• d-bugmail puremagic.com (24/24) Jan 07 https://issues.dlang.org/show_bug.cgi?id=24322

d-bugmail puremagic.com writes:

https://issues.dlang.org/show_bug.cgi?id=24322

          Issue ID: 24322
           Summary: The keys actually used to sign the downloads are
                    missing from gpg_keys.html
           Product: D
           Version: D2
          Hardware: x86
                OS: Windows
            Status: NEW
          Severity: normal
          Priority: P1
         Component: dlang.org
          Assignee: nobody puremagic.com
          Reporter: forestix nom.one

https://dlang.org/gpg_keys.html lists a bunch of gpg key fingerprints, but none
of them match the signatures offered on download.html.

Closer inspection reveals that the signatures were made by subkeys, and since
gpg_keys.html omits the subkey fingerprints, it cannot be used to check that
the signatures are good. In other words, gpg_keys.html is currently useless,
and can even lead someone to think the downloads might have been tampered with.

Suggestion:

Regenerate gpg_keys.html using the output of gpg --list-keys
--with-subkey-fingerprint

--