* [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
@ 2026-01-05 17:40 Petr Lautrbach
2026-01-06 22:03 ` Paul Moore
0 siblings, 1 reply; 14+ messages in thread
From: Petr Lautrbach @ 2026-01-05 17:40 UTC (permalink / raw)
To: selinux; +Cc: Petr Lautrbach
The key is available at:
https://github.com/bachradsusi.gpg
https://plautrba.fedorapeople.org/lautrbach@redhat.com.gpg
Also update the email address
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
SECURITY.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/SECURITY.md b/SECURITY.md
index 2a7ce5b317a7..faa060ccff03 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -24,7 +24,8 @@ list is below. We typically request at most a 90 day time period to address
the issue before it is made public, but we will make every effort to address
the issue as quickly as possible and shorten the disclosure window.
-* Petr Lautrbach, plautrba@redhat.com
+* Petr Lautrbach, lautrbach@redhat.com
+ * (GPG fingerprint) 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
* Nicolas Iooss, nicolas.iooss@m4x.org
* (GPG fingerprint) E25E 254C 8EE4 D303 554B F5AF EC70 1A1D A494 C5EB
* Jeffrey Vander Stoep, jeffv@google.com
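Review bot: the commit body gives a reviewer no way to check that the fingerprint added in `+ * (GPG fingerprint) 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E` is the primary-key fingerprint rather than a subkey's; name the command whose output it was copied from (for example `gpg --fingerprint lautrbach@redhat.com`) so the entry can be reproduced the way the neighbouring Nicolas Iooss entry can. The hunk also changes the security-contact address from plautrba@redhat.com to lautrbach@redhat.com, which the subject line does not mention; a contact-address change in SECURITY.md deserves its own sentence in the body (or its own commit) rather than the bare "Also update the email address". The nested-bullet indentation of the new line matches the existing `* (GPG fingerprint)` entry, so the formatting is consistent.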
--
2.52.0
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-05 17:40 [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint Petr Lautrbach
@ 2026-01-06 22:03 ` Paul Moore
2026-01-07 12:08 ` Petr Lautrbach
0 siblings, 1 reply; 14+ messages in thread
From: Paul Moore @ 2026-01-06 22:03 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: selinux
On Mon, Jan 5, 2026 at 12:46 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> The key is available at:
> https://github.com/bachradsusi.gpg
> https://plautrba.fedorapeople.org/lautrbach@redhat.com.gpg
>
> Also update the email address
>
> Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
> ---
> SECURITY.md | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/SECURITY.md b/SECURITY.md
> index 2a7ce5b317a7..faa060ccff03 100644
> --- a/SECURITY.md
> +++ b/SECURITY.md
> @@ -24,7 +24,8 @@ list is below. We typically request at most a 90 day time period to address
> the issue before it is made public, but we will make every effort to address
> the issue as quickly as possible and shorten the disclosure window.
>
> -* Petr Lautrbach, plautrba@redhat.com
> +* Petr Lautrbach, lautrbach@redhat.com
> + * (GPG fingerprint) 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
I think you may want to list the fingerprint of your primary key and
not a subkey, as the primary key is what carries the signatures and
helps verify trust.
> * Nicolas Iooss, nicolas.iooss@m4x.org
> * (GPG fingerprint) E25E 254C 8EE4 D303 554B F5AF EC70 1A1D A494 C5EB
> * Jeffrey Vander Stoep, jeffv@google.com
> --
> 2.52.0
--
paul-moore.com
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-06 22:03 ` Paul Moore
@ 2026-01-07 12:08 ` Petr Lautrbach
2026-01-07 20:18 ` Paul Moore
0 siblings, 1 reply; 14+ messages in thread
From: Petr Lautrbach @ 2026-01-07 12:08 UTC (permalink / raw)
To: Paul Moore, selinux
Paul Moore <paul@paul-moore.com> writes:
> On Mon, Jan 5, 2026 at 12:46 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>>
>> The key is available at:
>> https://github.com/bachradsusi.gpg
>> https://plautrba.fedorapeople.org/lautrbach@redhat.com.gpg
>>
>> Also update the email address
>>
>> Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
>> ---
>> SECURITY.md | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/SECURITY.md b/SECURITY.md
>> index 2a7ce5b317a7..faa060ccff03 100644
>> --- a/SECURITY.md
>> +++ b/SECURITY.md
>> @@ -24,7 +24,8 @@ list is below. We typically request at most a 90 day time period to address
>> the issue before it is made public, but we will make every effort to address
>> the issue as quickly as possible and shorten the disclosure window.
>>
>> -* Petr Lautrbach, plautrba@redhat.com
>> +* Petr Lautrbach, lautrbach@redhat.com
>> + * (GPG fingerprint) 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
>
> I think you may want to list the fingerprint of your primary key and
> not a subkey, as the primary key is what carries the signatures and
> helps verify trust.
>
I guess I need help then:
$ gpg --show-keys --fingerprint lautrbach@redhat.com.gpg
pub rsa4096/63A8AD4B982C4373 2012-04-03 [SC]
Key fingerprint = E853 C184 8B01 85CF 4286 4DF3 63A8 AD4B 982C 4373
Keygrip = 6BC6915CA93F20709BC8B5020B8E22D7E6ED2F94
uid Petr Lautrbach <plautrba@redhat.com>
sub rsa4096/06C3AB0B84CA81FE 2017-12-05 [A]
Keygrip = 04808A09AA88E1CB0055033ACBC0A27D4ED46237
sub rsa4096/BE22091E3EF62275 2017-12-05 [S]
Keygrip = 56BA5B9D06707CA797DD4380A7ED91A95ED233CE
sub rsa4096/7C4D5CA6A1BC4B25 2012-04-03 [E]
Keygrip = B0FED3D171572C546D4601AB94C1852E46A02FE6
pub rsa4096/BC3905F235179CF1 2022-10-26 [SC] [expired: 2024-10-25]
Key fingerprint = B868 2847 764D F60D F52D 992C BC39 05F2 3517 9CF1
Keygrip = FA0CE92171EEBAC2DD084E6399F18709A2F7353B
uid Petr Lautrbach <lautrbach@redhat.com>
sub rsa4096/F1B73DE3D81A529B 2022-10-26 [E] [expired: 2024-10-25]
Keygrip = 3A28778B1F09A154888A372BE543AB2CA12BB4F1
sub rsa4096/2F2D5A2B6D4CC2C5 2022-10-26 [A] [expired: 2024-10-25]
Keygrip = E5B12C87E5760AC68443C63D620AD3E407A67FA7
sub rsa4096/4695881C254508D1 2022-10-26 [S] [expired: 2024-10-25]
Keygrip = 55F576834D965A315EC66BF1327BAA810A5A2587
gpg: WARNING: No valid encryption subkey left over.
pub rsa4096/FB4C685B5DC1C13E 2024-11-04 [SC] [expires: 2026-11-04]
Key fingerprint = 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
Keygrip = 834230A0854D7A8698B5432C007560FE7AECC504
uid Petr Lautrbach <lautrbach@redhat.com>
sub rsa4096/C500C028A770AB66 2024-11-04 [E] [expires: 2026-11-04]
Keygrip = 2EF1D48B43E234CAAE155A0AD032C00063FCB102
sub rsa4096/CDCAE8C927C6BE31 2024-11-04 [S] [expires: 2026-11-04]
Keygrip = CAE3E6B80FFD15958C813CC635CFFDF9F86D9C17
sub rsa4096/37BCD711A64B2890 2024-11-04 [AR] [expires: 2026-11-04]
Keygrip = 850707DAF56607DEABD28933FD0A77D382923F1C
I'm looking at the last one, Petr Lautrbach <lautrbach@redhat.com>
[expires: 2026-11-04]
>> * Nicolas Iooss, nicolas.iooss@m4x.org
>> * (GPG fingerprint) E25E 254C 8EE4 D303 554B F5AF EC70 1A1D A494 C5EB
>> * Jeffrey Vander Stoep, jeffv@google.com
>> --
>> 2.52.0
>
> --
> paul-moore.com
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-07 12:08 ` Petr Lautrbach
@ 2026-01-07 20:18 ` Paul Moore
2026-01-08 8:57 ` Petr Lautrbach
0 siblings, 1 reply; 14+ messages in thread
From: Paul Moore @ 2026-01-07 20:18 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: selinux
On Wed, Jan 7, 2026 at 7:08 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> Paul Moore <paul@paul-moore.com> writes:
> > On Mon, Jan 5, 2026 at 12:46 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
> >>
> >> The key is available at:
> >> https://github.com/bachradsusi.gpg
> >> https://plautrba.fedorapeople.org/lautrbach@redhat.com.gpg
> >>
> >> Also update the email address
> >>
> >> Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
> >> ---
> >> SECURITY.md | 3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/SECURITY.md b/SECURITY.md
> >> index 2a7ce5b317a7..faa060ccff03 100644
> >> --- a/SECURITY.md
> >> +++ b/SECURITY.md
> >> @@ -24,7 +24,8 @@ list is below. We typically request at most a 90 day time period to address
> >> the issue before it is made public, but we will make every effort to address
> >> the issue as quickly as possible and shorten the disclosure window.
> >>
> >> -* Petr Lautrbach, plautrba@redhat.com
> >> +* Petr Lautrbach, lautrbach@redhat.com
> >> + * (GPG fingerprint) 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
> >
> > I think you may want to list the fingerprint of your primary key and
> > not a subkey, as the primary key is what carries the signatures and
> > helps verify trust.
> >
>
> I guess I need help then:
>
> $ gpg --show-keys --fingerprint lautrbach@redhat.com.gpg
You want to use the key fingerprint which displays when you run 'gpg
--fingerprint <email>'. Assuming you have the keys for the other devs
in your keyring, you'll notice that command can be used to reproduce
the other fingerprints in the file.
% gpg --fingerprint plautrba@redhat.com
pub rsa4096 2012-04-03 [SC]
E853 C184 8B01 85CF 4286 4DF3 63A8 AD4B 982C 4373
uid [ full ] Petr Lautrbach <plautrba@redhat.com>
sub rsa4096 2012-04-03 [E]
sub rsa4096 2017-12-05 [S]
sub rsa4096 2017-12-05 [A]
% gpg --fingerprint paul@paul-moore.com
pub rsa4096 2011-10-10 [SC]
7100 AADF AE6E 6E94 0D2E 0AD6 55E4 5A5A E8CA 7C8A
uid [ultimate] Paul Moore <paul@paul-moore.com>
uid [ultimate] Paul Moore <pcmoore@umich.edu>
sub rsa4096 2018-10-15 [E]
sub rsa4096 2018-10-15 [S]
sub rsa4096 2020-06-19 [A]
> >> * Nicolas Iooss, nicolas.iooss@m4x.org
> >> * (GPG fingerprint) E25E 254C 8EE4 D303 554B F5AF EC70 1A1D A494 C5EB
> >> * Jeffrey Vander Stoep, jeffv@google.com
> >> --
> >> 2.52.0
--
paul-moore.com
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-07 20:18 ` Paul Moore
@ 2026-01-08 8:57 ` Petr Lautrbach
2026-01-09 21:29 ` Paul Moore
0 siblings, 1 reply; 14+ messages in thread
From: Petr Lautrbach @ 2026-01-08 8:57 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux
Paul Moore <paul@paul-moore.com> writes:
> On Wed, Jan 7, 2026 at 7:08 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> Paul Moore <paul@paul-moore.com> writes:
>> > On Mon, Jan 5, 2026 at 12:46 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> >>
>> >> The key is available at:
>> >> https://github.com/bachradsusi.gpg
>> >> https://plautrba.fedorapeople.org/lautrbach@redhat.com.gpg
>> >>
>> >> Also update the email address
>> >>
>> >> Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
>> >> ---
>> >> SECURITY.md | 3 ++-
>> >> 1 file changed, 2 insertions(+), 1 deletion(-)
>> >>
>> >> diff --git a/SECURITY.md b/SECURITY.md
>> >> index 2a7ce5b317a7..faa060ccff03 100644
>> >> --- a/SECURITY.md
>> >> +++ b/SECURITY.md
>> >> @@ -24,7 +24,8 @@ list is below. We typically request at most a 90 day time period to address
>> >> the issue before it is made public, but we will make every effort to address
>> >> the issue as quickly as possible and shorten the disclosure window.
>> >>
>> >> -* Petr Lautrbach, plautrba@redhat.com
>> >> +* Petr Lautrbach, lautrbach@redhat.com
>> >> + * (GPG fingerprint) 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
>> >
>> > I think you may want to list the fingerprint of your primary key and
>> > not a subkey, as the primary key is what carries the signatures and
>> > helps verify trust.
>> >
>>
>> I guess I need help then:
>>
>> $ gpg --show-keys --fingerprint lautrbach@redhat.com.gpg
>
> You want to use the key fingerprint which displays when you run 'gpg
> --fingerprint <email>'. Assuming you have the keys for the other devs
> in your keyring, you'll notice that command can be used to reproduce
> the other fingerprints in the file.
>
> % gpg --fingerprint plautrba@redhat.com
> pub rsa4096 2012-04-03 [SC]
> E853 C184 8B01 85CF 4286 4DF3 63A8 AD4B 982C 4373
> uid [ full ] Petr Lautrbach <plautrba@redhat.com>
> sub rsa4096 2012-04-03 [E]
> sub rsa4096 2017-12-05 [S]
> sub rsa4096 2017-12-05 [A]
I've also changed my email contact address to lautrbach@redhat.com, which I
have been using for some time already:
> From: Petr Lautrbach <lautrbach@redhat.com>
> -* Petr Lautrbach, plautrba@redhat.com
> +* Petr Lautrbach, lautrbach@redhat.com
> Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
$ git log | grep lautrbach@redhat.com | wc -l
175
$ gpg --fingerprint lautrbach@redhat.com
pub rsa4096/FB4C685B5DC1C13E 2024-11-04 [SC] [expires: 2026-11-04]
Key fingerprint = 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
Keygrip = 834230A0854D7A8698B5432C007560FE7AECC504
uid [ultimate] Petr Lautrbach <lautrbach@redhat.com>
sub rsa4096/C500C028A770AB66 2024-11-04 [E] [expires: 2026-11-04]
Key fingerprint = 58E9 06B2 5680 15A7 91C8 D2EC C500 C028 A770 AB66
Keygrip = 2EF1D48B43E234CAAE155A0AD032C00063FCB102
sub rsa4096/CDCAE8C927C6BE31 2024-11-04 [S] [expires: 2026-11-04]
Key fingerprint = 7200 EB2C 3F5E 4884 63C0 CE9E CDCA E8C9 27C6 BE31
Keygrip = CAE3E6B80FFD15958C813CC635CFFDF9F86D9C17
sub rsa4096/37BCD711A64B2890 2024-11-04 [AR] [expires: 2026-11-04]
Key fingerprint = 832F CF4A 82B0 7F2A 51E4 3DDB 37BC D711 A64B 2890
Keygrip = 850707DAF56607DEABD28933FD0A77D382923F1C
pub rsa4096/BC3905F235179CF1 2022-10-26 [SC] [expired: 2024-10-25]
Key fingerprint = B868 2847 764D F60D F52D 992C BC39 05F2 3517 9CF1
Keygrip = FA0CE92171EEBAC2DD084E6399F18709A2F7353B
uid [ expired] Petr Lautrbach <lautrbach@redhat.com>
> % gpg --fingerprint paul@paul-moore.com
> pub rsa4096 2011-10-10 [SC]
> 7100 AADF AE6E 6E94 0D2E 0AD6 55E4 5A5A E8CA 7C8A
> uid [ultimate] Paul Moore <paul@paul-moore.com>
> uid [ultimate] Paul Moore <pcmoore@umich.edu>
> sub rsa4096 2018-10-15 [E]
> sub rsa4096 2018-10-15 [S]
> sub rsa4096 2020-06-19 [A]
>
>> >> * Nicolas Iooss, nicolas.iooss@m4x.org
>> >> * (GPG fingerprint) E25E 254C 8EE4 D303 554B F5AF EC70 1A1D A494 C5EB
>> >> * Jeffrey Vander Stoep, jeffv@google.com
>> >> --
>> >> 2.52.0
>
> --
> paul-moore.com
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-08 8:57 ` Petr Lautrbach
@ 2026-01-09 21:29 ` Paul Moore
2026-01-14 18:28 ` Petr Lautrbach
0 siblings, 1 reply; 14+ messages in thread
From: Paul Moore @ 2026-01-09 21:29 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: selinux
On Thu, Jan 8, 2026 at 3:57 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> Paul Moore <paul@paul-moore.com> writes:
> > On Wed, Jan 7, 2026 at 7:08 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> >> Paul Moore <paul@paul-moore.com> writes:
> >> > On Mon, Jan 5, 2026 at 12:46 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
...
> >> >> diff --git a/SECURITY.md b/SECURITY.md
> >> >> index 2a7ce5b317a7..faa060ccff03 100644
> >> >> --- a/SECURITY.md
> >> >> +++ b/SECURITY.md
> >> >> @@ -24,7 +24,8 @@ list is below. We typically request at most a 90 day time period to address
> >> >> the issue before it is made public, but we will make every effort to address
> >> >> the issue as quickly as possible and shorten the disclosure window.
> >> >>
> >> >> -* Petr Lautrbach, plautrba@redhat.com
> >> >> +* Petr Lautrbach, lautrbach@redhat.com
> >> >> + * (GPG fingerprint) 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
> >> >
> >> > I think you may want to list the fingerprint of your primary key and
> >> > not a subkey, as the primary key is what carries the signatures and
> >> > helps verify trust.
> >> >
> >>
> >> I guess I need help then:
> >>
> >> $ gpg --show-keys --fingerprint lautrbach@redhat.com.gpg
> >
> > You want to use the key fingerprint which displays when you run 'gpg
> > --fingerprint <email>'. Assuming you have the keys for the other devs
> > in your keyring, you'll notice that command can be used to reproduce
> > the other fingerprints in the file.
> >
> > % gpg --fingerprint plautrba@redhat.com
> > pub rsa4096 2012-04-03 [SC]
> > E853 C184 8B01 85CF 4286 4DF3 63A8 AD4B 982C 4373
> > uid [ full ] Petr Lautrbach <plautrba@redhat.com>
> > sub rsa4096 2012-04-03 [E]
> > sub rsa4096 2017-12-05 [S]
> > sub rsa4096 2017-12-05 [A]
>
> I've also changed my email contact address to lautrbach@redhat.com, which I
> have been using for some time already:
>
> > From: Petr Lautrbach <lautrbach@redhat.com>
>
> > -* Petr Lautrbach, plautrba@redhat.com
> > +* Petr Lautrbach, lautrbach@redhat.com
There are mechanisms to add a new identity to an existing GPG key:
https://docs.github.com/en/authentication/managing-commit-signature-verification/associating-an-email-with-your-gpg-key
--
paul-moore.com
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-09 21:29 ` Paul Moore
@ 2026-01-14 18:28 ` Petr Lautrbach
2026-01-14 20:55 ` Paul Moore
0 siblings, 1 reply; 14+ messages in thread
From: Petr Lautrbach @ 2026-01-14 18:28 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux
Paul Moore <paul@paul-moore.com> writes:
> On Thu, Jan 8, 2026 at 3:57 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> Paul Moore <paul@paul-moore.com> writes:
>> > On Wed, Jan 7, 2026 at 7:08 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> >> Paul Moore <paul@paul-moore.com> writes:
>> >> > On Mon, Jan 5, 2026 at 12:46 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> ...
>
>> >> >> diff --git a/SECURITY.md b/SECURITY.md
>> >> >> index 2a7ce5b317a7..faa060ccff03 100644
>> >> >> --- a/SECURITY.md
>> >> >> +++ b/SECURITY.md
>> >> >> @@ -24,7 +24,8 @@ list is below. We typically request at most a 90 day time period to address
>> >> >> the issue before it is made public, but we will make every effort to address
>> >> >> the issue as quickly as possible and shorten the disclosure window.
>> >> >>
>> >> >> -* Petr Lautrbach, plautrba@redhat.com
>> >> >> +* Petr Lautrbach, lautrbach@redhat.com
>> >> >> + * (GPG fingerprint) 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
>> >> >
>> >> > I think you may want to list the fingerprint of your primary key and
>> >> > not a subkey, as the primary key is what carries the signatures and
>> >> > helps verify trust.
>> >> >
>> >>
>> >> I guess I need help then:
>> >>
>> >> $ gpg --show-keys --fingerprint lautrbach@redhat.com.gpg
>> >
>> > You want to use the key fingerprint which displays when you run 'gpg
>> > --fingerprint <email>'. Assuming you have the keys for the other devs
>> > in your keyring, you'll notice that command can be used to reproduce
>> > the other fingerprints in the file.
>> >
>> > % gpg --fingerprint plautrba@redhat.com
>> > pub rsa4096 2012-04-03 [SC]
>> > E853 C184 8B01 85CF 4286 4DF3 63A8 AD4B 982C 4373
>> > uid [ full ] Petr Lautrbach <plautrba@redhat.com>
>> > sub rsa4096 2012-04-03 [E]
>> > sub rsa4096 2017-12-05 [S]
>> > sub rsa4096 2017-12-05 [A]
>>
>> I've also changed my email contact address to lautrbach@redhat.com, which I
>> have been using for some time already:
>>
>> > From: Petr Lautrbach <lautrbach@redhat.com>
>>
>> > -* Petr Lautrbach, plautrba@redhat.com
>> > +* Petr Lautrbach, lautrbach@redhat.com
>
> There are mechanisms to add a new identity to an existing GPG key:
>
> https://docs.github.com/en/authentication/managing-commit-signature-verification/associating-an-email-with-your-gpg-key
>
I could add plautrba@redhat.com to lautrbach@redhat.com (68D2 1823 342A
1368 3AEB 3E4E FB4C 685B 5DC1 C13E) but it would not make any
difference for this purpose.
I use the lautrbach@redhat.com email address and I expect people to send me encrypted
emails there using the 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E key.
I have been using the lautrbach@redhat.com identity for signing since SELinux userspace release
3.6 in December 2023.
$ gpg --verify checkpolicy-3.6.tar.gz.asc
gpg: assuming signed data in 'checkpolicy-3.6.tar.gz'
gpg: Signature made Wed 13 Dec 2023 03:47:30 PM CET
gpg: using RSA key 1BE2C0FF08949623102FD2564695881C254508D1
gpg: Good signature from "Petr Lautrbach <lautrbach@redhat.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: B868 2847 764D F60D F52D 992C BC39 05F2 3517 9CF1
Subkey fingerprint: 1BE2 C0FF 0894 9623 102F D256 4695 881C 2545 08D1
$ gpg --verify checkpolicy-3.9.tar.gz.asc
gpg: assuming signed data in 'checkpolicy-3.9.tar.gz'
gpg: Signature made Wed 16 Jul 2025 12:55:48 PM CEST
gpg: using RSA key 7200EB2C3F5E488463C0CE9ECDCAE8C927C6BE31
gpg: Good signature from "Petr Lautrbach <plautrba@redhat.com>" [ultimate]
gpg: aka "Petr Lautrbach <lautrbach@redhat.com>" [ultimate]
Primary key fingerprint: 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
Subkey fingerprint: 7200 EB2C 3F5E 4884 63C0 CE9E CDCA E8C9 27C6 BE31
The only copy of the private key of E853 C184 8B01 85CF 4286 4DF3 63A8 AD4B 982C 4373
was on my YubiKey, which I destroyed a few years ago when I forgot the PIN.
Petr
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-14 18:28 ` Petr Lautrbach
@ 2026-01-14 20:55 ` Paul Moore
2026-01-15 8:00 ` Petr Lautrbach
0 siblings, 1 reply; 14+ messages in thread
From: Paul Moore @ 2026-01-14 20:55 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: selinux
On Wed, Jan 14, 2026 at 1:28 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
> Paul Moore <paul@paul-moore.com> writes:
> > On Thu, Jan 8, 2026 at 3:57 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> >> Paul Moore <paul@paul-moore.com> writes:
> >> > On Wed, Jan 7, 2026 at 7:08 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> >> >> Paul Moore <paul@paul-moore.com> writes:
> >> >> > On Mon, Jan 5, 2026 at 12:46 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
> >
> > ...
> >
> >> >> >> diff --git a/SECURITY.md b/SECURITY.md
> >> >> >> index 2a7ce5b317a7..faa060ccff03 100644
> >> >> >> --- a/SECURITY.md
> >> >> >> +++ b/SECURITY.md
> >> >> >> @@ -24,7 +24,8 @@ list is below. We typically request at most a 90 day time period to address
> >> >> >> the issue before it is made public, but we will make every effort to address
> >> >> >> the issue as quickly as possible and shorten the disclosure window.
> >> >> >>
> >> >> >> -* Petr Lautrbach, plautrba@redhat.com
> >> >> >> +* Petr Lautrbach, lautrbach@redhat.com
> >> >> >> + * (GPG fingerprint) 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
> >> >> >
> >> >> > I think you may want to list the fingerprint of your primary key and
> >> >> > not a subkey, as the primary key is what carries the signatures and
> >> >> > helps verify trust.
> >> >> >
> >> >>
> >> >> I guess I need help then:
> >> >>
> >> >> $ gpg --show-keys --fingerprint lautrbach@redhat.com.gpg
> >> >
> >> > You want to use the key fingerprint which displays when you run 'gpg
> >> > --fingerprint <email>'. Assuming you have the keys for the other devs
> >> > in your keyring, you'll notice that command can be used to reproduce
> >> > the other fingerprints in the file.
> >> >
> >> > % gpg --fingerprint plautrba@redhat.com
> >> > pub rsa4096 2012-04-03 [SC]
> >> > E853 C184 8B01 85CF 4286 4DF3 63A8 AD4B 982C 4373
> >> > uid [ full ] Petr Lautrbach <plautrba@redhat.com>
> >> > sub rsa4096 2012-04-03 [E]
> >> > sub rsa4096 2017-12-05 [S]
> >> > sub rsa4096 2017-12-05 [A]
> >>
> >> I've also changed my email contact address to lautrbach@redhat.com, which I
> >> have been using for some time already:
> >>
> >> > From: Petr Lautrbach <lautrbach@redhat.com>
> >>
> >> > -* Petr Lautrbach, plautrba@redhat.com
> >> > +* Petr Lautrbach, lautrbach@redhat.com
> >
> > There are mechanisms to add a new identity to an existing GPG key:
> >
> > https://docs.github.com/en/authentication/managing-commit-signature-verification/associating-an-email-with-your-gpg-key
>
>
> I could add plautrba@redhat.com to lautrbach@redhat.com (68D2 1823 342A
> 1368 3AEB 3E4E FB4C 685B 5DC1 C13E) but it would not make any
> difference for this purpose.
>
> I use the lautrbach@redhat.com email address and I expect people to send me encrypted
> emails there using the 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E key.
>
> I have been using the lautrbach@redhat.com identity for signing since SELinux userspace release
> 3.6 in December 2023.
>
> $ gpg --verify checkpolicy-3.6.tar.gz.asc
> gpg: assuming signed data in 'checkpolicy-3.6.tar.gz'
> gpg: Signature made Wed 13 Dec 2023 03:47:30 PM CET
> gpg: using RSA key 1BE2C0FF08949623102FD2564695881C254508D1
> gpg: Good signature from "Petr Lautrbach <lautrbach@redhat.com>" [expired]
> gpg: Note: This key has expired!
> Primary key fingerprint: B868 2847 764D F60D F52D 992C BC39 05F2 3517 9CF1
> Subkey fingerprint: 1BE2 C0FF 0894 9623 102F D256 4695 881C 2545 08D1
>
> $ gpg --verify checkpolicy-3.9.tar.gz.asc
> gpg: assuming signed data in 'checkpolicy-3.9.tar.gz'
> gpg: Signature made Wed 16 Jul 2025 12:55:48 PM CEST
> gpg: using RSA key 7200EB2C3F5E488463C0CE9ECDCAE8C927C6BE31
> gpg: Good signature from "Petr Lautrbach <plautrba@redhat.com>" [ultimate]
> gpg: aka "Petr Lautrbach <lautrbach@redhat.com>" [ultimate]
> Primary key fingerprint: 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
> Subkey fingerprint: 7200 EB2C 3F5E 4884 63C0 CE9E CDCA E8C9 27C6 BE31
>
> The only copy of the private key of E853 C184 8B01 85CF 4286 4DF3 63A8 AD4B 982C 4373
> was on my YubiKey, which I destroyed a few years ago when I forgot the PIN.
First off, if you've lost access to your primary GPG key you likely
want to create a new GPG key and get that signed by other trusted
SELinux developers; I'm sure you remember the process, but we can
discuss more offline if needed.
Beyond that, I think there is a disconnect between the different GPG
key types, signatures, etc. There is a link below which I think may
help explain the differences, but if you are already familiar with GPG
keys and I'm simply misunderstanding things, please feel free to
ignore the link (the post is somewhat lengthy).
https://davesteele.github.io/gpg/2014/09/20/anatomy-of-a-gpg-key
When listing GPG key fingerprints, people list the fingerprint of
their primary key, as that is the key which is signed by others, and
the key used to sign other people's (primary) keys. This primary key
is then used to sign the subkeys associated with the primary key;
these subkeys are what are typically used for signing, encryption, and
in some cases authentication (ssh, etc.). For example, if you look at
my entry in the SECURITY.md file you will see a key fingerprint of
7100..., the fingerprint of my primary key, but if you look at the
kernel tag signatures you see that I'm using my signature subkey.
[NOTE: command output trimmed for clarity]
% gpg --fingerprint paul@paul-moore.com
pub rsa4096 2011-10-10 [SC]
7100...
uid [ultimate] Paul Moore <paul@paul-moore.com>
sub rsa4096 2018-10-15 [E]
sub rsa4096 2018-10-15 [S]
sub rsa4096 2020-06-19 [A]
% git tag --verify selinux-pr-20251201
selinux/stable-6.19 PR 20251201
gpg: Signature made Mon 01 Dec 2025 03:54:57 PM EST
gpg: using RSA key 4B42...
gpg: issuer "paul@paul-moore.com"
gpg: Good signature from "Paul Moore <paul@paul-moore.com>" [ultimate]
% gpg --list-key 4B42...
pub rsa4096 2011-10-10 [SC]
7100...
uid [ultimate] Paul Moore <paul@paul-moore.com>
sub rsa4096 2018-10-15 [E]
sub rsa4096 2018-10-15 [S]
sub rsa4096 2020-06-19 [A]
I believe that if you look at the other GPG fingerprints in
SECURITY.md you will see that they are all fingerprints of primary
keys, not subkeys.
--
paul-moore.com
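Paul's two points above, that `gpg --fingerprint <email>` reproduces the primary-key fingerprints listed in SECURITY.md, and that a signature made with a subkey (`gpg --verify` reporting `using RSA key ...`, `git tag --verify` likewise) resolves back to a primary key, can be checked mechanically. The Python below is an added example, not code from the SELinux project or from anyone in this thread. It parses the machine-readable listing GnuPG prints for `gpg --with-colons --fingerprint --fingerprint --list-keys`, assuming the record layout from GnuPG's doc/DETAILS (field 1 record type, field 5 key ID, field 7 expiry as epoch seconds, field 10 the fingerprint on `fpr` records, field 12 the capability letters, lower case for the key's own capabilities); it then classifies a fingerprint as primary or subkey, maps a subkey back to its primary, and flags a primary key that has expired or has no usable encryption subkey, the condition behind the `No valid encryption subkey left over` warning Petr pasted. The embedded listing is constructed for the example from the key IDs, dates and fingerprints shown in the thread (simplified to the fields the parser reads), and the function names `parse_colons`, `classify`, `primary_for` and `check_entry` are the example's own.

```python
# Added example (not the SELinux project's code): tell primary-key fingerprints
# from subkey fingerprints in GnuPG's colon-separated key listing.
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Key:
    keyid: str
    capabilities: str        # lower-case letters = this key's own capabilities
    expires: Optional[int]   # epoch seconds; None when the key never expires
    fingerprint: str = ""
    subkeys: List["Key"] = field(default_factory=list)

def parse_colons(text: str) -> List[Key]:
    """Group pub/sub/fpr records into primary keys with their subkeys; other
    record types (uid, grp, sig, tru, ...) are skipped."""
    keys, primary, awaiting_fpr = [], None, None
    for line in text.splitlines():
        f = line.split(":") + [""] * 12      # pad so short lines index safely
        if f[0] in ("pub", "sub"):
            k = Key(keyid=f[4].upper(), capabilities=f[11],
                    expires=int(f[6]) if f[6].isdigit() else None)
            if f[0] == "pub":
                primary = k
                keys.append(k)
            elif primary is not None:
                primary.subkeys.append(k)
            awaiting_fpr = k                 # its fpr record comes next
        elif f[0] == "fpr" and awaiting_fpr is not None:
            awaiting_fpr.fingerprint = f[9].upper()
            awaiting_fpr = None
    return keys

def normalize(fpr: str) -> str:
    """'68D2 1823 ...' (SECURITY.md style) and '68d21823...' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()

def format_fpr(fpr: str) -> str:
    """Render as SECURITY.md does: groups of four hex digits."""
    n = normalize(fpr)
    return " ".join(n[i:i + 4] for i in range(0, len(n), 4))

def classify(keys: List[Key], fpr: str) -> str:
    """'primary', 'subkey' or 'unknown' for a fingerprint as listed in SECURITY.md."""
    want = normalize(fpr)
    for k in keys:
        if k.fingerprint == want:
            return "primary"
        if any(s.fingerprint == want for s in k.subkeys):
            return "subkey"
    return "unknown"

def primary_for(keys: List[Key], ref: str) -> Optional[Key]:
    """Map the key gpg --verify reports ('using RSA key ...': a full fingerprint
    or a 16-hex-digit key ID) back to the primary key it belongs to."""
    ref = normalize(ref)
    for k in keys:
        for cand in [k] + k.subkeys:
            if cand.fingerprint == ref or cand.keyid == ref:
                return k
    return None

def check_entry(keys: List[Key], fpr: str, now: int) -> List[str]:
    """Findings a maintainer would want before merging a SECURITY.md entry."""
    findings = []
    kind = classify(keys, fpr)
    if kind != "primary":
        findings.append(f"{format_fpr(fpr)} is a {kind} fingerprint, not a primary key")
    k = primary_for(keys, fpr)
    if k is None:
        return findings
    if k.expires is not None and k.expires <= now:
        findings.append(f"primary key {k.keyid} expired")
    # Same condition gpg warns about: nothing unexpired on the key can encrypt.
    usable = [c for c in [k] + k.subkeys
              if "e" in c.capabilities and (c.expires is None or c.expires > now)]
    if not usable:
        findings.append(f"primary key {k.keyid} has no usable encryption subkey")
    return findings

# Constructed listing: the 2024 key with its E/S subkeys and the expired 2022
# key with its S subkey, using the IDs, dates and fingerprints from the thread.
SAMPLE_LISTING = """\
pub:u:4096:1:FB4C685B5DC1C13E:1730678400:1793750400::u:::scESC::::::23::0:
fpr:::::::::68D21823342A13683AEB3E4EFB4C685B5DC1C13E:
sub:u:4096:1:C500C028A770AB66:1730678400:1793750400:::::e::::::23:
fpr:::::::::58E906B2568015A791C8D2ECC500C028A770AB66:
sub:u:4096:1:CDCAE8C927C6BE31:1730678400:1793750400:::::s::::::23:
fpr:::::::::7200EB2C3F5E488463C0CE9ECDCAE8C927C6BE31:
pub:e:4096:1:BC3905F235179CF1:1666742400:1729814400::u:::sc::::::23::0:
fpr:::::::::B8682847764DF60DF52D992CBC3905F235179CF1:
sub:e:4096:1:4695881C254508D1:1666742400:1729814400:::::s::::::23:
fpr:::::::::1BE2C0FF08949623102FD2564695881C254508D1:
"""
KEYS = parse_colons(SAMPLE_LISTING)
NOW = 1767225600   # 2026-01-01T00:00:00Z, the thread's timeframe

if __name__ == "__main__":
    for entry in ("68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E",
                  "7200 EB2C 3F5E 4884 63C0 CE9E CDCA E8C9 27C6 BE31",
                  "B868 2847 764D F60D F52D 992C BC39 05F2 3517 9CF1"):
        print(entry, "->", classify(KEYS, entry), check_entry(KEYS, entry, NOW) or "ok")
```

Against a real keyring, pipe that gpg command's output into `parse_colons` instead of `SAMPLE_LISTING`; a SECURITY.md entry passes when `check_entry` returns no findings, and the key a release signature was made with can be handed to `primary_for` to confirm it hangs off the listed primary.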
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-14 20:55 ` Paul Moore
@ 2026-01-15 8:00 ` Petr Lautrbach
2026-01-15 16:22 ` Paul Moore
0 siblings, 1 reply; 14+ messages in thread
From: Petr Lautrbach @ 2026-01-15 8:00 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux
Paul Moore <paul@paul-moore.com> writes:
> On Wed, Jan 14, 2026 at 1:28 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> Paul Moore <paul@paul-moore.com> writes:
>> > On Thu, Jan 8, 2026 at 3:57 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> >> Paul Moore <paul@paul-moore.com> writes:
>> >> > On Wed, Jan 7, 2026 at 7:08 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> >> >> Paul Moore <paul@paul-moore.com> writes:
>> >> >> > On Mon, Jan 5, 2026 at 12:46 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> >
>> > ...
>> >
>> >> >> >> diff --git a/SECURITY.md b/SECURITY.md
>> >> >> >> index 2a7ce5b317a7..faa060ccff03 100644
>> >> >> >> --- a/SECURITY.md
>> >> >> >> +++ b/SECURITY.md
>> >> >> >> @@ -24,7 +24,8 @@ list is below. We typically request at most a 90 day time period to address
>> >> >> >> the issue before it is made public, but we will make every effort to address
>> >> >> >> the issue as quickly as possible and shorten the disclosure window.
>> >> >> >>
>> >> >> >> -* Petr Lautrbach, plautrba@redhat.com
>> >> >> >> +* Petr Lautrbach, lautrbach@redhat.com
>> >> >> >> + * (GPG fingerprint) 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
>> >> >> >
>> >> >> > I think you may want to list the fingerprint of your primary key and
>> >> >> > not a subkey, as the primary key is what carries the signatures and
>> >> >> > helps verify trust.
>> >> >> >
>> >> >>
>> >> >> I guess I need help then:
>> >> >>
>> >> >> $ gpg --show-keys --fingerprint lautrbach@redhat.com.gpg
>> >> >
>> >> > You want to use the key fingerprint which displays when you run 'gpg
>> >> > --fingerprint <email>'. Assuming you have the keys for the other devs
>> >> > in your keyring, you'll notice that command can be used to reproduce
>> >> > the other fingerprints in the file.
>> >> >
>> >> > % gpg --fingerprint plautrba@redhat.com
>> >> > pub rsa4096 2012-04-03 [SC]
>> >> > E853 C184 8B01 85CF 4286 4DF3 63A8 AD4B 982C 4373
>> >> > uid [ full ] Petr Lautrbach <plautrba@redhat.com>
>> >> > sub rsa4096 2012-04-03 [E]
>> >> > sub rsa4096 2017-12-05 [S]
>> >> > sub rsa4096 2017-12-05 [A]
>> >>
>> >> I've also changed my email contact address to lautrbach@redhat.com, which I
>> >> have been using for some time already:
>> >>
>> >> > From: Petr Lautrbach <lautrbach@redhat.com>
>> >>
>> >> > -* Petr Lautrbach, plautrba@redhat.com
>> >> > +* Petr Lautrbach, lautrbach@redhat.com
>> >
>> > There are mechanisms to add a new identity to an existing GPG key:
>> >
>> > https://docs.github.com/en/authentication/managing-commit-signature-verification/associating-an-email-with-your-gpg-key
>>
>>
>> I could add plautrba@redhat.com to lautrbach@redhat.com (68D2 1823 342A
>> 1368 3AEB 3E4E FB4C 685B 5DC1 C13E) but it would not make any
>> difference for this purpose.
>>
>> I use the lautrbach@redhat.com email address and I expect people to send me encrypted
>> emails there using the 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E key.
>>
>> I have been using the lautrbach@redhat.com identity for signing since SELinux userspace release
>> 3.6 in December 2023.
>>
>> $ gpg --verify checkpolicy-3.6.tar.gz.asc
>> gpg: assuming signed data in 'checkpolicy-3.6.tar.gz'
>> gpg: Signature made Wed 13 Dec 2023 03:47:30 PM CET
>> gpg: using RSA key 1BE2C0FF08949623102FD2564695881C254508D1
>> gpg: Good signature from "Petr Lautrbach <lautrbach@redhat.com>" [expired]
>> gpg: Note: This key has expired!
>> Primary key fingerprint: B868 2847 764D F60D F52D 992C BC39 05F2 3517 9CF1
>> Subkey fingerprint: 1BE2 C0FF 0894 9623 102F D256 4695 881C 2545 08D1
>>
>> $ gpg --verify checkpolicy-3.9.tar.gz.asc
>> gpg: assuming signed data in 'checkpolicy-3.9.tar.gz'
>> gpg: Signature made Wed 16 Jul 2025 12:55:48 PM CEST
>> gpg: using RSA key 7200EB2C3F5E488463C0CE9ECDCAE8C927C6BE31
>> gpg: Good signature from "Petr Lautrbach <plautrba@redhat.com>" [ultimate]
>> gpg: aka "Petr Lautrbach <lautrbach@redhat.com>" [ultimate]
>> Primary key fingerprint: 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
>> Subkey fingerprint: 7200 EB2C 3F5E 4884 63C0 CE9E CDCA E8C9 27C6 BE31
>>
>> The only copy of the private key of E853 C184 8B01 85CF 4286 4DF3 63A8 AD4B 982C 4373
>> was on my YubiKey, which I destroyed a few years ago when I forgot the PIN.
>
[...]
> Beyond that, I think there is a disconnect between the different GPG
> key types, signatures, etc. There is a link below which I think may
> help explain the differences, but if you are already familiar with GPG
> keys and I'm simply misunderstanding things, please feel free to
> ignore the link (the post is somewhat lengthy).
>
> https://davesteele.github.io/gpg/2014/09/20/anatomy-of-a-gpg-key
>
> When listing GPG key fingerprints, people list the fingerprint of
> their primary key, as that is the key which is signed by others, and
> the key used to sign other people's (primary) keys. This primary key
> is then used to sign the subkeys associated with the primary key;
> these subkeys are what are typically used for signing, encryption, and
> in some cases authentication (ssh, etc.). For example, if you look at
> my entry in the SECURITY.md file you will see a key fingerprint of
> 7100..., the fingerprint of my primary key, but if you look at the
> kernel tag signatures you see that I'm using my signature subkey.
>
> [NOTE: command output trimmed for clarity]
>
> % gpg --fingerprint paul@paul-moore.com
> pub rsa4096 2011-10-10 [SC]
> 7100...
> uid [ultimate] Paul Moore <paul@paul-moore.com>
> sub rsa4096 2018-10-15 [E]
> sub rsa4096 2018-10-15 [S]
> sub rsa4096 2020-06-19 [A]
> % git tag --verify selinux-pr-20251201
> selinux/stable-6.19 PR 20251201
> gpg: Signature made Mon 01 Dec 2025 03:54:57 PM EST
> gpg: using RSA key 4B42...
> gpg: issuer "paul@paul-moore.com"
> gpg: Good signature from "Paul Moore <paul@paul-moore.com>" [ultimate]
> % gpg --list-key 4B42...
> pub rsa4096 2011-10-10 [SC]
> 7100...
> uid [ultimate] Paul Moore <paul@paul-moore.com>
> sub rsa4096 2018-10-15 [E]
> sub rsa4096 2018-10-15 [S]
> sub rsa4096 2020-06-19 [A]
>
> I believe that if you look at the other GPG fingerprints in
> SECURITY.md you will see that they are all fingerprints of primary
> keys, not subkeys.
>
"68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E" is not a subkey.
$ gpg --fingerprint lautrbach@redhat.com
pub rsa4096/FB4C685B5DC1C13E 2024-11-04 [SC] [expires: 2026-11-04]
Key fingerprint = 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Keygrip = 834230A0854D7A8698B5432C007560FE7AECC504
uid [ultimate] Petr Lautrbach <plautrba@redhat.com>
uid [ultimate] Petr Lautrbach <lautrbach@redhat.com>
sub rsa4096/C500C028A770AB66 2024-11-04 [E] [expires: 2026-11-04]
Key fingerprint = 58E9 06B2 5680 15A7 91C8 D2EC C500 C028 A770 AB66
Keygrip = 2EF1D48B43E234CAAE155A0AD032C00063FCB102
sub rsa4096/CDCAE8C927C6BE31 2024-11-04 [S] [expires: 2026-11-04]
Key fingerprint = 7200 EB2C 3F5E 4884 63C0 CE9E CDCA E8C9 27C6 BE31
Keygrip = CAE3E6B80FFD15958C813CC635CFFDF9F86D9C17
sub rsa4096/37BCD711A64B2890 2024-11-04 [AR] [expires: 2026-11-04]
Key fingerprint = 832F CF4A 82B0 7F2A 51E4 3DDB 37BC D711 A64B 2890
Keygrip = 850707DAF56607DEABD28933FD0A77D382923F1C
$ gpg --list-key FB4C685B5DC1C13E
pub rsa4096/FB4C685B5DC1C13E 2024-11-04 [SC] [expires: 2026-11-04]
Key fingerprint = 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
Keygrip = 834230A0854D7A8698B5432C007560FE7AECC504
uid [ultimate] Petr Lautrbach <lautrbach@redhat.com>
sub rsa4096/C500C028A770AB66 2024-11-04 [E] [expires: 2026-11-04]
Keygrip = 2EF1D48B43E234CAAE155A0AD032C00063FCB102
sub rsa4096/CDCAE8C927C6BE31 2024-11-04 [S] [expires: 2026-11-04]
Keygrip = CAE3E6B80FFD15958C813CC635CFFDF9F86D9C17
sub rsa4096/37BCD711A64B2890 2024-11-04 [AR] [expires: 2026-11-04]
Keygrip = 850707DAF56607DEABD28933FD0A77D382923F1C
$ git tag -s -m "check signature" check
$ git tag --verify check
object 374ee744d6ed84ee2ca70c90be023290409a8fa4
type commit
tag check
tagger Petr Lautrbach <lautrbach@redhat.com> 1768463780 +0100
check signature
gpg: Signature made Thu 15 Jan 2026 08:56:20 AM CET
gpg: using RSA key 7200EB2C3F5E488463C0CE9ECDCAE8C927C6BE31
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2026-11-04
gpg: Good signature from "Petr Lautrbach <lautrbach@redhat.com>" [ultimate]
Primary key fingerprint: 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
Subkey fingerprint: 7200 EB2C 3F5E 4884 63C0 CE9E CDCA E8C9 27C6 BE31
I've dropped all but the one key from https://plautrba.fedorapeople.org/lautrbach@redhat.com.gpg
# curl -O https://plautrba.fedorapeople.org/lautrbach@redhat.com.gpg
# gpg --show-keys --fingerprint lautrbach@redhat.com.gpg
pub rsa4096 2024-11-04 [SC] [expires: 2026-11-04]
68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
uid Petr Lautrbach <lautrbach@redhat.com>
sub rsa4096 2024-11-04 [E] [expires: 2026-11-04]
sub rsa4096 2024-11-04 [S] [expires: 2026-11-04]
sub rsa4096 2024-11-04 [AR] [expires: 2026-11-04]
^ permalink raw reply [flat|nested] 14+ messages in thread
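The exchange above turns on one distinction: a fingerprint published in SECURITY.md should identify the primary key, while a release or tag signature is normally made by a signing subkey bound to that primary key, and the "Primary key fingerprint" / "Subkey fingerprint" lines that gpg prints are how you tie the two together. As an added example (not code from the thread or from the SELinux project), the Python below parses the `gpg --fingerprint` listing and the `git tag --verify` transcript quoted in this thread and answers the question being argued: is the proposed fingerprint a primary key or a subkey, and was the signature made by a signing-capable subkey bound to that primary key. The function names, the `Key` dataclass and the wording of the findings are my own; the listing and transcript are copied from the messages above (keygrip lines trimmed).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the thread: `gpg --fingerprint lautrbach@redhat.com` (keygrip lines trimmed).
LISTING = """\
pub   rsa4096/FB4C685B5DC1C13E 2024-11-04 [SC] [expires: 2026-11-04]
      Key fingerprint = 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
uid                 [ultimate] Petr Lautrbach <lautrbach@redhat.com>
sub   rsa4096/C500C028A770AB66 2024-11-04 [E] [expires: 2026-11-04]
      Key fingerprint = 58E9 06B2 5680 15A7 91C8 D2EC C500 C028 A770 AB66
sub   rsa4096/CDCAE8C927C6BE31 2024-11-04 [S] [expires: 2026-11-04]
      Key fingerprint = 7200 EB2C 3F5E 4884 63C0 CE9E CDCA E8C9 27C6 BE31
sub   rsa4096/37BCD711A64B2890 2024-11-04 [AR] [expires: 2026-11-04]
      Key fingerprint = 832F CF4A 82B0 7F2A 51E4 3DDB 37BC D711 A64B 2890
"""
# Copied from the thread: tail of `git tag --verify check`.
TAG_VERIFY = """\
gpg: Signature made Thu 15 Jan 2026 08:56:20 AM CET
gpg:                using RSA key 7200EB2C3F5E488463C0CE9ECDCAE8C927C6BE31
gpg: Good signature from "Petr Lautrbach <lautrbach@redhat.com>" [ultimate]
Primary key fingerprint: 68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E
     Subkey fingerprint: 7200 EB2C 3F5E 4884 63C0 CE9E CDCA E8C9 27C6 BE31
"""
SECURITY_MD_FPR = "68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E"  # the patch's entry

HDR_RE = re.compile(r"^(pub|sub)\s+\S+\s+\d{4}-\d{2}-\d{2}\s+\[([A-Z]+)\]")
FPR_RE = re.compile(r"^(?:Key fingerprint\s*=\s*)?((?:[0-9A-Fa-f]{4}\s*){10})$")
USED_RE = re.compile(r"using \w+ key ([0-9A-Fa-f]{40}|[0-9A-Fa-f]{16})")

@dataclass
class Key:
    kind: str          # "pub" = primary key, "sub" = subkey
    caps: str          # usage flags as gpg prints them: S sign, C certify, E encrypt, A auth
    primary: str = ""  # fingerprint of the primary key this key belongs to (itself for "pub")

def normalize_hex(s: str) -> str:
    """Strip spaces and upper-case; accept only a long key ID (16 hex) or a fingerprint (40 hex)."""
    h = re.sub(r"\s+", "", s).upper()
    if not re.fullmatch(r"[0-9A-F]{16}|[0-9A-F]{40}", h):
        raise ValueError(f"not a key ID or fingerprint: {s!r}")
    return h

def parse_fingerprint_listing(text: str) -> Dict[str, Key]:
    """Map fingerprint -> Key from `gpg --fingerprint` or `gpg --show-keys --fingerprint` output.
    A fingerprint follows its pub/sub header as 'Key fingerprint = ...' or as a bare line."""
    keys: Dict[str, Key] = {}
    pending: Optional[Key] = None  # header seen, its fingerprint line not yet seen
    primary = ""
    for raw in text.splitlines():
        line = raw.strip()
        hdr = HDR_RE.match(line)
        if hdr:
            pending = Key(kind=hdr.group(1), caps=hdr.group(2))
            continue
        fpr = FPR_RE.match(line)
        if fpr and pending is not None:
            fp = normalize_hex(fpr.group(1))
            if pending.kind == "pub":
                primary = fp
            elif not primary:
                raise ValueError("subkey listed before any primary key")
            pending.primary = primary
            keys[fp] = pending
            pending = None
    return keys

def find_key(keys: Dict[str, Key], hex_id: str) -> Optional[str]:
    """Resolve a full fingerprint or a long key ID (its last 16 hex digits) to the full fingerprint."""
    needle = normalize_hex(hex_id)
    return next((fp for fp in keys if fp.endswith(needle)), None)

def classify_fingerprint(keys: Dict[str, Key], hex_id: str) -> str:
    """The question raised in the thread: 'primary', 'subkey' or 'unknown'?"""
    fp = find_key(keys, hex_id)
    return "unknown" if fp is None else ("primary" if keys[fp].kind == "pub" else "subkey")

def audit_entry(listing_text: str = LISTING, verify_text: str = TAG_VERIFY,
                listed: str = SECURITY_MD_FPR) -> List[str]:
    """Cross-check a SECURITY.md fingerprint against the keyring listing and a verify transcript.
    [] means: the entry is a primary key and a good, unexpired signature was made by a
    signing-capable subkey bound to that primary key."""
    keys = parse_fingerprint_listing(listing_text)
    listed_fp = find_key(keys, listed)
    if listed_fp is None:
        return [f"{normalize_hex(listed)} is not in the keyring listing"]
    findings: List[str] = []
    if keys[listed_fp].kind != "pub":
        findings.append(f"{listed_fp} is a subkey; list its primary key {keys[listed_fp].primary}")
    if "Good signature" not in verify_text or "[expired]" in verify_text:
        findings.append("verify output does not report a good signature from an unexpired key")
    used = USED_RE.search(verify_text)
    sig_fp = find_key(keys, used.group(1)) if used else None
    if sig_fp is None:
        return findings + ["signing key in verify output is missing or not in the keyring listing"]
    if keys[sig_fp].primary != keys[listed_fp].primary:
        findings.append(f"signing key {sig_fp} is not bound to the listed primary key")
    if "S" not in keys[sig_fp].caps:
        findings.append(f"signing key has capabilities [{keys[sig_fp].caps}], not S")
    return findings
```

With the data from this thread, `classify_fingerprint(parse_fingerprint_listing(LISTING), SECURITY_MD_FPR)` returns `"primary"` and `audit_entry()` returns an empty list: the 68D2... entry is the primary key and the tag was signed by its [S] subkey 7200.... Feeding it the older checkpolicy-3.6 transcript quoted earlier in the thread instead produces findings for the expired key and for a signing key that is not bound to the listed primary. Note that this only establishes the structural relationship between the published fingerprint and the signing key; whether that primary key should be trusted at all is the separate web-of-trust question the rest of the thread is about.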
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-15 8:00 ` Petr Lautrbach
@ 2026-01-15 16:22 ` Paul Moore
2026-01-15 17:01 ` Petr Lautrbach
0 siblings, 1 reply; 14+ messages in thread
From: Paul Moore @ 2026-01-15 16:22 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: selinux
On Thu, Jan 15, 2026 at 3:01 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> "68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E" is not a subkey.
Okay, in this case you need to get this new key signed by other
individuals trusted by the SELinux community before we can consider
including it in the SECURITY.md file.
--
paul-moore.com
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-15 16:22 ` Paul Moore
@ 2026-01-15 17:01 ` Petr Lautrbach
2026-01-15 18:30 ` Paul Moore
0 siblings, 1 reply; 14+ messages in thread
From: Petr Lautrbach @ 2026-01-15 17:01 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux
Paul Moore <paul@paul-moore.com> writes:
> On Thu, Jan 15, 2026 at 3:01 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>>
>> "68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E" is not a subkey.
>
> Okay, in this case you need to get this new key signed by other
> individuals trusted by the SELinux community before we can consider
> including it in the SECURITY.md file.
>
My idea was:
Before this patch my address was there without a GPG fingerprint. It means
that I could be contacted directly via unencrypted email.
The key I used in this patch was already used for the SELinux userspace
release; the public key is available at 2 different locations connected to
me - GitHub (I'm part of the SELinux organization) and
plautrba.fedorapeople.org (I've been a packager for 15+ years), and it's also
used in Fedora [1] and RHEL [2] - only Red Hat employees can push there, and it
was me who pushed [3]. That being said, I expected that the key was
already trusted due to all the records.
But I see your point. I'll send another patch which will remove my address from SECURITY.md
and, when the key is signed, I'll put it back.
[1] https://src.fedoraproject.org/rpms/policycoreutils/blob/rawhide/f/bachradsusi.gpg
[2] https://gitlab.com/redhat/centos-stream/rpms/policycoreutils/-/blob/c10s/bachradsusi.gpg?ref_type=heads
[3] https://gitlab.com/redhat/centos-stream/rpms/policycoreutils/-/commit/02af42ef7ea24c279708ea83cc2698b738bdee8c
Petr
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-15 17:01 ` Petr Lautrbach
@ 2026-01-15 18:30 ` Paul Moore
2026-01-15 18:34 ` Paul Moore
0 siblings, 1 reply; 14+ messages in thread
From: Paul Moore @ 2026-01-15 18:30 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: selinux
On Thu, Jan 15, 2026 at 12:02 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
> Paul Moore <paul@paul-moore.com> writes:
>
> > On Thu, Jan 15, 2026 at 3:01 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> >>
> >> "68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E" is not a subkey.
> >
> > Okay, in this case you need to get this new key signed by other
> > individuals trusted by the SELinux community before we can consider
> > including it in the SECURITY.md file.
> >
>
> My idea was:
>
> Before this patch my address was there without gpg fingerprint. It means
> that I could be contacted directly via un-encrypted email.
Yes. However, I believe there are usually different levels of trust
associated with plaintext and encrypted email.
> The key I used in this patch was already used for SELinux userspace
> release ...
I think the understanding was that release signing would be done by
individuals with a GPG key signed by others in the SELinux community
to help establish trust. However, as you pointed out, I don't think we
documented that requirement or enforced it properly; we should do so
in the future.
> ... public key is available at 2 different locations connected to
> me - github (I'm part of SELinux organization) and
> plautrba.fedorapeople.org (I'm a packager for 15+ years) and it's also
> used in Fedora [1] and RHEL [2] - only Red Hat employees can push there and it
> was me who pushed [3]. That being said I expected that the key is
> already trusted due to all the records.
While that demonstrates some level of trust between that user/key and
those organizations (GH, Fedora, IBM/RH), it doesn't establish a level
of trust between that user/key and the SELinux community.
> But I see your point. I'll send another patch which will remove my address from SECURITY.md
> and when the key is signed, I'll return it back.
Great, thank you. If you want to also propose an update to the
release process wiki page describing the signing process and
requirements I think that would be a good thing.
https://github.com/SELinuxProject/selinux/wiki/Release-Process
--
paul-moore.com
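The requirement Paul states twice above (first in the short reply asking for the key to be signed by individuals trusted by the SELinux community, then in the distinction between trust established with GitHub, Fedora or Red Hat and trust established with the SELinux community) is something a maintainer can check mechanically before accepting a SECURITY.md change. As an added example that is not code from the thread or from the SELinux project, the Python below evaluates that policy over the colon-separated output of `gpg --check-sigs --with-colons`. The sample output is constructed (every key ID, fingerprint and name in it is made up; the thread does not show this output for any real key), the trusted-signer table is a placeholder, and the field layout I parse (field 2 validity, field 5 signer long key ID, field 10 user ID, field 11 signature class) is my reading of gpg's DETAILS document and should be treated as an assumption to verify against your gpg version.

```python
from typing import Dict, List, Tuple

# Constructed sample in the shape of `gpg --check-sigs --with-colons <fingerprint>` output.
# All identifiers and names are made up. Assumed layout: field 1 record type; field 2 validity
# ('!' good, '-' bad, '?' signer key not in keyring); field 5 signer long key ID; field 10 user
# ID; field 11 signature class (0x10..0x13 certify a user ID; trailing 'x' exportable, 'l' local).
SAMPLE_CHECK_SIGS = """\
pub:-:4096:1:CAFEBABE00000001:1730000000:1793000000::-:::scSC::::::23::0:
fpr:::::::::000000000000000000000000CAFEBABE00000001:
uid:-::::1730000000::0000000000000000000000000000000000000000::Candidate Maintainer <candidate@example.org>::::::::::0:
sig:!::1:CAFEBABE00000001:1730000000::::Candidate Maintainer <candidate@example.org>:13x:::::8:
sig:!::1:AAAA000000000001:1736000000::::Trusted Member One <one@example.org>:10x:::::8:
sig:!::1:BBBB000000000002:1736000000::::Trusted Member Two <two@example.org>:10l:::::8:
sig:?::1:CCCC000000000003:1736000000::::[User ID not found]:10x:::::8:
sig:-::1:DDDD000000000004:1736000000::::Trusted Member Four <four@example.org>:10x:::::8:
sig:!::1:EEEE000000000005:1736000000::::Random Person <random@example.org>:10x:::::8:
"""

# Placeholder table of community members whose certifications count. In practice this would
# be derived from the fingerprints already in SECURITY.md, not typed in by hand.
TRUSTED_COMMUNITY_KEYIDS: Dict[str, str] = {
    "AAAA000000000001": "Trusted Member One",
    "BBBB000000000002": "Trusted Member Two",
    "DDDD000000000004": "Trusted Member Four",
}
CERT_CLASSES = {"10", "11", "12", "13"}  # generic, persona, casual, positive certification

def parse_check_sigs(colons: str) -> List[Dict[str, object]]:
    """One dict per 'sig' record: signer key ID, check status, signer UID, class, self-sig flag."""
    own = None
    sigs: List[Dict[str, object]] = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            own = f[4]
        elif f[0] == "sig" and len(f) > 10:
            sigs.append({"signer": f[4], "status": f[1], "uid": f[9],
                         "class": f[10], "self": f[4] == own})
    return sigs

def certifying_community_members(colons: str, trusted: Dict[str, str],
                                 require_exportable: bool = True) -> List[str]:
    """Distinct trusted signers whose certification verified ('!') and is a certification
    class, ignoring the key's own self-signatures and, by default, local (non-exportable) sigs.
    Bad ('-') and unverifiable ('?') signatures never count."""
    good = set()
    for s in parse_check_sigs(colons):
        if s["self"] or s["status"] != "!" or str(s["class"])[:2] not in CERT_CLASSES:
            continue
        if require_exportable and not str(s["class"]).endswith("x"):
            continue
        if s["signer"] in trusted:
            good.add(str(s["signer"]))
    return sorted(good)

def meets_listing_policy(colons: str, trusted: Dict[str, str],
                         minimum: int = 2) -> Tuple[bool, List[str]]:
    """Decide whether a candidate key has enough community certifications to be listed."""
    members = certifying_community_members(colons, trusted)
    return len(members) >= minimum, members
```

On the constructed sample only one certification counts: Trusted Member One's is good and exportable; Member Two's is local-only, Member Four's fails verification, the `?` record's signer is not in the keyring, and Random Person is not in the trusted table. So the candidate passes a one-signature policy and fails a two-signature one, which is the kind of threshold a project would write into its release-process page. Two caveats for real use: a `!` status only means the certification verifies against a key present in your keyring, so run this against a keyring populated from the fingerprints in SECURITY.md rather than from a keyserver, and compare signers by full fingerprint rather than the 64-bit key IDs used here for brevity.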
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-15 18:30 ` Paul Moore
@ 2026-01-15 18:34 ` Paul Moore
2026-01-15 19:29 ` Petr Lautrbach
0 siblings, 1 reply; 14+ messages in thread
From: Paul Moore @ 2026-01-15 18:34 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: selinux
On Thu, Jan 15, 2026 at 1:30 PM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Jan 15, 2026 at 12:02 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
> > Paul Moore <paul@paul-moore.com> writes:
> >
> > > On Thu, Jan 15, 2026 at 3:01 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> > >>
> > >> "68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E" is not a subkey.
> > >
> > > Okay, in this case you need to get this new key signed by other
> > > individuals trusted by the SELinux community before we can consider
> > > including it in the SECURITY.md file.
> > >
> >
> > My idea was:
> >
> > Before this patch my address was there without gpg fingerprint. It means
> > that I could be contacted directly via un-encrypted email.
>
> Yes. However, I believe there are usually different levels of trust
> associated with plaintext and encrypted email.
>
> > The key I used in this patch was already used for SELinux userspace
> > release ...
>
> I think the understanding was that release signing would be done by
> individuals with a GPG key signed by others in the SELinux community
> to help establish trust. However, as you pointed out I don't think we
> documented that requirement or enforced it properly, we should do so
> in the future.
>
> > ... public key is available at 2 different locations connected to
> > me - github (I'm part of SELinux organization) and
> > plautrba.fedorapeople.org (I'm a packager for 15+ years) and it's also
> > used in Fedora [1] and RHEL [2] - only Red Hat employees can push there and it
> > was me who pushed [3]. That being said I expected that the key is
> > already trusted due to all the records.
>
> While that demonstrates some level of trust between that user/key and
> those organizations (GH, Fedora, IBM/RH), it doesn't establish a level
> of trust between that user/key and the SELinux community.
... and I should say that I have no reason to believe you are not the
Good Petr who is a valued member of the SELinux community, but there
are rumors of an Evil Petr and I just want to make sure we do the
right thing from a community perspective ;)
Apologies for what may seem like excessive pedantry on this.
--
paul-moore.com
* Re: [PATCH] SECURITY.md: add lautrbach@redhat.com gpg fingerprint
2026-01-15 18:34 ` Paul Moore
@ 2026-01-15 19:29 ` Petr Lautrbach
0 siblings, 0 replies; 14+ messages in thread
From: Petr Lautrbach @ 2026-01-15 19:29 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux
Paul Moore <paul@paul-moore.com> writes:
> On Thu, Jan 15, 2026 at 1:30 PM Paul Moore <paul@paul-moore.com> wrote:
>> On Thu, Jan 15, 2026 at 12:02 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> > Paul Moore <paul@paul-moore.com> writes:
>> >
>> > > On Thu, Jan 15, 2026 at 3:01 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> > >>
>> > >> "68D2 1823 342A 1368 3AEB 3E4E FB4C 685B 5DC1 C13E" is not a subkey.
>> > >
>> > > Okay, in this case you need to get this new key signed by other
>> > > individuals trusted by the SELinux community before we can consider
>> > > including it in the SECURITY.md file.
>> > >
>> >
>> > My idea was:
>> >
>> > Before this patch my address was there without gpg fingerprint. It means
>> > that I could be contacted directly via un-encrypted email.
>>
>> Yes. However, I believe there are usually different levels of trust
>> associated with plaintext and encrypted email.
>>
>> > The key I used in this patch was already used for SELinux userspace
>> > release ...
>>
>> I think the understanding was that release signing would be done by
>> individuals with a GPG key signed by others in the SELinux community
>> to help establish trust. However, as you pointed out I don't think we
>> documented that requirement or enforced it properly, we should do so
>> in the future.
>>
>> > ... public key is available at 2 different locations connected to
>> > me - github (I'm part of SELinux organization) and
>> > plautrba.fedorapeople.org (I'm a packager for 15+ years) and it's also
>> > used in Fedora [1] and RHEL [2] - only Red Hat employees can push there and it
>> > was me who pushed [3]. That being said I expected that the key is
>> > already trusted due to all the records.
>>
>> While that demonstrates some level of trust between that user/key and
>> those organizations (GH, Fedora, IBM/RH), it doesn't establish a level
>> of trust between that user/key and the SELinux community.
>
> ... and I should say that I have no reason to believe you are not the
> Good Petr who is a valued member of the SELinux community, but there
> are rumors of an Evil Petr and I just want to make sure we do the
> right thing from a community perspective ;)
>
> Apologies for what may seem like excessive pedantry on this.
>
You should probably consider removing the bachradsusi account from the GitHub
SELinuxProject org and removing their commit rights. They provided
https://github.com/bachradsusi.gpg with public keys, and they can't confirm
that the private keys are really in the hands of Petr:
E853C1848B0185CF42864DF363A8AD4B982C4373 - uses SHA1 and the private keys
are lost - according to me, so it would be better to contact Petr with an
encrypted message and ask him to sign a response. But it could take some
time to get a response from him.
68D21823342A13683AEB3E4EFB4C685B5DC1C13E - not signed by any SELinux
team member.
There's a risk that they'll change released files and file signatures.
Petr