Closed JarrahG closed 3 years ago
All tags are signed via the same GPG key. See the verified tag on the right at https://github.com/tpm2-software/tpm2-totp/tags The same keys are used for tarballs.
How does tpm2-tools do it differently?
The easiest way to obtain the public keys is downloading them from GitHub: https://github.com/AndreasFuchsSIT.gpg, https://github.com/diabonas.gpg. They are also uploaded to the SKS keyserver network: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd6b4d8bac7e0cc97dcd4ac7272e88b53f7a95d84, https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xfe2e6249201ca54a4fb90d066e80ca1446879d04.
> I have also noticed that none of the other Linux distributions are using GPG verification of the release tarballs.
FWIW, Arch Linux does: https://github.com/archlinux/svntogit-community/blob/ee31233085018f15bf3781dfb1134a0b7bce2835/trunk/PKGBUILD#L15-L16
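As an added example (not from the tpm2-totp project or from anyone in this thread), a POSIX shell script that imports the maintainers' keys from the GitHub `.gpg` endpoint mentioned above, pins them to the fingerprints taken from the keyserver URLs before importing, and then verifies a signed tag or a tarball. It assumes GnuPG 2.1+ (for `--import-options show-only`), curl and git are installed; the tag and tarball names in the usage comments are placeholders. Pinning matters because the `.gpg` endpoint serves whatever key is currently attached to the account, so the fingerprint list is what turns "a key from GitHub" into "the maintainer's key".

```shell
#!/bin/sh
# Added example, not part of tpm2-totp: fetch, pin and use the release-signing keys.
set -eu

# Primary-key fingerprints taken from the keyserver lookup URLs in the thread.
PINNED_FINGERPRINTS="D6B4D8BAC7E0CC97DCD4AC7272E88B53F7A95D84
FE2E6249201CA54A4FB90D066E80CA1446879D04"

# Read `gpg --with-colons` key-listing records on stdin and print only primary-key
# fingerprints: an "fpr" record directly after "pub" belongs to the primary key,
# one after "sub" belongs to a subkey and is skipped. Field 10 holds the fingerprint.
primary_fingerprints() {
    awk -F: '$1=="pub"{want=1;next} $1=="sub"{want=0;next}
             $1=="fpr"&&want{print toupper($10);want=0}'
}

# Succeed only if stdin carries at least one fingerprint and every one is pinned.
check_pinned() {
    seen=0
    while IFS= read -r fpr; do
        [ -n "$fpr" ] || continue
        seen=1
        case "$PINNED_FINGERPRINTS" in
            *"$fpr"*) ;;
            *) echo "unexpected key fingerprint: $fpr" >&2; return 1 ;;
        esac
    done
    [ "$seen" -eq 1 ]
}

# Download https://github.com/<user>.gpg, refuse it unless every primary key in it
# is pinned, then import it into the local keyring.
import_github_key() {
    user="$1"
    curl -fsSL "https://github.com/$user.gpg" -o "$user.asc"
    gpg --with-colons --import-options show-only --import "$user.asc" \
        | primary_fingerprints | check_pinned
    gpg --import "$user.asc"
}

# Verify a signed tag inside a clone, e.g. verify_tag vX.Y.Z (placeholder tag name).
verify_tag() {
    git tag -v "$1"
}

# Verify a tarball against its detached signature, e.g.
# verify_tarball tpm2-totp-X.Y.Z.tar.gz tpm2-totp-X.Y.Z.tar.gz.asc (placeholder names).
verify_tarball() {
    gpg --verify "$2" "$1"
}
```

With `import_github_key AndreasFuchsSIT` and `import_github_key diabonas` run first, `git tag -v` and `gpg --verify` then report the signing key's fingerprint, which should match one of the pinned values.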
> How does tpm2-tools do it differently?
They have a tag for each contributor containing their public key. Though, thanks to diabonas, that seems redundant. I didn't realize you can get the GPG key for a user by adding ".gpg" to their GitHub profile.
Thanks.
I'm currently trying to package TPM2-TOTP for QubesOS. As part of this, I would like to verify the source code as released. However, I've been unable to find the public key used to sign releases. I have also noticed that none of the other Linux distributions are using GPG verification of the release tarballs. Would it be possible to either reply to this issue with the public key or commit it to the repository in a similar way as TPM2-Tools?
Thanks for your work on this.