[gnutls-devel] GnuTLS | Discussion: tarball signing practice (#1407)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Sep 28 22:51:46 CEST 2022

Adam Sampson commented:

One downside of multiple signatures with the 3.7.8 release: one of the signatures on the tarball is from Alexander Sosedkin, whose key isn't in the [release keyring](https://www.gnutls.org/gnutls-release-keyring.gpg) linked from the download page (and isn't listed on the [maintainers page](https://www.gnutls.org/contrib.html)). So, as a packager, when I import the keyring with GnuPG and then try to verify the tarball's signature, it fails because one of the signatures can't be verified even though the other two are OK. It'd be good to check that the keyring is up to date as part of the release process.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1407#note_1118249186
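
The failure mode described in the comment above (GnuPG reports failure when any one of several signatures comes from a key missing from the keyring), shown as an added example that is not part of the original message or of GnuTLS's release tooling. It reads GnuPG's machine-readable `--status-fd` lines so that a packager can tell an out-of-date keyring apart from a signature that actually failed. The function names, the `homedir` argument and the sample status lines are assumptions constructed for illustration.

```python
import subprocess

# Constructed, abridged `gpg --status-fd 1 --verify` output: three signatures,
# the third made by a key that is not in the keyring. All key IDs are made up.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAA1 Signer One (constructed)
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBB2 Signer Two (constructed)
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG CCCCCCCCCCCCCCC3 1 10 00 1664236800 9 -
[GNUPG:] NO_PUBKEY CCCCCCCCCCCCCCC3
"""

REJECT = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(text):
    """Bucket every signature gpg reported by outcome, keyed by key ID."""
    report = {"good": [], "rejected": [], "missing_key": []}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword == "GOODSIG":
            report["good"].append(args[0])
        elif keyword in REJECT:
            report["rejected"].append(args[0])
        elif keyword == "ERRSIG":
            # Sixth argument is the reason code; 9 means the public key is missing.
            missing = len(args) > 5 and args[5] == "9"
            report["missing_key" if missing else "rejected"].append(args[0])
    return report

def verdict(report):
    """Separate a stale keyring from a signature that actually failed."""
    if report["rejected"]:
        return "bad-signature"
    if report["missing_key"]:
        return "keyring-incomplete"
    return "verified" if report["good"] else "no-signature"

def gpg_status(homedir, sig, tarball):
    """Run gpg in a GNUPGHOME (hypothetical path) holding the imported keyring."""
    cmd = ["gpg", "--batch", "--homedir", homedir, "--status-fd", "1",
           "--verify", sig, tarball]
    return subprocess.run(cmd, capture_output=True, text=True).stdout
```

For the sample, `verdict(parse_status(SAMPLE_STATUS))` gives `keyring-incomplete`, and the `missing_key` list names the key ID to raise with the maintainers.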