Gentoo Archives: gentoo-dev-announce

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev-announce <gentoo-dev-announce@l.g.o>
Cc: gentoo-dev <gentoo-dev@l.g.o>
Subject: [gentoo-dev-announce] Gentoo sync mirror commits are now OpenPGP-signed
Date: Sat, 27 Jan 2018 18:55:23
Hi, everyone.

Just a quick announcement: I have enabled experimental signatures
on gentoo-mirror commits for gentoo.git. The server now verifies
developer signatures from gentoo.git (using fingerprints from LDAP)
and if everything looks fine pushes a signed mirror commit.

$ git log --show-signature -1 | cat
commit ec25012d1f9e8c795d8822810970127b13adf2c1
gpg: Signature made Sat Jan 27 14:48:54 2018 CET
gpg:                using RSA key F265B6A01DEF32748C6184C79FA394EB86CB7342
gpg: Good signature from "Repository Mirror & CI project (automated signing key) <repo-qa-checks@g.o>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C5DF ACC4 F05D 47E4 383C  E4C2 403B C085 18DA F97B
     Subkey fingerprint: F265 B6A0 1DEF 3274 8C61  84C7 9FA3 94EB 86CB 7342
Author: Repository QA checks <repo-qa-checks@g.o>
Date:   Sat Jan 27 14:48:54 2018

    2018-01-27 13:48:53 UTC

The appropriate public key has been pushed to SKS keyservers.
The current fingerprints can be found on the project page [1]. I will
work on Portage integration later on.


Best regards,
Michał Górny