Open maltfield opened 2 months ago
I have uploaded and verified our key at https://keys.openpgp.org/. We should also upload it to our website. Regarding other domains: Twitter doesn’t provide enough space for all the information I want to include, so I have added the fingerprint to Mastodon. However, I don't really use YouTube, Instagram, or Keybase.
We have some YouTube videos on how to verify releases here, but we probably need to put together some documentation as well.
Thanks!
Yeah, I definitely think text documentation takes priority over video documentation. It's more accessible.
Is there an existing request for feature?
What feature would you like?
This ticket is a request to:
Why?
It's possible for a very powerful adversary to compromise your release infrastructure (or the infrastructure between the server and the client) and get a new Session user to download a malicious version of the release, signature, and the release signing key -- but it's exponentially more difficult for them to compromise multiple distinct domains.
Remember: Monero's release infrastructure has already been compromised once. And here's a great list of historically relevant cases where this happened:
Part One: Making key available out-of-band
SKS Keyservers
I found that I could obtain your key from Ubuntu's SKS Keyserver. This is great!
Nothing to do here.
https://keys.openpgp.org/
keys.openpgp.org is a newer keyserver that doesn't sync with the others, and it strips UIDs and signatures by default for privacy and to resist certificate spamming attacks.
Unfortunately, I could not search for your key on this server by email address because it looks like you've never verified the email address.
Please verify your email address by clicking the link sent to the uid of the key (kee@oxen.io) as described here:
Mastodon
Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to one of your Mastodon account's "profile fields" (e.g. a new field named "PGP" in addition to "Website", "Download", "Youtube", "Odysee").
Twitter
Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to your Twitter profile description.
Instagram
Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to your Instagram profile description.
YouTube
Please add your public key's full fingerprint (FC2821DE35BD839E93D3AE7650F7890BCDED90AB) to your YouTube profile description.
Other domains
I do recommend adding your key to as many other domains as possible, including:
The more domains you upload it to, the better.
Part Two: Documenting it
After uploading your public key and/or full fingerprint to as many distinct domains as possible, please update the project's documentation to enumerate all of these locations and write a paragraph describing how the user can mitigate the risk of compromised infrastructure by cross-checking the integrity of the key across multiple domains.
Anything else?
No response
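The cross-check that Part Two asks the documentation to describe, as an added example (not code from this issue or from the Session/Oxen project): take the fingerprint of the key actually downloaded (parsed from `gpg --with-colons --fingerprint` output) and compare it against what each independent domain publishes. The domain names and profile texts below are constructed placeholders; only the fingerprint is the one from the issue.

```python
import re

# 40 hex digits (OpenPGP v4 fingerprint), optionally grouped with spaces as gpg prints it.
FPR_RE = re.compile(r"\b(?:[0-9A-Fa-f]{4}\s*){9}[0-9A-Fa-f]{4}\b")

# Constructed stand-in for `gpg --with-colons --fingerprint` run on the downloaded key.
GPG_OUTPUT = """\
pub:u:4096:1:50F7890BCDED90AB:1600000000::u:::scESC::::::23::0:
fpr:::::::::FC2821DE35BD839E93D3AE7650F7890BCDED90AB:
"""

# Constructed text a user would copy from each domain's profile or key page.
SOURCES = {
    "keys.openpgp.org": "Fingerprint: FC2821DE35BD839E93D3AE7650F7890BCDED90AB",
    "mastodon.example": "PGP  FC28 21DE 35BD 839E 93D3  AE76 50F7 890B CDED 90AB",
    "twitter.example": "bio: downloads at ... | pgp fc2821de35bd839e93d3ae7650f7890bcded90ab",
    "youtube.example": "Channel about Session. No fingerprint published yet.",
}

def normalize(fpr: str) -> str:
    """Canonical form: uppercase hex, no separators; rejects anything that is not 40 hex digits."""
    clean = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", clean):
        raise ValueError(f"not a v4 fingerprint: {fpr!r}")
    return clean

def fingerprint_from_gpg_colons(output: str) -> str:
    """Primary-key fingerprint is field 10 of the first 'fpr' record in --with-colons output."""
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            return normalize(fields[9])
    raise ValueError("no fpr record found")

def fingerprints_in(text: str) -> set[str]:
    return {normalize(m.group(0)) for m in FPR_RE.finditer(text)}

def cross_check(local_fpr: str, sources: dict[str, str], min_agreeing: int = 3) -> dict:
    """A compromised release host can swap key, signature and release together, but cannot
    rewrite the fingerprint on other domains: require several to agree and none to disagree."""
    local = normalize(local_fpr)
    agree, disagree, missing = [], [], []
    for domain, text in sources.items():
        found = fingerprints_in(text)
        if not found:
            missing.append(domain)       # domain publishes nothing; neither confirms nor refutes
        elif local in found:
            agree.append(domain)
        else:
            disagree.append(domain)      # any disagreement means stop and investigate
    return {"ok": len(agree) >= min_agreeing and not disagree,
            "agree": agree, "disagree": disagree, "missing": missing}

if __name__ == "__main__":
    print(cross_check(fingerprint_from_gpg_colons(GPG_OUTPUT), SOURCES))
```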