You should get people to sign your key too, create a "web of trust".

d.

> -----Original Message-----
> From: Noel J. Bergman [mailto:[EMAIL PROTECTED]]
> Sent: 02 January 2003 17:46
> To: James Developers List
> Subject: Distribution signing
>
> > > > do I simply make for myself an ad hoc key and stick it in a file?
> > > Do we have a KEY file already, with keys for previous Release Managers?
> > > I don't believe it has ever been done for James.
> > It is however highly recommended.
> > The real danger was that someone would add trojan horse to builds
>
> And that danger increases with the push to use mirrors for downloading.
>
> I went ahead and used GnuPG, created a new key for signing, prepared a KEYS
> file, signed the distribution files following the instructions on the GnuPG
> site, and uploaded the KEYS and digital signatures to the download
> directories. Also set up a HEADER.html and README.html.
>
> I did not use the same key that I use for SSH. The key I generated is
> unique to file signing.
>
> I'll update KEYS, HEADER.html and README.html files into the CVS.
>
> --- Noel
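
The signing steps described in the quoted message, as an added example that is not part of the original thread: a dedicated signing-only key, a KEYS file, a detached signature, and the check a downloader would run against a mirror copy. It assumes GnuPG 2.1 or later; the address, file names and file contents are constructed.

```shell
#!/bin/sh
# Added example. The signer address, file names and payload are constructed.
SIGNER="rm@example.invalid"

# Release manager side: make a key used only for file signing, publish its
# public half as KEYS, and write an ASCII-armored detached signature.
make_signed_release() (   # $1 = directory holding the artifact, $2 = artifact name
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    # Empty passphrase only so the demo runs unattended; a real key has one.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Example Release Manager <$SIGNER>" ed25519 sign never || exit 1
    gpg --batch --armor --export "$SIGNER" > "$1/KEYS" || exit 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1/$2.asc" "$1/$2"
)

# Downloader side: import KEYS into an empty keyring and check the signature.
# Exit status is 0 only when FILE.asc is a good signature over FILE.
verify_release() (        # $1 = KEYS file, $2 = artifact (signature at $2.asc)
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    gpg --batch --quiet --import "$1" 2>/dev/null || exit 1
    gpg --batch --verify "$2.asc" "$2" 2>/dev/null
)

demo() {
    work=$(mktemp -d) || return 1
    dist="$work/example-dist.tar.gz"
    printf 'constructed release payload\n' > "$dist"
    make_signed_release "$work" example-dist.tar.gz || return 1
    verify_release "$work/KEYS" "$dist" && good=pass || good=fail
    # Simulate a mirror copy that was modified after signing.
    printf 'extra bytes\n' >> "$dist"
    verify_release "$work/KEYS" "$dist" && bad=pass || bad=fail
    rm -rf "$work"
    echo "untouched=$good tampered=$bad"
}

demo
```

The check only ties the file to whatever key is in KEYS, so KEYS has to come from the project itself rather than from the same mirror as the download. Signatures from other people on that key, as suggested in the reply above, are what let a downloader decide the key belongs to the release manager.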
