You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Current »


To assist our users in verifying the authenticity of our software releases, we digitally sign them.

Requirements

We have borrowed heavily from the release signing policy used by the ASF.

When generating your code signing key:

  1. Use a 4096 bit RSA key with SHA512 hash
  2. Use your real name, preferred email address, and "CODE SIGNING KEY" as the comment.
  3. Use a strong password to protect your key

Once generated, you should:

  • Keep your private key file on a safe, secure computer, and make sure you have a secure backup.
  • Never use this key for purposes other than code signing or signing other keys.

1. Generate Your Key

Carefully follow the instructions here to generate your key and check that SHA1 is avoided.

Tip: Popular binaries for GnuPG 2.x can be found here:

Note: After initially generating your key with GnuPG 2.x (gpg2), you can work with it using the more commonly-available 1.4.9 release (gpg).

2. Publish Your Public Key

To enable people to find your public key, you should publish it to a well-known keyserver.  Due to the deprecation of all SKS keyservers in 2019 we now have the options of the openpgp.org's server (Hagrid) or one of the hockeypuck servers. Depending on which keyserver you choose follow the command below.

In the efforts to reduce the publication of private information the Hagrid server will not reveal or allow searching with the email address a key is tied to without explicit approval. Because keyservers no longer store and distribute third-party signatures (those adding via signing someone's key) the "Web of trust" is harder to track. Therefore it is not necessary to reveal your email address when publishing your key unless you really want to.


HockeyPuck servers
gpg --keyserver keyserver.ubuntu.com --send-key [yourKeyID]

Hagrid server (OpenPGP)

Not revealing your email address
gpg --keyserver keys.openpgp.org --send-key [yourKeyID]
Publishing your email address with your key
gpg --export your_address@example.net | curl -T - https://keys.openpgp.org

...where yourKeyID is the last 8 digits of your public key fingerprint.

This will upload your public key to a well-known keyserver, which will then trigger other connected keyservers to get a copy. 

3. Publish Your Key Fingerprint

Add your fingerprint to the Fedora Committers page.


  • No labels

All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.