comparison tools/roundup.public.pgp.key @ 7428:186956a87ad7
issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
Added/updated documentation on using gpg signature files for the
distribution to security.txt.
Added signature files to main website/mercurial.
Removed verification documentation from public key file included in
distribution. Key file now references security.txt/.html.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 29 May 2023 18:42:08 -0400 |
| parents | 1e004afe87bb |
| children |
| 7427:36916abe36e9 | 7428:186956a87ad7 |
|---|---|
| 1 This is the public PGP/GPG key used to sign Roundup distributions. It | 1 This is the public PGP/GPG key used to sign Roundup distributions. |
| 2 is used starting with the 1.6.0 release. (Note in this file the @ sign | 2 See the Security document at: |
| 3 in emails have been replaced with the word "at".) | |
| 4 | 3 |
| 5 Key info: Roundup Team (signing key for roundup releases) | 4 https://www.roundup-tracker.org/docs/security.html |
| 6 <roundup-devel at lists.sourceforge.net> | |
| 7 RSA key ID: 756A76D8 | |
| 8 Expires: 2028-07-17 | |
| 9 Key fingerprint = 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8 | |
| 10 | 5 |
| 11 Import the key in this file using: | 6 for details on how to use it. |
| 12 | |
| 13 gpg --import roundup.public.pgp.key | |
| 14 | |
| 15 Then you can use it to verify a downloaded Roundup release from pypi. | |
| 16 Get the url of the release from: | |
| 17 | |
| 18 https://pypi.org/project/roundup | |
| 19 | |
| 20 Example (note there is no 1.5.7 release): | |
| 21 | |
| 22 https://files.pythonhosted.org/packages/bf/14/d61fac5ed2aaca8c720ac4d4077428b8fdafa356089516ba9ee630975d2a/roundup-1.5.7.tar.gz | |
| 23 | |
| 24 download the file then download: | |
| 25 | |
| 26 https://files.pythonhosted.org/packages/bf/14/d61fac5ed2aaca8c720ac4d4077428b8fdafa356089516ba9ee630975d2a/roundup-1.5.7.tar.gz.asc | |
| 27 | |
| 28 (same url as the file with .asc added at the end). | |
| 29 | |
| 30 To verify the tar file run: | |
| 31 | |
| 32 gpg --verify roundup-1.5.7.tar.gz.asc roundup-1.5.7.tar.gz | |
| 33 | |
| 34 and you should see: | |
| 35 | |
| 36 gpg: Signature made Wed 11 Jul 2018 08:40:06 PM EDT using RSA key ID 756A76D8 | |
| 37 gpg: checking the trustdb | |
| 38 [...] | |
| 39 gpg: Good signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" | |
| 40 [...] | |
| 41 | |
| 42 which verifies the tarball integrity. If something is wrong you will see: | |
| 43 | |
| 44 gpg: Signature made Wed 11 Jul 2018 08:40:06 PM EDT using RSA key ID 756A76D8 | |
| 45 gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" | |
| 46 | |
| 47 *do not use* the tarball if the signature is BAD. Email the | |
| 48 roundup-devel mailing list if there is a problem. | |
| 49 | 7 |
| 50 -----BEGIN PGP PUBLIC KEY BLOCK----- | 8 -----BEGIN PGP PUBLIC KEY BLOCK----- |
| 51 | 9 |
| 52 mQINBFtGmH4BEADSLfyuTuAMhaTpNkndkkaQTa5CYIS3QMTO5fsk1+EiRe8BlIZO | 10 mQINBFtGmH4BEADSLfyuTuAMhaTpNkndkkaQTa5CYIS3QMTO5fsk1+EiRe8BlIZO |
| 53 GbBYjs9eLn48SLHl+TyM2pNo/9Yr5Jh3/frbARAOg4wwZLagG5w4KKVY2oxxbJla | 11 GbBYjs9eLn48SLHl+TyM2pNo/9Yr5Jh3/frbARAOg4wwZLagG5w4KKVY2oxxbJla |
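Review bot: the replacement header text keeps only the security.html URL and drops the `Key info`, `RSA key ID`, `Expires` and `Key fingerprint` lines that the old header carried, so the key file no longer states which key it is supposed to contain. Moving the `gpg --import` / `gpg --verify` walkthrough into the security document is reasonable, as the commit message says, but consider keeping the fingerprint line (`Key fingerprint = 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8`) alongside the link: a reader who takes the key file from a distribution tarball can then compare it against the fingerprint published on the website, and the two copies have to agree before the key is trusted. The expiry date is also useful to keep in the file, since a user who imports an expired key gets a less obvious failure than a BAD signature.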
