Someone pointed out in #fedora that the fedoraproject.org/verify page specifically mentions only the old gpg signing key. This makes someone reading the page wonder if they have a trojanned download since, for example, the F10 beta ISO is signed with the new F10 test key. This short series fixes that by adding the old test key as well as the new F10 and F10 test keys to the fedora.gpg keyblock and updates the verify.html page to include reference to these new keys and which releases they are used to sign.
There is one somewhat unrelated patch in the series which simplifies importing the keys to gpg. I replaced wget ...; gpg --import fedora.gpg with a single curl ... | gpg --import.
fedoraproject.org/data/content/verify.html | 19 ++- fedoraproject.org/static/fedora.gpg | 211 ++++++++++++--------------- 2 files changed, 109 insertions(+), 121 deletions(-)
attachment 0001-Include-the-Fedora-10-keys-in-the-fedora.gpg-keybloc.patch
attachment 0002-Simplify-gpg-import-example-on-fp.o-verify-by-using.patch
attachment 0003-Update-verification-page-to-cover-new-F10-keys.patch
The first two patches have been applied, the last one is a string change, so it will have to wait for after the release.
Thanks a lot for the patches!
The last one has been applied now, thanks again for all of the fixes!
Login to comment on this ticket.