Ticket #11 (new enhancement)
Fedora Contributor Keyring
Reported by: till
Owned by: somebody
In FAS a user only needs to provide the short GPG key ID, and other users can query this ID. But this is not enough information to verify a GPG key. It would be better to ask for the fingerprint of the key. AFAIK the key ID is even part of the fingerprint for RSA keys.
Also, it would be nice if there were an FAS GPG key that signs all keys of all maintainers. For this, after the fingerprint has been provided, the key should be fetched, the fingerprint compared, and the user ID that matches the provided e-mail address signed with the FAS GPG key. Then this signature should be sent, encrypted to the recipient's GPG key, to the provided e-mail address. Now the maintainer should decrypt the signature and send it to a keyserver. Maybe there is also a way to document the FAS username in the signature.
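
Added example, not part of the ticket and not FAS code: a sketch of the fingerprint comparison and user ID selection steps requested above, for version 4 RSA keys as defined in RFC 4880. The function names, the sample key material and the sample addresses are assumptions made for illustration.

```python
import hashlib
import struct
from email.utils import parseaddr
from typing import Optional


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (algorithm ID 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def fingerprint_matches(body: bytes, claimed: str) -> bool:
    """Accept only a full 40-hex-digit fingerprint; a bare key ID is refused."""
    claimed = "".join(claimed.split()).upper()
    if claimed.startswith("0X"):
        claimed = claimed[2:]
    if len(claimed) != 40:
        return False  # short (8) and long (16) key IDs end up here
    return claimed == v4_fingerprint(body)


def uid_to_sign(uids: list, registered_email: str) -> Optional[str]:
    """Return the one user ID whose address equals the registered e-mail."""
    want = registered_email.strip().lower()
    hits = [u for u in uids if parseaddr(u)[1].lower() == want]
    return hits[0] if len(hits) == 1 else None


# Constructed sample key material (toy modulus, not a usable key).
SAMPLE_BODY = v4_rsa_key_body(1200000000, (1 << 1023) + 12345, 65537)
SAMPLE_FPR = v4_fingerprint(SAMPLE_BODY)
SAMPLE_UIDS = ["Jane Packager <jane@example.org>", "Jane (work) <jane@corp.example>"]

if __name__ == "__main__":
    print("fingerprint :", SAMPLE_FPR)
    print("long key ID :", SAMPLE_FPR[-16:])   # low 64 bits of the fingerprint
    print("short key ID:", SAMPLE_FPR[-8:])    # low 32 bits of the fingerprint
    print("full match  :", fingerprint_matches(SAMPLE_BODY, SAMPLE_FPR))
    print("short only  :", fingerprint_matches(SAMPLE_BODY, SAMPLE_FPR[-8:]))
    print("uid to sign :", uid_to_sign(SAMPLE_UIDS, "jane@example.org"))
```

The signing, encryption and mailing steps are left to the OpenPGP tooling; the sketch covers only the checks that decide whether a fetched key may be signed at all.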