qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[qemu-web PATCH] Add public key for tarball-signing to download page


From: Michael Roth
Subject: [qemu-web PATCH] Add public key for tarball-signing to download page
Date: Tue, 3 May 2022 19:21:29 -0500

We used to have public keys listed on the SecurityProcess page back
when it was still part of the wiki, but they are no longer available
there and some users have asked where to obtain them so they can verify
the tarball signatures.

That was probably not a great place for them anyway, so address this by
adding the public signing key directly to the download page.

Since a compromised tarball has a high likelyhood of coinciding with a
compromised host (in general at least), also include some information
so they can verify the correct signing key via stable tree git tags if
desired.

Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
 _download/source.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/_download/source.html b/_download/source.html
index 8671f4e..c0a55ac 100644
--- a/_download/source.html
+++ b/_download/source.html
@@ -23,6 +23,7 @@ make
 </pre>
        {% endfor %}
 
+       <p>Source tarballs on this site are generated and signed by the package 
maintainer using the public key <a 
href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584";>F108B584</a>.
 This key is also used to tag the QEMU stable releases in the official QEMU 
gitlab mirror, and so can be verified through git as well if there are concerns 
about the authenticity of this information.</p>
        <p>To download and build QEMU from git:</p>
 <pre>git clone https://gitlab.com/qemu-project/qemu.git
 cd qemu
-- 
2.25.1




reply via email to

[Prev in Thread] Current Thread [Next in Thread]