digitalmars.D.bugs - [Issue 24322] New: The keys actually used to sign the downloads are
- d-bugmail puremagic.com (24/24) Jan 07 https://issues.dlang.org/show_bug.cgi?id=24322
https://issues.dlang.org/show_bug.cgi?id=24322

  Issue ID: 24322
  Summary: The keys actually used to sign the downloads are missing from gpg_keys.html
  Product: D
  Version: D2
  Hardware: x86
  OS: Windows
  Status: NEW
  Severity: normal
  Priority: P1
  Component: dlang.org
  Assignee: nobody puremagic.com
  Reporter: forestix nom.one

https://dlang.org/gpg_keys.html lists a bunch of gpg key fingerprints, but none of them match the signatures offered on download.html.

Closer inspection reveals that the signatures were made by subkeys, and since gpg_keys.html omits the subkey fingerprints, it cannot be used to check that the signatures are good.

In other words, gpg_keys.html is currently useless, and can even lead someone to think the downloads might have been tampered with.

Suggestion: Regenerate gpg_keys.html using the output of

  gpg --list-keys --with-subkey-fingerprint
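The mismatch the report describes can be resolved by mapping a signing subkey back to its primary key. The following is an added example, not part of the bug report or dlang.org's own tooling: it parses a constructed listing in GnuPG's colon format and checks whether the key that made a signature belongs to a published primary fingerprint. All fingerprints, the user ID and the function names `parse_keys` and `published_owner` are assumptions made for illustration.

```python
# Added example: constructed data, not taken from dlang.org or the bug report.
PRIMARY = "A1" * 20    # constructed 40-hex-digit fingerprints
SIGN_SUB = "B2" * 20
ENC_SUB = "C3" * 20

# Constructed listing in the colon format printed by
#   gpg --list-keys --with-colons --with-subkey-fingerprint
SAMPLE_LISTING = f"""\
pub:-:4096:1:{PRIMARY[-16:]}:1500000000:::-:::scESC:
fpr:::::::::{PRIMARY}:
uid:-::::1500000000::::Example Release Key <release@example.invalid>:
sub:-:4096:1:{SIGN_SUB[-16:]}:1500000000::::::s:
fpr:::::::::{SIGN_SUB}:
sub:-:4096:1:{ENC_SUB[-16:]}:1500000000::::::e:
fpr:::::::::{ENC_SUB}:
"""


def parse_keys(listing):
    """Map every key fingerprint to (primary fingerprint, capabilities)."""
    keys = {}
    primary = None
    pending = None  # record type and capabilities awaiting their fpr line
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            # Field 12 of a pub/sub record holds the key capabilities.
            pending = (f[0], f[11] if len(f) > 11 else "")
        elif f[0] == "fpr" and pending and len(f) > 9:
            kind, caps = pending
            if kind == "pub":
                primary = f[9]  # field 10 of an fpr record is the fingerprint
            keys[f[9]] = (primary, caps)
            pending = None
    return keys


def published_owner(listing, published, signer_fpr):
    """Return the published primary fingerprint that owns signer_fpr, or None."""
    wanted = {p.replace(" ", "").upper() for p in published}
    entry = parse_keys(listing).get(signer_fpr.replace(" ", "").upper())
    if entry is None:
        return None
    primary, caps = entry
    if "s" not in caps:  # this key is not flagged for signing
        return None
    return primary if primary in wanted else None
```

A result of `None` means the signer cannot be tied to any published fingerprint, which is the outcome a reader gets when only primary fingerprints are listed and no keyring listing is consulted.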