jwijenbergh
commented
1 year ago Hey! Thanks, this is something I overlooked to document as these signatures are right now mainly verified in our own package builders.
Thanks a lot for updating your AUR packages (and so quickly!). The keys have just been uploaded here https://github.com/eduvpn/eduvpn-common/tree/main/keys, maybe you can then push the GPG key within the AUR packages (or hardcode it in the pkgbuild?) so that you immediately notice if it has changed.
They are available on external sources too (so that this repo is not a single source of truth), e.g. https://app.eduvpn.org/linux/v4/deb/app+linux@eduvpn.org.asc and https://git.sr.ht/~jwijenbergh/python3-eduvpn-common.rpm/tree/main/item/SOURCES/minisign-CA9409316AC93C07.pub.
Keyservers is possible, but also not the most secure way.
Apologies for replying so late, I did not get a notification for some reason.
I will make sure this is all better documented
hv15
Hi, I've packaged this for ArchLinux and noticed that the PGP detached signature for the release 1.0.0 uses a public key (0x02BB8048BBFF222C) that isn't published on the major key servers. Is the public key located somewhere public? Thanks!