Gentoo Archives: gentoo-commits

From: "Robin H. Johnson (robbat2)" <robbat2@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/releng: index.xml
Date: Tue, 01 Sep 2009 22:26:43
robbat2     09/09/02 03:35:26

  Modified:             index.xml
  Document releng usage of PGP keys.

Revision  Changes    Path
1.118                xml/htdocs/proj/en/releng/index.xml

file :
diff :

Index: index.xml
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/releng/index.xml,v
retrieving revision 1.117
retrieving revision 1.118
diff -p -w -b -B -u -u -r1.117 -r1.118
--- index.xml	24 Sep 2008 17:47:21 -0000	1.117
+++ index.xml	2 Sep 2009 03:35:25 -0000	1.118
@@ -68,6 +68,83 @@ machines page</uri>.
+<title>Release security &amp; signing</title>
+All release media will have its DIGESTS file signed by one of the <c>Gentoo Linux
+Release	Engineering (releng@g.o)</c> PGP keys listed on this page.
+The keys are available through the <c></c> keyserver. They can
+be used to verify that the media is, in fact, the media shipped by Release
+Engineering and not from a potential attacker. You will find more detailed
+verification instructions in the handbooks for each release.
+New keys and changes to existing keys will be announced to the following
+Gentoo mailing lists: gentoo-dev-announce, gentoo-announce, gentoo-core.
+Releases up to and including 2007.0 had PGP signatures directly on top of the
+files. This required large quantities of disk IO for generation on the servers,
+and validation on the client side. As such, as of the 2008.0 release, the
+DIGESTS file is now signed instead, making verification a two-step process, but
+overall much quicker.
+<pre caption="Obtaining the public key">
+$ <i>gpg --keyserver --recv-keys &lt;key id&gt;</i>
+<pre caption="Verify the cryptographic signature">
+$ <i>gpg --verify &lt;foo.DIGESTS.asc&gt; &lt;foo.DIGESTS&gt;</i>
+<pre caption="Verify the checksum">
+$ <i>sha1sum -c &lt;foo.DIGESTS&gt;</i>
+<th>Key ID</th>
+<th>Key Type</th>
+<th>Key Fingerprint</th>
+<th>Key Description</th>
+<ti>1024-bit DSA</ti>
+<ti>AE54 54F9 67B5 6AB0 9AE1  6064 0838 C26E 239C 75C4</ti>
+<ti>Gentoo Portage Snapshot Signing Key (Automated Signing Key)</ti>
+<ti>Used for daily Portage snapshots.</ti>
+<ti>1024-bit DSA</ti>
+<ti>D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058</ti>
+<ti>Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key)</ti>
+<ti>Used for releases 2004.2-2008.0</ti>
+<ti>4096-bit RSA</ti>
+<ti>13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910</ti>
+<ti>Gentoo Linux Release Engineering (Automated Weekly Release Key)</ti>
+<ti>Used for automated weekly releases.</ti>
 <title>Latest release</title>