varnishcache / pkg-varnish-cache

Package building scripts for official Debian and Redhat packages of Varnish Cache.

RPM GPG Key / Fingerprint validation #140

Open jeremy-clerc opened 4 years ago

jeremy-clerc commented 4 years ago

Hello,

Looking at #49, I can see that RPMs are signed which is great. Though I cannot find a reliable (imho) source validating the signing GPG Key.

For varnish-6.0.6-1.el7.x86_64.rpm, Signature : RSA/SHA1, Fri 31 Jan 2020 12:29:02 PM UTC, Key ID 60e7c096c4deffeb https://keyserver.ubuntu.com/pks/lookup?search=0x60e7c096c4deffeb&fingerprint=on&op=index

I can see in different scripts that you pull C4DEFFEB (which is the shortcut for the same key). https://keyserver.ubuntu.com/pks/lookup?search=0xC4DEFFEB&fingerprint=on&op=index

Fingerprint looks to be

pub   4096R/C4DEFFEB 2010-09-08 [expires: 2020-09-05]
      Key fingerprint = E98C 6BBB A1CB C5C3 EB2D  F21C 60E7 C096 C4DE FFEB
uid                  varnish-cache.org repository key <sysadmin@varnish-software.com>

Could you add the key and fingerprint to https://varnish-cache.org/security/gpg.html ? Or at least the fingerprint and where to get it in this repo README ?

Thanks!
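The check the issue asks for, as an added example (not code from pkg-varnish-cache or Varnish): it shows where the numbers quoted above come from. An OpenPGP v4 fingerprint is SHA-1 over the primary public-key packet (RFC 4880 section 12.2); the long Key ID rpm prints (60e7c096c4deffeb) is its low 64 bits and the short ID the scripts pull (C4DEFFEB) is its low 32 bits, which is cheap to collide, so only the full fingerprint is worth pinning. The pinned fingerprint is the one from the issue; the RSA modulus, creation time and armor wrapper are constructed demo data, not the real repository key, and the helper names are this example's own.

```python
"""Minimal OpenPGP v4 fingerprint check (RFC 4880 section 12.2).
Added example for this thread, not Varnish project code."""
import base64
import hashlib
import hmac
import struct

# Fingerprint quoted in the issue for the varnish-cache.org repository key.
PINNED_FINGERPRINT = "E98C 6BBB A1CB C5C3 EB2D  F21C 60E7 C096 C4DE FFEB"
# Constructed RSA modulus for the demo key; NOT a real key.
DEMO_N = int("d3f1" * 32, 16)


def normalize_fpr(fpr: str) -> str:
    """Drop gpg's display spacing and upper-case the hex."""
    return fpr.replace(" ", "").upper()


def key_ids(fpr: str) -> tuple:
    """(long 64-bit Key ID, short 32-bit Key ID) as gpg/rpm print them."""
    f = normalize_fpr(fpr)
    return f[-16:], f[-8:]


def matches_pinned(fpr: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """Compare the full fingerprint; a Key ID alone is not enough."""
    return hmac.compare_digest(normalize_fpr(fpr), normalize_fpr(pinned))


def dearmor(text: str) -> bytes:
    """Binary packet stream from an ASCII-armored block. Armor headers up to
    the first blank line and the '=CRC' line are skipped; the fingerprint
    comparison, not the CRC, is the integrity check relied on here."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not in_body:
            in_body = line.strip() == ""
            continue
        if not line.startswith("="):
            body.append(line.strip())
    return base64.b64decode("".join(body))


def read_packet(data: bytes, offset: int = 0) -> tuple:
    """Parse one packet header (old 0x80 or new 0xC0 format); return
    (tag, body, next_offset)."""
    b0 = data[offset]
    if not b0 & 0x80:
        raise ValueError("bad packet header")
    if b0 & 0x40:  # new format: tag in low 6 bits, variable-size length
        tag, b1 = b0 & 0x3F, data[offset + 1]
        if b1 < 192:
            length, hdr = b1, 2
        elif b1 < 224:
            length, hdr = ((b1 - 192) << 8) + data[offset + 2] + 192, 3
        elif b1 == 255:
            length, hdr = struct.unpack(">I", data[offset + 2:offset + 6])[0], 6
        else:
            raise ValueError("partial body lengths unsupported")
    else:  # old format: tag in bits 2-5, length-type in the low 2 bits
        tag, ltype = (b0 >> 2) & 0x0F, b0 & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length unsupported")
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(data[offset + 1:offset + hdr], "big")
    start = offset + hdr
    return tag, data[start:start + length], start + length


def v4_fingerprint(key_body: bytes) -> str:
    """SHA-1(0x99 || two-byte body length || body) for a v4 public key."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are supported")
    preimage = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    return hashlib.sha1(preimage).hexdigest().upper()


def primary_fingerprint(keyblock: bytes) -> str:
    """Fingerprint of the first public-key packet (tag 6) in a key block."""
    off = 0
    while off < len(keyblock):
        tag, body, off = read_packet(keyblock, off)
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")


def check_key(data: bytes) -> dict:
    """Accept an armored or binary key file and report what to compare."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = dearmor(data.decode())
    fpr = primary_fingerprint(data)
    long_id, short_id = key_ids(fpr)
    return {"fingerprint": fpr, "long_id": long_id, "short_id": short_id,
            "pinned_ok": matches_pinned(fpr)}


def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_demo_key(n: int = DEMO_N, e: int = 65537, created: int = 1283904000) -> bytes:
    """Constructed v4 RSA public-key packet behind an old-format header
    (0x99 = tag 6, two-byte length). Demo data only, not a real key."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def armor(packets: bytes) -> str:
    """Minimal PGP armor (no CRC line) around packets, for the demo."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    print("pinned key IDs:", key_ids(PINNED_FINGERPRINT))
    print("demo key:", check_key(armor(build_demo_key()).encode()))
```

In practice the same comparison is done with the tools already on the box: `gpg --show-keys --with-fingerprint RPM-GPG-KEY-file` prints the fingerprint, you compare it by eye or script against the pinned value from a second channel (which is what the issue asks the project to publish), and only then `rpm --import` the file and run `rpm -K` on the package. Importing on the strength of the short ID alone skips the step that matters.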

espebra commented 4 years ago

This makes complete sense. We'll get this sorted.