[asterisk-dev] GPG signatures

Bill Merriam lists at billmerriam.com
Fri Oct 6 07:14:59 MST 2006


Russell Bryant wrote:
> ----- Bill Merriam <lists at billmerriam.com> wrote:
>> The developers sign the release files with GPG.  Is there someplace
>> their keys or fingerprints are listed so we can tell gpg we trust the
>> key?
> 
> Yes.  Our keys are on the keyserver, pgp.mit.edu.
> 

I have copies of the keys from the key server but anybody can upload
keys to a keyserver.  Best practices require that keys be verified via
another channel.  US-CERT publishes on its web site the
fingerprints plus the full keys and even offers to let you call them on
the phone and read the fingerprint to them for verification.

I would think that keys or fingerprints would be available on the
Asterisk.org or Digium web sites.  Given that we ARE a voice-centric
group, Digium could provide an extension where a recorded message reads
the fingerprints of one or more key signing keys.

The difference between a good gpg signature and a TRUSTED signature is
that you trust the key because you have confirmed its authenticity.

Bill

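As an added example, not part of this thread or of the Asterisk project: a POSIX shell script that does what Bill describes, accepting a release signature only from a key whose full fingerprint matches one obtained through a separate channel. It assumes GnuPG 2.x is installed and that TRUSTED_FPRS is a file you maintain yourself with one fingerprint per line (the file and the function names are assumptions).

```shell
#!/bin/sh
# Added example (not from the thread): trust a release signing key only after its
# fingerprint has been matched against a list obtained out of band (TLS web page,
# phone read-out, in-person exchange), never against the keyserver copy alone.

# Canonical form: drop spaces and colons, uppercase, so "ab cd" == "ABCD".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF'
}

# fpr_is_trusted FPR TRUSTED_FPRS -> 0 if FPR is a full 40-hex v4 fingerprint listed
# in the file. Short key IDs are rejected on purpose: they are cheap to collide.
fpr_is_trusted() {
    cand=$(normalize_fpr "$1")
    [ "${#cand}" -eq 40 ] || return 1
    tr -d ' :' < "$2" | tr 'abcdef' 'ABCDEF' | grep -qxF "$cand"
}

# key_fingerprints KEYFILE -> fingerprints in an exported key, without importing it.
key_fingerprints() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# verify_release TRUSTED_FPRS KEYFILE TARBALL SIGFILE
# Imports KEYFILE into a throwaway keyring, marks only fingerprint-matched keys as
# ultimately trusted, and accepts the tarball only on VALIDSIG plus TRUST_ULTIMATE.
# A plain `gpg --verify` exits 0 for a good-but-untrusted signature, which is
# exactly the "good vs. trusted" distinction above, so the exit code alone is not enough.
verify_release() {
    trusted=$1; keyfile=$2; tarball=$3; sig=$4
    home=$(mktemp -d) || return 2
    matched=0
    gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null
    for fpr in $(key_fingerprints "$keyfile"); do
        fpr_is_trusted "$fpr" "$trusted" || continue
        printf '%s:6:\n' "$fpr" | gpg --homedir "$home" --batch --quiet --import-ownertrust 2>/dev/null
        matched=1
    done
    if [ "$matched" -eq 0 ]; then
        echo "no key in $keyfile matches an out-of-band fingerprint; refusing" >&2
        rm -rf "$home"; return 1
    fi
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null)
    rm -rf "$home"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' &&
        printf '%s\n' "$status" | grep -q '^\[GNUPG:\] TRUST_ULTIMATE'
}
```

Usage: `verify_release trusted-fingerprints.txt asterisk-signing-key.asc asterisk-X.Y.Z.tar.gz asterisk-X.Y.Z.tar.gz.asc`; a non-zero exit means the tarball must not be used.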
