Hey, thanks for your answer. I have just tried to gpg-verify the .deb package now and realized it is signed inside!
Thank you. Sébastien Blin: > On https://jami.net/download-jami-linux/ you can directly see the key > used to sign packages (A295D773307D25A33AE72F2F64CD5FA175348F84) > > For fedora: > > AmarOk@localhost ~ rpm -qpi > ~/Downloads/ring-20190215.1.07c9194-1.fc29.x86_64.rpm | grep Signature > Signature : RSA/SHA512, Fri 15 Feb 2019 08:09:10 PM EST, Key ID > 64cd5fa175348f84 > > > > > On 2/24/19 7:52 AM, amuza wrote: >> >> amuza: >>> Hi, >>> >>> I have not found your OpenPGP keys or signed packages at jami.org >>> >>> Maybe they are there and I have not found them. Please let me know if >>> you gpg-sign your packages. >>> >>> Thank you! >>> >>> >> As I got no answer, I guess you don't sign your packages. >> >> But, if that's the case, why? >> >> It would be good for every Jami user to have a public key we can always >> trust when verifying a Jami package. Wouldn't it? >> >> That is a very common thing, specially for this kind of software. Not >> having it can make existing and potential new Jami users feel suspicious >> or less secure. >> >> Of course we users would need to trust the signer, maybe by trusting >> some other signature in their key, but that's a complete different story. >> >> >>
