Open jeremy-clerc opened 4 years ago
Hello,
Looking at #49, I can see that RPMs are signed which is great. Though I cannot find a reliable (imho) source validating the signing GPG Key.
For varnish-6.0.6-1.el7.x86_64.rpm, Signature : RSA/SHA1, Fri 31 Jan 2020 12:29:02 PM UTC, Key ID 60e7c096c4deffeb
https://keyserver.ubuntu.com/pks/lookup?search=0x60e7c096c4deffeb&fingerprint=on&op=index
I can see in different script that you pull C4DEFFEB (which is the shortcut for the same key).
https://keyserver.ubuntu.com/pks/lookup?search=0xC4DEFFEB&fingerprint=on&op=index
Fingerprint looks to be
pub 4096R/C4DEFFEB 2010-09-08 [expires: 2020-09-05]
Key fingerprint = E98C 6BBB A1CB C5C3 EB2D F21C 60E7 C096 C4DE FFEB
uid varnish-cache.org repository key <sysadmin@varnish-software.com>
Could you add the key and fingerprint to https://varnish-cache.org/security/gpg.html ? Or at least the fingerprint and where to get it in this repo README ?
Thanks!
This makes complete sense. We'll get this sorted.
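An added example, not part of the original issue or of the Varnish project's scripts: checking a downloaded key against the full fingerprint quoted above rather than the 8-digit short ID, which a different key can share. The function names, the key file path in the usage comment, and the sample colon records are assumptions constructed for illustration; the pinned fingerprint is the one quoted in the issue, which came from a keyserver lookup.

```shell
#!/bin/sh
# Added example: pin the full 40-hex-digit fingerprint, never the short ID.
# Value as quoted in the issue (keyserver lookup, not an official project page).
PINNED_FPR="E98C 6BBB A1CB C5C3 EB2D F21C 60E7 C096 C4DE FFEB"

# Strip whitespace and uppercase so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key
# fingerprint: field 10 of the first "fpr" record.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only when the whole fingerprint equals the pinned one.
# A bare short ID or an empty string fails the length check.
fpr_matches_pin() {
    got=$(normalize_fpr "$1")
    want=$(normalize_fpr "$PINNED_FPR")
    [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# Inspect a key file without importing it (needs a GnuPG that has --show-keys).
verify_key_file() {
    fpr=$(gpg --batch --with-colons --show-keys "$1" 2>/dev/null | primary_fpr)
    fpr_matches_pin "$fpr"
}

# Constructed, simplified colon records (not real gpg output).
SAMPLE_GOOD='pub:-:4096:1:60E7C096C4DEFFEB:
fpr:::::::::E98C6BBBA1CBC5C3EB2DF21C60E7C096C4DEFFEB:'
# Constructed look-alike: same short ID C4DEFFEB, different fingerprint.
SAMPLE_LOOKALIKE='pub:-:4096:1:89ABCDEFC4DEFFEB:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFC4DEFFEB:'

# Usage (hypothetical file names):
#   verify_key_file ./varnish-key.asc && rpm --import ./varnish-key.asc
#   rpm -K varnish-6.0.6-1.el7.x86_64.rpm
```

The check is only as trustworthy as the channel the pinned fingerprint came from, which is why the issue asks for it to be published on the project's own site or README.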