matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

Signing releases #16556

Closed aerusso closed 1 year ago

aerusso commented 1 year ago

Description:

Hello! I apologize if this is somewhere, but I cannot seem to find it if it exists. I would like to cryptographically verify the releases of matrix-synapse. I can see that the release-tagged commits are signed, but I cannot seem to find public information on which key(s) I should trust signatures from. Ideally, there would be a link in the readme to some web page on matrix.org listing a public key, and the tags are signed with that key. Even better if that same PGP key is used to sign everything (packages, release tags, etc.).

Thanks for the great work!

clokep commented 1 year ago

The Debian packages are signed: https://matrix-org.github.io/synapse/latest/setup/installation.html#matrixorg-packages

Can you provide more info about what sort of install you're using?

DMRobertson commented 1 year ago

Is this basically https://github.com/matrix-org/synapse/issues/15994 ?

aerusso commented 1 year ago

Oh shoot, yes. Sorry, I did not mean to open a second issue (I actually completely forgot that I already did that). I'll go ahead and close since it's a duplicate.