Bug 24322 – The keys actually used to sign the downloads are missing from gpg_keys.html

Status: NEW
Severity: normal
Priority: P1
Component: dlang.org
Product: D
Version: D2
Platform: x86
OS: Windows
Creation time: 2024-01-07T22:01:46Z
Last change time: 2024-12-15T15:28:04Z
Assigned to: No Owner
Creator: Forest
Moved to GitHub: dlang.org#4001

Comments

Comment #0 by forestix — 2024-01-07T22:01:46Z
https://dlang.org/gpg_keys.html lists a bunch of gpg key fingerprints, but none of them match the signatures offered on download.html. Closer inspection reveals that the signatures were made by subkeys, and since gpg_keys.html omits the subkey fingerprints, it cannot be used to check that the signatures are good. In other words, gpg_keys.html is currently useless, and can even lead someone to think the downloads might have been tampered with.

Suggestion: Regenerate gpg_keys.html using the output of
gpg --list-keys --with-subkey-fingerprint
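
The mismatch described in this report, as an added example that is not part of the original report or of dlang.org: it parses a key listing in the shape of `gpg --list-keys --with-colons --with-subkey-fingerprint` and traces a signature's subkey fingerprint back to a published primary fingerprint. The fingerprints are constructed placeholders, and `map_keys` and `resolve_signer` are hypothetical helper names.

```python
# Constructed placeholder fingerprints (not dlang.org keys).
P, S, E = "A" * 40, "B" * 40, "C" * 40

# Constructed sample shaped like:
#   gpg --list-keys --with-colons --with-subkey-fingerprint
# Field 12 of pub/sub is the capability string, field 10 of fpr the fingerprint.
SAMPLE_LISTING = f"""\
pub:-:4096:1:{P[-16:]}:1500000000:::-:::scESC:
fpr:::::::::{P}:
uid:-::::1500000000::::Release Signer (constructed) <signer@example.invalid>:
sub:-:4096:1:{S[-16:]}:1500000000::::::s:
fpr:::::::::{S}:
sub:-:4096:1:{E[-16:]}:1500000000::::::e:
fpr:::::::::{E}:
"""

def map_keys(colon_listing):
    """Return {fingerprint: (primary_fingerprint, capabilities)} for every key."""
    keys, primary, pending = {}, None, None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            # Remember the record type until its fpr line arrives.
            pending = (f[0], f[11] if len(f) > 11 else "")
        elif f[0] == "fpr" and pending and len(f) > 9:
            kind, caps = pending
            if kind == "pub":
                primary = f[9]
            keys[f[9]] = (primary, caps)
            pending = None
    return keys

def resolve_signer(signer_fpr, published_primaries, keys):
    """Classify a signature's key fingerprint against a published primary list."""
    signer_fpr = signer_fpr.replace(" ", "").upper()
    published = {p.replace(" ", "").upper() for p in published_primaries}
    if signer_fpr in published:
        return "primary key is published"
    primary, caps = keys.get(signer_fpr, (None, ""))
    if primary in published and "s" in caps:
        return "signing subkey of published primary " + primary
    return "not traceable to a published key"

if __name__ == "__main__":
    # A page listing only the primary fingerprint never shows S directly.
    print(resolve_signer(S, [P], map_keys(SAMPLE_LISTING)))
```
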
Comment #1 by robert.schadek — 2024-12-15T15:28:04Z
THIS ISSUE HAS BEEN MOVED TO GITHUB https://github.com/dlang/dlang.org/issues/4001 DO NOT COMMENT HERE ANYMORE, NOBODY WILL SEE IT, THIS ISSUE HAS BEEN MOVED TO GITHUB