diff tools/roundup.public.pgp.key @ 7428:186956a87ad7
issue2551279 - GPG support removed from pypi - rewrite pgp signature validation.
Added/updated documentation on using gpg signature files for the
distribution to security.txt.
Added signature files to main website/mercurial.
Removed verification documentation from public key file included in
distribution. Key file now references security.txt/.html.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 29 May 2023 18:42:08 -0400 |
| parents | 1e004afe87bb |
| children |
--- a/tools/roundup.public.pgp.key Mon May 29 18:12:50 2023 -0400 +++ b/tools/roundup.public.pgp.key Mon May 29 18:42:08 2023 -0400 
@@ -1,51 +1,9 @@ -This is the public PGP/GPG key used to sign Roundup distributions. It -is used starting with the 1.6.0 release. (Note in this file the @ sign -in emails have been replaced with the word "at".) - -Key info: Roundup Team (signing key for roundup releases) - <roundup-devel at lists.sourceforge.net> -RSA key ID: 756A76D8 -Expires: 2028-07-17 -Key fingerprint = 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8 - -Import the key in this file using: - - gpg --import roundup.public.pgp.key - -Then you can use it to verify a downloaded Roundup release from pypi. -Get the url of the release from: - - https://pypi.org/project/roundup - -Example (note there is no 1.5.7 release): - - https://files.pythonhosted.org/packages/bf/14/d61fac5ed2aaca8c720ac4d4077428b8fdafa356089516ba9ee630975d2a/roundup-1.5.7.tar.gz +This is the public PGP/GPG key used to sign Roundup distributions. +See the Security document at: -download the file then download: - - https://files.pythonhosted.org/packages/bf/14/d61fac5ed2aaca8c720ac4d4077428b8fdafa356089516ba9ee630975d2a/roundup-1.5.7.tar.gz.asc - -(same url as the file with .asc added at the end). - -To verify the tar file run: - - gpg --verify roundup-1.5.7.tar.gz.asc roundup-1.5.7.tar.gz - -and you should see: + https://www.roundup-tracker.org/docs/security.html - gpg: Signature made Wed 11 Jul 2018 08:40:06 PM EDT using RSA key ID 756A76D8 - gpg: checking the trustdb - [...] - gpg: Good signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" - [...] - -which verifies the tarball integrity. If something is wrong you will see: - - gpg: Signature made Wed 11 Jul 2018 08:40:06 PM EDT using RSA key ID 756A76D8 - gpg: BAD signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" - -*do not use* the tarball if the signature is BAD. Email the -roundup-devel mailing list if there is a problem. +for details on how to use it. 
-----BEGIN PGP PUBLIC KEY BLOCK-----
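Review bot: The new header at the top of the file drops the "RSA key ID: 756A76D8", "Expires: 2028-07-17" and "Key fingerprint = 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8" lines together with the verification walkthrough, so someone who imports this key no longer has anything in the file that identifies which key it should be. Moving the how-to into the security document is reasonable, and a fingerprint stored beside the key it describes was never an independent check. But this hunk does not show that the fingerprint and expiry now appear on the page at https://www.roundup-tracker.org/docs/security.html, so please confirm they do, since that HTTPS-served page becomes the only place a user can compare the imported key against. The new text also points only at the website URL. The commit message says the documentation went into security.txt, so naming the security.txt shipped with the distribution alongside the URL would help someone working from an unpacked tarball without network access. The removed instruction to email the roundup-devel list on a BAD signature should also survive in the new document.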
