lbryio / lbry.com

lbry.com, the website for the LBRY protocol
https://lbry.com
MIT License
264 stars 234 forks

Update pgp-key.md #1504

Open RubenKelevra opened 1 year ago

RubenKelevra commented 1 year ago

What I did

— Remove non-working link to keybase.io
— Add key ID
— Add raw-link to the key file in pgp-keys
— Remove not self-signed PGP key in code box (having a single source for the PGP key and the key ID is a bad habit)
— Move security reporting link to the bottom

Why I did that

Fixes #1503

To-Do before merge

— A new GitHub repo 'pgp-keys' under lbryio needs to be created
— The public key file needs to be signed by the 0x73000EAE82F4283AAF1FCC516CB639B5FFE02E7E key (self-signature)
— The signed public key needs to be stored in the master branch of 'pgp-keys' as lbry-key.asc

lyoshenka commented 1 year ago

Thanks @RubenKelevra for this PR. Can you explain why it's best to have a separate repo for PGP keys rather than including it directly on the page?

RubenKelevra commented 1 year ago

> Thanks @RubenKelevra for this PR. Can you explain why it's best to have a separate repo for PGP keys rather than including it directly on the page?

Sure. The idea is to make it harder for an attacker to modify the binary and the PGP key. If the PGP key is stored in a git on GitHub, either GitHub itself would need to be compromised or the git would need to be modified, in addition to the webpage.
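
The cross-check this setup makes possible for someone downloading the key, as an added example that is not part of the PR or the lbry.com code base: compare the primary-key fingerprint of the key file from the 'pgp-keys' repo with the fingerprint shown on the web page. The gpg colon listings below are constructed samples; only the fingerprint comes from the thread.

```python
import re

# Fingerprint as given in the PR's to-do list (the value shown on the web page).
PAGE_FINGERPRINT = "0x73000EAE82F4283AAF1FCC516CB639B5FFE02E7E"

# Constructed sample of `gpg --show-keys --with-colons lbry-key.asc` output for
# the key file fetched from the separate repo. UID and subkey are made up.
SAMPLE_MATCH = """\
pub:-:4096:1:6CB639B5FFE02E7E:1500000000:::-:::scESC:
fpr:::::::::73000EAE82F4283AAF1FCC516CB639B5FFE02E7E:
uid:-::::1500000000::::Constructed User <user@example.invalid>:
sub:-:4096:1:1111111111111111:1500000000::::::e:
fpr:::::::::2222222222222222222222221111111111111111:
"""
# Constructed mismatch: same trailing 16 hex digits (the long key ID), but a
# different full fingerprint, so a key-ID-only comparison would not notice.
SAMPLE_SWAPPED = SAMPLE_MATCH.replace("73000EAE82F4283AAF1FCC51", "DEADBEEF" * 3)

def normalize(fpr):
    """Strip whitespace and a leading 0x; insist on a full 40-hex fingerprint."""
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("need a full 40-hex-digit fingerprint, not a key ID")
    return cleaned

def primary_fingerprints(colon_output):
    """Return the fingerprint of every primary key, skipping subkey fpr lines."""
    found, after_primary = [], False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sec"):
            after_primary = True
        elif fields[0] in ("sub", "ssb"):
            after_primary = False
        elif fields[0] == "fpr" and after_primary and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 holds the fingerprint
            after_primary = False
    return found

def key_matches_page(colon_output, page_fpr=PAGE_FINGERPRINT):
    """True only if the file holds exactly one primary key and it matches."""
    found = primary_fingerprints(colon_output)
    return len(found) == 1 and found[0] == normalize(page_fpr)

if __name__ == "__main__":
    print("repo key matches page:", key_matches_page(SAMPLE_MATCH))
    print("swapped key matches page:", key_matches_page(SAMPLE_SWAPPED))
```
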