RPM GPG Key / Fingerprint validation #140

Open
jeremy-clerc opened this issue May 12, 2020 · 1 comment


@jeremy-clerc

Hello,

Looking at #49, I can see that RPMs are signed which is great. Though I cannot find a reliable (imho) source validating the signing GPG Key.

For varnish-6.0.6-1.el7.x86_64.rpm, Signature : RSA/SHA1, Fri 31 Jan 2020 12:29:02 PM UTC, Key ID 60e7c096c4deffeb
https://keyserver.ubuntu.com/pks/lookup?search=0x60e7c096c4deffeb&fingerprint=on&op=index

I can see in different scripts that you pull C4DEFFEB (which is the shortcut for the same key).
https://keyserver.ubuntu.com/pks/lookup?search=0xC4DEFFEB&fingerprint=on&op=index

Fingerprint looks to be

```
pub   4096R/C4DEFFEB 2010-09-08 [expires: 2020-09-05]
      Key fingerprint = E98C 6BBB A1CB C5C3 EB2D  F21C 60E7 C096 C4DE FFEB
uid                  varnish-cache.org repository key <[email protected]>
```

Could you add the key and fingerprint to https://varnish-cache.org/security/gpg.html? Or at least the fingerprint and where to get it in this repo README?

Thanks!

@espebra

espebra commented May 13, 2020

This makes complete sense. We'll get this sorted.
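The check the issue asks to make possible, as an added example that is not part of the thread or of the project's code: pin the full fingerprint, confirm the imported key has exactly that fingerprint, and confirm the key ID in the package's Signature line is its 64-bit suffix. The function names and the sample `gpg --with-colons` record are constructed for illustration, and the check assumes the package is signed by the primary key.

```python
import re

# Fingerprint as quoted in the issue. In real use, pin a value obtained from a
# source trusted out of band, not from the keyserver that served the key.
PINNED_FPR = "E98C 6BBB A1CB C5C3 EB2D  F21C 60E7 C096 C4DE FFEB"
# Constructed sample inputs; the Signature line is the one quoted in the issue.
SAMPLE_RPM_INFO = "Signature   : RSA/SHA1, Fri 31 Jan 2020 12:29:02 PM UTC, Key ID 60e7c096c4deffeb\n"
SAMPLE_GPG_COLONS = """pub:-:4096:1:60E7C096C4DEFFEB:::::::scESC:
fpr:::::::::E98C6BBBA1CBC5C3EB2DF21C60E7C096C4DEFFEB:
"""

def normalize(hex_id):
    """Drop whitespace and an optional 0x prefix, upper-case, require hex."""
    s = re.sub(r"\s+", "", hex_id).upper()
    s = s[2:] if s.startswith("0X") else s
    if not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError(f"not a hex key identifier: {hex_id!r}")
    return s

def signature_key_id(rpm_info):
    """Key ID from the Signature line of `rpm -qpi` output."""
    m = re.search(r"^Signature\s*:.*Key ID ([0-9A-Fa-f]+)\s*$", rpm_info, re.M)
    if not m:
        raise ValueError("no signature key ID found (unsigned package?)")
    return normalize(m.group(1))

def primary_fingerprints(colons):
    """Primary-key fingerprints from `gpg --with-colons --fingerprint` output."""
    out, want = [], False
    for fields in (line.split(":") for line in colons.splitlines()):
        if fields[0] in ("pub", "sub"):
            want = fields[0] == "pub"  # take only the fpr record after a pub
        elif fields[0] == "fpr" and want and len(fields) > 9:
            out.append(normalize(fields[9]))
            want = False
    return out

def check(rpm_info, colons, pinned=PINNED_FPR):
    """Return (ok, reason). Identifier matching only, not signature verification."""
    fpr = normalize(pinned)
    if len(fpr) != 40:  # rejects short IDs such as C4DEFFEB used as a pin
        return False, "pinned value is not a full 40-hex-digit fingerprint"
    if fpr not in primary_fingerprints(colons):
        return False, "imported key does not have the pinned fingerprint"
    key_id = signature_key_id(rpm_info)
    if len(key_id) < 16 or not fpr.endswith(key_id):
        return False, "signature key ID is short or does not match the pin"
    return True, "signing key ID matches the pinned fingerprint"
```

This only compares identifiers; the signature itself still has to be verified, for example with `rpm -K` against a keyring that holds only the pinned key.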
