qemu-devel.nongnu.org archive mirror
From: Michael Roth <michael.roth@amd.com>
To: <qemu-devel@nongnu.org>
Cc: <pbonzini@redhat.com>, <peter.maydell@linaro.org>,
	<thuth@redhat.com>, <stefanha@redhat.com>
Subject: [qemu-web PATCH] Add public key for tarball-signing to download page
Date: Tue, 3 May 2022 19:21:29 -0500
Message-ID: <20220504002129.286001-1-michael.roth@amd.com>

We used to have public keys listed on the SecurityProcess page back
when it was still part of the wiki, but they are no longer available
there and some users have asked where to obtain them so they can verify
the tarball signatures.

That was probably not a great place for them anyway, so address this by
adding the public signing key directly to the download page.

Since a compromised tarball has a high likelihood of coinciding with a
compromised host (in general at least), also include some information
so they can verify the correct signing key via stable tree git tags if
desired.

Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
 _download/source.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/_download/source.html b/_download/source.html
index 8671f4e..c0a55ac 100644
--- a/_download/source.html
+++ b/_download/source.html
@@ -23,6 +23,7 @@ make
 </pre>
 	{% endfor %}
 
+	<p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>. This key is also used to tag the QEMU stable releases in the official QEMU gitlab mirror, and so can be verified through git as well if there are concerns about the authenticity of this information.</p>
 	<p>To download and build QEMU from git:</p>
 <pre>git clone https://gitlab.com/qemu-project/qemu.git
 cd qemu
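Review bot: the visible link text shows only the 32-bit short key id `F108B584`, while the full fingerprint lives only inside the `href`. Short ids are not a safe identifier for a key (distinct keys can share one), and a reader verifying a download compares what they see on the page against `gpg --verify` output, so consider printing the full fingerprint `CEACC9E1 5534EBAB B82D3FA0 3353C9CE F108B584` in the paragraph text itself, ideally with the fetch command (for example `gpg --keyserver hkps://keys.openpgp.org --recv-keys CEACC9E15534EBABB82D3FA03353C9CEF108B584`). The sentence "can be verified through git as well" would be more actionable if it pointed at `git verify-tag` (or `git tag -v`) on a stable tag, and the new `<p>` could be wrapped rather than kept on one very long line so later edits diff cleanly.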
-- 
2.25.1
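Worked verification example, added here and not part of Michael Roth's patch or the qemu-web site: a small POSIX shell script that checks a QEMU source tarball signature, and optionally a stable-release git tag, against the fingerprint from the link in the patch. The only value taken from the page is that fingerprint; the tarball and tag names are placeholders, the status-line parsing relies on gpg's documented `--status-fd` output, and the `import_release_key`, `verify_tarball`, `verify_stable_tag` and `check_validsig_status` names are this example's own. The point it adds to the patch text is that "Good signature" alone is not the check: the full fingerprint on the `VALIDSIG` line is compared, which also covers the case where the release is signed by a subkey of the maintainer key.

```shell
#!/bin/sh
# Added example, not part of the qemu-web patch: check a QEMU source tarball
# (and, optionally, a stable-release git tag) against the release-signing key
# whose fingerprint the download page links to.
#
# "gpg: Good signature" only says that *some* key in your keyring produced a
# valid signature, so this script reads gpg's machine-readable status lines
# and compares the full fingerprint on the VALIDSIG line. The 8-hex-digit
# short id shown in the page text (F108B584) is too short to compare safely;
# the full fingerprint from the page's link is used instead.

# Fingerprint taken from the keys.openpgp.org URL in the patch.
QEMU_RELEASE_KEY_FPR="CEACC9E15534EBABB82D3FA03353C9CEF108B584"

# check_validsig_status EXPECTED_FPR   (gpg status lines on stdin)
#   Succeeds only if a "[GNUPG:] VALIDSIG" line is present and either the
#   signing-key fingerprint (3rd field) or the primary-key fingerprint (last
#   field, reported when a subkey made the signature) equals EXPECTED_FPR.
#   BADSIG / NO_PUBKEY output, or a VALIDSIG from some other key, fails.
check_validsig_status() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# import_release_key: fetch the key once from the keyserver the page links to.
import_release_key() {
    gpg --batch --keyserver hkps://keys.openpgp.org \
        --recv-keys "$QEMU_RELEASE_KEY_FPR"
}

# verify_tarball TARBALL DETACHED_SIG [EXPECTED_FPR]
#   e.g. verify_tarball qemu-X.Y.Z.tar.xz qemu-X.Y.Z.tar.xz.sig (placeholders)
#   --status-fd 1 puts the machine-readable lines on stdout; the human-readable
#   text on stderr is dropped because it is not what we decide on.
verify_tarball() {
    fpr=${3:-$QEMU_RELEASE_KEY_FPR}
    gpg --batch --no-tty --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | check_validsig_status "$fpr"
}

# verify_stable_tag TAG [EXPECTED_FPR]
#   Run inside a clone of https://gitlab.com/qemu-project/qemu.git. With
#   --raw, git verify-tag prints gpg's status lines on stderr, so they are
#   redirected into the same check as the tarball case.
verify_stable_tag() {
    fpr=${2:-$QEMU_RELEASE_KEY_FPR}
    git verify-tag --raw "$1" 2>&1 >/dev/null | check_validsig_status "$fpr"
}

# Command-line use: verify_qemu.sh TARBALL SIG [TAG]
if [ "$#" -ge 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "tarball signature OK, made by key $QEMU_RELEASE_KEY_FPR"
    else
        echo "tarball signature NOT made by the expected key" >&2
        exit 1
    fi
    if [ "$#" -ge 3 ]; then
        verify_stable_tag "$3" && echo "tag $3 is signed by the same key"
    fi
fi
```

Run `import_release_key` once, then `verify_qemu.sh qemu-X.Y.Z.tar.xz qemu-X.Y.Z.tar.xz.sig vX.Y.Z` from inside a QEMU checkout. Comparing the tag's `VALIDSIG` fingerprint with the tarball's is what turns the patch's "can be verified through git as well" into a concrete check: a download page and a tarball that agree with each other but not with the tag signatures on the gitlab mirror is the case the commit message is worried about.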

Thread overview: 4+ messages
2022-05-04  0:21 Michael Roth [this message]
2022-05-04  6:31 ` [qemu-web PATCH] Add public key for tarball-signing to download page Thomas Huth
2022-05-04  9:25   ` Stefan Hajnoczi
2022-05-04 10:40 ` Daniel P. Berrangé