[Privoxy-devel] GPG signatures

Roland Rosenfeld roland at spinnaker.de
Tue Jun 16 17:55:11 CEST 2026


Hi Lee!

On Tue, 16 Jun 2026, Lee via Privoxy-devel wrote:

> > I have been diligently uploading .asc GPG signatures with each Mac
> > release, signing the uploaded installer binary. The thing is though, how do
> > end users know which GPG key they should expect our releases to be signed
> > by? How does anyone know that Ian Silvester is formally the macOS packager
> > for Privoxy? My point being, if somebody really wanted to corrupt our
> > binaries, they could simply replace the installer and also the .asc file
> > with their own, and nobody would be any the wiser, no? Shouldn't we have a
> > location at privoxy.org that states the correct public keys against which
> > each release should be compared?
> >
> > What do you think?

Sounds like a good idea to me.

> How often would you check that the info on privoxy.org is correct?
> I might the first time it's published but not again until I changed my
> signing key.  ... if then.

Usually I check this on the first download (having privoxy.org
independent from sf.net or whatever mirror I download privoxy from is
better than nothing) and store the pubkey in my keyring.
On the next download I check that the same key was used.

In Debian we have a mechanism for source packages, where the source
Debian package can contain debian/upstream/signing-key.asc.
On updating the Debian source package, the update mechanism
automatically checks the key and verifies that the new source package
is signed by the same key.
This works at least for Debian source packages while checking
the upstream source.

Okay, I forgot to gpg-refresh the key; the current one expired on
2026-02-05 (and the update mechanism doesn't seem to check for expired
keys...).

Greetings
Roland
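The trust-on-first-use workflow described above (store the signer's key on the first download, then require that later downloads are signed by the same key) and the remark that key expiry goes unchecked can be scripted around GnuPG's machine-readable status output. The following POSIX shell is an added example, not code from this thread, from Privoxy or from Debian's uscan. It parses the `--status-fd` keywords GnuPG documents (VALIDSIG, EXPKEYSIG, REVKEYSIG, BADSIG); the pin-file location, the file names in `verify_release` and all fingerprints used in comments are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example: trust-on-first-use pinning of a release signing key,
# driven by "gpg --status-fd" output. The fingerprint of the signer is
# recorded on the first verified download and must match afterwards.
# A key that GnuPG reports as expired or revoked is rejected even when
# the fingerprint matches, which a plain "is there a VALIDSIG" check
# would miss (VALIDSIG is also emitted alongside EXPKEYSIG/REVKEYSIG).

# Print the signer's primary-key fingerprint from the VALIDSIG line.
# $1: file holding gpg status-fd output.
# Field layout: [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <res>
#               <pk-algo> <hash> <class> <primary-fpr>
# Fall back to the signing-key fingerprint when the primary one is absent.
signer_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print ($12 != "" ? $12 : $3); exit
         }' "$1"
}

# Return 0 only for a cryptographically valid signature made with a key
# that is neither expired nor revoked; 1 otherwise.
signature_is_clean() {
    if grep -q '^\[GNUPG:\] VALIDSIG ' "$1" \
       && ! grep -Eq '^\[GNUPG:\] (BADSIG|EXPKEYSIG|EXPSIG|REVKEYSIG|ERRSIG) ' "$1"
    then
        return 0
    fi
    return 1
}

# TOFU check. $1: status file, $2: pin file holding the expected fingerprint.
# First run records the fingerprint (to be compared by hand against the
# project's published key list); later runs require an exact match.
check_pinned_signer() {
    status="$1"; pin="$2"
    signature_is_clean "$status" || {
        echo "signature not clean (bad, expired or revoked key)" >&2
        return 1
    }
    fpr=$(signer_fingerprint "$status")
    [ -n "$fpr" ] || { echo "no VALIDSIG in status output" >&2; return 1; }
    if [ ! -s "$pin" ]; then
        echo "$fpr" > "$pin"
        echo "pinned signing key $fpr; compare it with the project's published key" >&2
        return 0
    fi
    expected=$(cat "$pin")
    if [ "$fpr" != "$expected" ]; then
        echo "signing key changed: expected $expected, got $fpr" >&2
        return 1
    fi
    return 0
}

# Wrapper for real use: $1 release file, $2 detached .asc, $3 pin file
# (assumed path, e.g. ~/.config/privoxy-release.fpr). Requires gpg.
verify_release() {
    status=$(mktemp)
    gpg --batch --status-fd 1 --verify "$2" "$1" > "$status" 2>/dev/null
    if check_pinned_signer "$status" "$3"; then rc=0; else rc=1; fi
    rm -f "$status"
    return $rc
}
```

Run `verify_release privoxy-installer.pkg privoxy-installer.pkg.asc ~/.config/privoxy-release.fpr` once per download; the first call only pins, so the printed fingerprint still has to be compared with the key the project publishes out of band, which is exactly the gap the thread is about.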