[Privoxy-devel] GPG signatures
Lee
ler762 at gmail.com
Tue Jun 16 16:15:05 CEST 2026
On Mon, Jun 15, 2026 at 2:45 PM Ian Silvester via Privoxy-devel <
privoxy-devel at lists.privoxy.org> wrote:
> Hi,
>
> I have been diligently uploading .asc GPG signatures with each Mac
> release, signing the uploaded installer binary. The thing is though, how do
> end users know which GPG key they should expect our releases to be signed
> by? How does anyone know that Ian Silvester is formally the macOS packager
> for Privoxy? My point being, if somebody really wanted to corrupt our
> binaries, they could simply replace the installer and also the .asc file
> with their own, and nobody would be any the wiser, no? Shouldn't we have a
> location at privoxy.org that states the correct public keys against which
> each release should be compared?
>
> What do you think?
>
How often would you check that the info on privoxy.org is correct?
I might the first time it's published but not again until I changed my
signing key. ... if then.

It would be nice if you included your public key in the announcement
message of the privoxy macOS release. That seems the easiest way of
letting users know which signing key to expect _and_ you're much more likely
to notice someone claiming to be you announcing a new binary release &
signing key.

Fabian gpg signs his emails - I forget if that is enough to verify his
signing key or not :(

I was sending a message to the developers list whenever I extended or made
a new signing key - e.g.

Dec 30, 2018
[Privoxy-devel] Privoxy 3.0.28 has been tagged
The windows version is up on sourceforge
My old gpg key expired; the new one is
Key fingerprint = A64E FD41 6B94 82FD 3734 7AC9 F143 81F4 A112 856D

Lee
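
The check this thread is about, as an added example (not part of either message and not Privoxy project code): a "good" signature only helps if the signing key's fingerprint matches one the user obtained out of band, for example from a release announcement. The fingerprints and gpg status lines below are constructed samples, and `normalize_fpr`, `check_status` and `verify_release` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: compare the key gpg reports against a pinned fingerprint
# instead of trusting whichever key happened to produce the .asc file.

# Turn a fingerprint as printed in an announcement ("0123 4567 ...") into
# the form gpg uses in its status output: upper case, no whitespace.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# check_status PINNED_FPR   (reads `gpg --status-fd 1 --verify` output on stdin)
# Succeeds only if gpg reported a good signature AND every VALIDSIG line
# names the pinned primary key (field 12). Fails closed on anything else.
check_status() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { if ($12 == want) pinned_ok = 1; else other = 1 }
        END { exit !(good && pinned_ok && !bad && !other) }
    '
}

# verify_release PINNED_FPR SIGNATURE.asc INSTALLER  (needs gpg and the key imported)
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed sample data: the fingerprint a user copied from an announcement...
PINNED='0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
# ...gpg status output for a release signed by that key...
SAMPLE_GOOD='[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2026-06-15 1781500000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
# ...and for a replaced installer + .asc: the signature is "good", but it
# was made by a different key that the user also has in their keyring.
SAMPLE_SWAPPED='[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA98765432100123456789ABCDEF 2026-06-15 1781500000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA98765432100123456789ABCDEF'

printf '%s\n' "$SAMPLE_GOOD"    | check_status "$PINNED" && echo "pinned key: accept"
printf '%s\n' "$SAMPLE_SWAPPED" | check_status "$PINNED" || echo "unexpected key: reject"
```

Without the pinned comparison, both samples would look identical to a user who only reads "Good signature" in gpg's output.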