NEW 212027
[WPE][GTK] Use project-wide GPG key to sign releases, and upload it in binary format on webkitgtk.org/wpewebkit.org
https://bugs.webkit.org/show_bug.cgi?id=212027
Michael Catanzaro
Reported 2020-05-18 08:18:21 PDT
Currently releases are signed with Carlos's (or Adrian's) personal GPG key. Carlos's key also uses weak signing algorithms, which isn't great. Ideally we would refresh this with a WebKitGTK project key (and WPE WebKit project key, which might be the same).

Fedora packaging guidelines https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification require that the GPG key is uploaded in binary format (not PEM) to some website, so I've been using people.gnome.org to host Carlos's key. Ideally, the project key would be hosted on webkitgtk.org/wpewebkit.org.

This is what I have currently in our RPM spec:

# Created from http://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xF3D322D0EC4582C3
Source2: https://people.gnome.org/~mcatanzaro/gpg-key-D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3.gpg
Michael Catanzaro
Comment 1 2020-05-18 08:21:46 PDT
(In reply to Michael Catanzaro from comment #0)
> Fedora packaging guidelines
> https://docs.fedoraproject.org/en-US/packaging-guidelines/
> #_source_file_verification require that the GPG key is uploaded in binary
> format (not PEM) to some website

Well, it's actually not just a key, it's a GPG keyring containing a single key. I guess a project keyring containing multiple individual keys would work as well.
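A packager can sanity-check a downloaded keyring like the Source2 file above before pointing a spec at it: confirm it is binary OpenPGP rather than ASCII-armored, and count how many primary keys it carries (one for a single-key keyring, more for a project keyring holding several individual keys). This is an added example, not code from the bug report or from WebKit; it parses only OpenPGP packet headers (RFC 4880 section 4.2), and the sample keyring bytes are constructed, not a real key.

```python
# Check a GPG keyring file: must be binary OpenPGP (not armored) and
# report how many primary keys (public-key packets, tag 6) it contains.
# Only packet headers are parsed; packet bodies are skipped over.

PUBLIC_KEY_TAG = 6  # one public-key packet per primary key in a keyring

def _packet_header(data, pos):
    """Return (tag, body_length, header_length) for the packet at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"byte {pos}: not an OpenPGP packet header")
    if first & 0x40:  # new-format header: tag in low 6 bits
        tag = first & 0x3F
        b1 = data[pos + 1]
        if b1 < 192:
            return tag, b1, 2
        if b1 < 224:
            return tag, ((b1 - 192) << 8) + data[pos + 2] + 192, 3
        if b1 == 255:
            return tag, int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        raise ValueError("partial body lengths are not expected in a keyring")
    tag = (first >> 2) & 0x0F  # old-format header: tag in bits 2-5
    ltype = first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not allowed in a keyring")
    n = 1 << ltype  # 1, 2 or 4 length bytes follow
    return tag, int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n

def count_primary_keys(data):
    """Count primary keys in a binary keyring; reject ASCII-armored input."""
    if data.startswith(b"-----BEGIN PGP"):
        raise ValueError("ASCII-armored key; export with --no-armor instead")
    keys, pos = 0, 0
    while pos < len(data):
        tag, body_len, hdr_len = _packet_header(data, pos)
        if tag == PUBLIC_KEY_TAG:
            keys += 1
        pos += hdr_len + body_len
    if pos != len(data):
        raise ValueError("truncated packet at end of keyring")
    return keys

# Constructed sample (not a real key): two primary keys, each followed by a
# user ID packet (tag 13, old-format header 0xB4) and a new-format
# signature packet (tag 2, header 0xC2). Bodies are dummy bytes.
SAMPLE_KEYRING = (
    b"\x98\x05\x04ABCD" + b"\xb4\x05alice" + b"\xc2\x03\x04\x13\x01"
    + b"\x98\x05\x04EFGH" + b"\xb4\x03bob" + b"\xc2\x03\x04\x13\x01"
)
ARMORED_SAMPLE = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQENB...\n"
```

Run `count_primary_keys(open("key.gpg", "rb").read())` on a real keyring; a `ValueError` on the armored check means the file needs re-exporting with `gpg --export --no-armor`.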