[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Jami] Signed packages
|
From: |
amuza |
|
Subject: |
Re: [Jami] Signed packages |
|
Date: |
Sun, 24 Feb 2019 14:54:00 +0000 |
Hey, thanks for your answer.
I have just tried to gpg-verify the .deb package now and realized it is
signed inside!
Thank you.
Sébastien Blin:
> On https://jami.net/download-jami-linux/ you can directly see the key
> used to sign packages (A295D773307D25A33AE72F2F64CD5FA175348F84)
>
> For fedora:
>
> AmarOk@localhost ~ rpm -qpi
> ~/Downloads/ring-20190215.1.07c9194-1.fc29.x86_64.rpm | grep Signature
> Signature : RSA/SHA512, Fri 15 Feb 2019 08:09:10 PM EST, Key ID
> 64cd5fa175348f84
>
>
>
>
> On 2/24/19 7:52 AM, amuza wrote:
>>
>> amuza:
>>> Hi,
>>>
>>> I have not found your OpenPGP keys or signed packages at jami.org
>>>
>>> Maybe they are there and I have not found them. Please let me know if
>>> you gpg-sign your packages.
>>>
>>> Thank you!
>>>
>>>
>> As I got no answer, I guess you don't sign your packages.
>>
>> But, if that's the case, why?
>>
>> It would be good for every Jami user to have a public key we can always
>> trust when verifying a Jami package. Wouldn't it?
>>
>> That is a very common thing, specially for this kind of software. Not
>> having it can make existing and potential new Jami users feel suspicious
>> or less secure.
>>
>> Of course we users would need to trust the signer, maybe by trusting
>> some other signature in their key, but that's a complete different story.
>>
>>
>>