
Re: PGP Keys

On Jul 30, 2008, at 4:33 PM, Jorge Medina wrote:

Does anybody know where I could get the PGP keys to verify the integrity of the source code I downloaded from a mirror?

PGP is not used to sign releases or release announcements.

To verify the integrity of a tarball download from ftp.openldap.org or a mirror, you can check it against the SSHA1 and/or MD5 hashes published as part of the announcement for the release (posted to openldap-announce@openldap.org, archived in that list's archives).

Hash verification is not intended to detect instances where openldap.org hosted services have been hijacked or otherwise seriously compromised.

-- Kurt
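
The check described in the reply above, as an added example that is not part of the original message or of the OpenLDAP project: it reads digest lines out of an announcement body and compares them with the downloaded file. The `ALGO(filename)= hex` line format (as `openssl dgst` prints it), the file name `example-release.tgz` and the sample announcement are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Assumed digest-line format: "ALGO(filename)= hex", as `openssl dgst` prints it.
DIGEST_LINE = re.compile(r"^\s*(MD5|SHA1)\(([^)]+)\)\s*=\s*([0-9a-fA-F]+)\s*$")

def parse_announcement(text):
    """Return {filename: {algo: hexdigest}} for every digest line in the text."""
    published = {}
    for line in text.splitlines():
        m = DIGEST_LINE.match(line)
        if m:
            algo, name, digest = m.groups()
            published.setdefault(name, {})[algo.lower()] = digest.lower()
    return published

def file_digests(path, algos):
    """Hash the file once, feeding each chunk to every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify(path, announcement_text):
    """Return {algo: bool}; raises LookupError if the file is not listed."""
    expected = parse_announcement(announcement_text).get(os.path.basename(path))
    if not expected:
        raise LookupError("no published digest for " + os.path.basename(path))
    actual = file_digests(path, expected)
    return {a: hmac.compare_digest(actual[a], expected[a]) for a in expected}

# Constructed sample: a 3-byte stand-in "tarball" and a matching announcement.
SAMPLE_NAME = "example-release.tgz"
SAMPLE_ANNOUNCEMENT = """\
MD5(example-release.tgz)= 900150983cd24fb0d6963f7d28e17f72
SHA1(example-release.tgz)= a9993e364706816aba3e25717850c26c9cd0d89d
"""

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, SAMPLE_NAME)
        with open(path, "wb") as fh:
            fh.write(b"abc")
        print(verify(path, SAMPLE_ANNOUNCEMENT))
```

Treat the download as good only when every algorithm in the result is `True`, and take the announcement text from the list archive rather than from the mirror that served the tarball. As the reply notes, this catches a corrupted or altered copy, not a compromise of the openldap.org services that publish the hashes.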