To assist our users in verifying the authenticity of our software releases, we digitally sign them. As of Fedora 3.3, this is part of the Fedora Release Process and requires that the committer doing the final build for distribution use their code signing key.

Requirements

We have borrowed heavily from the release signing policy used by the ASF. When generating your code signing key:

Once generated, you should:

1. Generate Your Key

Carefully follow the instructions here to generate your key and check that SHA1 is avoided.

Tip: Popular binaries for GnuPG 2.x can be found here:

Note: After initially generating your key with GnuPG 2.x (gpg2), you can work with it using the more commonly available 1.4.9 release (gpg).

2. Publish Your Public Key

To enable people to find your public key, you should publish it. This is a simple command with gpg:

gpg --send-key [keyID]

This will upload your public key to a well-known keyserver, which will then trigger other connected keyservers to get a copy. You can verify the availability of your public key by searching for your name in one of the keyservers in the SKS network.

3. Publishing Your Key Fingerprint
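One concrete way to check the "SHA1 is avoided" requirement on a finished release signature is to read the hash algorithm ID straight out of the OpenPGP signature packet (RFC 4880 section 5.2). The following is an added example written for this page, not code from the Fedora project; it parses a binary (dearmored) detached signature and flags signatures made with SHA1 or weaker digests. The two signature blobs at the bottom are constructed test inputs with a valid packet header and a truncated body.

```python
"""Report the digest algorithm recorded in an OpenPGP signature packet."""
import struct

# RFC 4880 section 9.4 hash algorithm identifiers
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}


def parse_packet_header(blob):
    """Return (tag, body_offset, body_length) of the first packet in blob."""
    first = blob[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:                       # new-format packet header
        tag, length = first & 0x3F, blob[1]
        if length < 192:
            return tag, 2, length
        if length < 224:
            return tag, 3, ((length - 192) << 8) + blob[2] + 192
        if length == 255:
            return tag, 6, struct.unpack(">I", blob[2:6])[0]
        raise ValueError("partial body lengths are not supported here")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03   # old format
    if length_type == 0:
        return tag, 2, blob[1]
    if length_type == 1:
        return tag, 3, struct.unpack(">H", blob[1:3])[0]
    if length_type == 2:
        return tag, 5, struct.unpack(">I", blob[1:5])[0]
    raise ValueError("indeterminate packet length is not supported here")


def signature_hash_algo(blob):
    """Name of the digest used by the signature packet at the start of blob."""
    tag, offset, length = parse_packet_header(blob)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = blob[offset:offset + length]
    # v3: version, hashed-len, type, time(4), keyid(8), pubkey algo, hash algo
    # v4 and later: version, sig type, pubkey algo, hash algo, ...
    hash_id = body[16] if body[0] == 3 else body[3]
    return HASH_ALGOS.get(hash_id, f"unknown({hash_id})")


def uses_weak_hash(blob):
    """True when the release signature must be rejected under this policy."""
    return signature_hash_algo(blob) in WEAK_HASHES


# Constructed samples: old-format header 0x88 = tag 2, one-byte length;
# body = version 4, sig type 0x00, RSA (1), hash ID, then padding.
SAMPLE_SHA256_SIG = bytes([0x88, 14, 4, 0x00, 1, 8]) + b"\x00" * 10
SAMPLE_SHA1_SIG = bytes([0x88, 14, 4, 0x00, 1, 2]) + b"\x00" * 10
```

For a real armored signature, run `gpg --dearmor` on the .asc file first and pass the resulting bytes in; `gpg --list-packets file.asc` prints the same field as "digest algo" if you prefer the command-line check.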