[Date Prev][Date Next]
Re: PGP Keys
- To: firstname.lastname@example.org
- Subject: Re: PGP Keys
- From: Michael Ströder <email@example.com>
- Date: Sun, 03 Aug 2008 12:40:48 +0200
- In-reply-to: <20080730175023.GL374@gunboat-diplomat.oucs.ox.ac.uk>
- References: <9DD36C99332AB7438F8D73C048D8C62C012B0AB4@sneezy.ad.e-dialog.com> <2EEEF37F-D7C3-439F-96B9-D5D160FBF7D1@OpenLDAP.org> <20080730175023.GL374@gunboat-diplomat.oucs.ox.ac.uk>
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:220.127.116.11) Gecko/20080702 SeaMonkey/1.1.11
Dominic Hargreaves wrote:
On Wed, Jul 30, 2008 at 06:16:20PM +0100, Kurt Zeilenga wrote:
On Jul 30, 2008, at 4:33 PM, Jorge Medina wrote:
Do anybody knows where I could get the PGP keys to verify the
integrity of the source code I downloaded from a mirror?
PGP is not used to sign releases or release announcements.
To verify the integrity of a tarball download from ftp.openldap.org or
a mirror, you can check it against the SSHA1 and/or MD5 hashes
published as part of the announcement for the release (posted to
firstname.lastname@example.org , archived in that list's archives).
Hash verification is not intended to detect instances where
openldap.org hosted services have been hijacked or otherwise seriously
However only offering the option to verify the hashes using unsigned
emails or non-https publications on a web site is offering up many
more attack vectors.
PGP-signing the hashes would solve this problem and is bog standard
practice in many (most?) projects and I would like to see it offered by
I'd support the approach with digitally signing the source tar.gz files.
I'm doing it for years when releasing web2ldap source packages. It's
just part of a simple script. Therefore I've filed ITS#5639 for that.