GPG key for 2.1.28 signature #710
Comments
Hello, The public key is in the MIT keyserver. Is there another public keyserver for GPG keys you think would be good to use? Personally, I prefer having a project GPG key rather than individual keys.
I've added it to the ubuntu keyserver as well
Thanks - I've got the key now and can verify it. But it'd be best if the download guidance said explicitly which keys are allowed to sign releases - if you just rely on people downloading whatever key it happened to be signed with, then that doesn't protect you against someone else signing a fake release.
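The pinning that the comment above asks for, as an added example that is not code from cyrus-sasl or from any commenter: it parses `gpg --status-fd` output and accepts a release only when the one valid signature comes from an allow-listed primary key fingerprint. The allow-list holds the fingerprint that the packaging commit messages on this page add to `validpgpkeys`; the function names, the sample status lines, their timestamps and `OTHER_KEY` are constructed for illustration.

```python
import subprocess

# Pinned signer: the fingerprint the packaging commits on this page add to validpgpkeys.
ALLOWED = {"DEA1999F0CDB1AAEBA001E0DBEE3E3B4D2F06546"}
# gpg status keywords that rule a signature out regardless of other lines.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def check_status(status_text, allowed=ALLOWED):
    """Return (ok, reason) for `gpg --status-fd` output of one detached signature."""
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FATAL:
            return False, f"gpg reported {keyword}"
        if keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key; the 10th field, when present,
            # is the primary key fingerprint, which is the value that is pinned.
            signers.append((args[9] if len(args) >= 10 else args[0]).upper())
    if len(signers) != 1:
        return False, f"expected exactly one valid signature, got {len(signers)}"
    if signers[0] not in allowed:
        return False, f"valid signature, but from unlisted key {signers[0]}"
    return True, f"signed by pinned key {signers[0]}"


def verify_release(tarball, sig, allowed=ALLOWED):
    """Run gpg on a tarball and its detached signature, then apply the pin."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return check_status(proc.stdout, allowed)


# Constructed status lines (timestamps and OTHER_KEY are made up for illustration).
OTHER_KEY = "0123456789ABCDEF0123456789ABCDEF01234567"
VALID = "[GNUPG:] NEWSIG\n[GNUPG:] VALIDSIG {0} 2000-01-01 946684800 0 4 0 1 10 00 {0}\n"
SAMPLE_PINNED = VALID.format(next(iter(ALLOWED)))
SAMPLE_UNLISTED = VALID.format(OTHER_KEY)
SAMPLE_NO_KEY = ("[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 946684800 9\n"
                 "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")

if __name__ == "__main__":
    for name in ("SAMPLE_PINNED", "SAMPLE_UNLISTED", "SAMPLE_NO_KEY"):
        print(name, check_status(globals()[name]))
```

`SAMPLE_UNLISTED` is the case the comment describes: gpg reports a cryptographically valid signature, and only the fingerprint comparison rejects it.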
I'm unfortunately facing this issue as well and find myself in a stuck position to update the distro package as the chain of trust is broken. I would like to kindly ask if it would be possible of the key owner of
Hello @anthraxx, apologies for this confusion. Here's the signed clear-text of the message
@ajaysusarla Thank you very much for preserving the chain of trust, I can proceed with the upgrade now 🐱
Remove all patches (none seemed essential or had a specific note as to why they were needed). Remove all configuration used by extra/cyrus-sasl. Remove all unused split packages and turn PKGBUILD into single package build script. Add DEA1999F0CDB1AAEBA001E0DBEE3E3B4D2F06546 to validpgpkeys, for which a chain of trust has been established in cyrusimap/cyrus-sasl#710 (comment). Add note about relationship with extra/cyrus-sasl. Add debug package. Remove unneeded quotes and curly braces. Order configure options alphabetically. Update maintainer info. git-svn-id: file:///srv/repos/svn-packages/svn@444300 eb2447ed-0c53-47e4-bac8-5bc4a241df78
Remove all patches (none seemed essential or had a specific note as to why they were needed). Remove unused libsasl split package. Add DEA1999F0CDB1AAEBA001E0DBEE3E3B4D2F06546 to validpgpkeys, for which a chain of trust has been established in cyrusimap/cyrus-sasl#710 (comment). Add note about relationship with core/libsasl. Add debug package. Remove unneeded quotes and curly braces. Simplify calls to make. Install man pages using the dedicated make target instead of copying them manually. Order configure options alphabetically. Add dependencies more specifically and also add sodeps. Update maintainer info. git-svn-id: file:///srv/repos/svn-packages/svn@444302 eb2447ed-0c53-47e4-bac8-5bc4a241df78
Is this question now fixed? Has a PR been submitted? Or did you say that after the plan, the plan was modified?
cyrus-sasl-2.1.28.tar.gz.sig is signed with a different private key from previous releases - presumably @quanah's. There's no mention of the change in the release notes, and no indication of where to get the corresponding public key from in the tarball download instructions, so it's not possible to verify this signature at the moment. Would it be possible to add a keyring (or a reference to an external keyserver) somewhere?