January 07, 2024
https://issues.dlang.org/show_bug.cgi?id=24322

          Issue ID: 24322
           Summary: The keys actually used to sign the downloads are
                    missing from gpg_keys.html
           Product: D
           Version: D2
          Hardware: x86
                OS: Windows
            Status: NEW
          Severity: normal
          Priority: P1
         Component: dlang.org
          Assignee: nobody@puremagic.com
          Reporter: forestix@nom.one

https://dlang.org/gpg_keys.html lists a bunch of gpg key fingerprints, but none of them match the signatures offered on download.html.

Closer inspection reveals that the signatures were made by subkeys, and since gpg_keys.html omits the subkey fingerprints, it cannot be used to check that the signatures are good. In other words, gpg_keys.html is currently useless, and can even lead someone to think the downloads might have been tampered with.

Suggestion:

Regenerate gpg_keys.html using the output of gpg --list-keys --with-subkey-fingerprint

--
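The mismatch the report describes, as an added example that is not part of the original report or of dlang.org's tooling: a signature made by a signing subkey fails a direct comparison against a list of primary-key fingerprints, but resolves once the subkey is mapped back to its primary key. All fingerprints and the sample `gpg` output are constructed placeholders; the function names are hypothetical.

```python
# Added example. All fingerprints are constructed placeholders, not dlang.org keys.
PRIMARY_FPR = "A1" * 20   # what a fingerprint page listing only primary keys shows
SUBKEY_FPR = "B2" * 20    # what actually made the signature
OTHER_FPR = "C3" * 20

# Constructed sample in the shape of
# `gpg --list-keys --with-colons --with-subkey-fingerprint`.
LISTING = f"""\
pub:-:4096:1:{PRIMARY_FPR[-16:]}:1500000000:::-:::scESC:
fpr:::::::::{PRIMARY_FPR}:
uid:-::::1500000000::::Constructed Release Key <release@example.invalid>:
sub:-:4096:1:{SUBKEY_FPR[-16:]}:1500000000::::::s:
fpr:::::::::{SUBKEY_FPR}:
"""

# Constructed sample of the VALIDSIG line from `gpg --status-fd 1 --verify`.
STATUS = (f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2024-01-07 1704585600 "
          f"0 4 0 1 10 00 {PRIMARY_FPR}")

def owner_map(listing):
    """Map each key fingerprint (primary or subkey) to its primary fingerprint."""
    owner, primary, pending = {}, None, None
    for line in listing.splitlines():
        rec = line.split(":")
        if rec[0] in ("pub", "sub"):
            pending = rec[0]              # the next fpr record belongs to this key
        elif rec[0] == "fpr" and pending and len(rec) > 9:
            if pending == "pub":
                primary = rec[9]
            owner[rec[9]] = primary
            pending = None
    return owner

def parse_validsig(status):
    """Return (signing_fpr, primary_fpr_or_None) from gpg status output."""
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            return parts[2], parts[11] if len(parts) > 11 else None
    return None, None

def classify(published, listing, status):
    """Compare a verified signature against a set of published fingerprints."""
    signer, claimed = parse_validsig(status)
    if signer is None:
        return "no-valid-signature"
    if signer in published:
        return "listed"
    primary = owner_map(listing).get(signer)
    if primary in published and claimed in (None, primary):
        return "subkey-of-listed"
    return "unknown"
```

A result of `subkey-of-listed` is the case from the report: the signature is good, but only someone who resolves the subkey to its primary key can tell that from a page listing primary fingerprints alone.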