[Privoxy-devel] GPG signatures

Fabian Keil fk at fabiankeil.de
Thu Jun 18 09:11:51 CEST 2026


Roland Rosenfeld via Privoxy-devel <privoxy-devel at lists.privoxy.org> wrote on 2026-06-16 at 17:55:11:

> On Tue, 16 Jun 2026, Lee via Privoxy-devel wrote:
> 
> > > I have been diligently uploading .asc GPG signatures with each Mac
> > > release, signing the uploaded installer binary. The thing is though, how do
> > > end users know which GPG key they should expect our releases to be signed
> > > by? How does anyone know that Ian Silvester is formally the macOS packager
> > > for Privoxy? My point being, if somebody really wanted to corrupt our
> > > binaries, they could simply replace the installer and also the .asc file
> > > with their own, and nobody would be any the wiser, no? Shouldn't we have a
> > > location at privoxy.org that states the correct public keys against which
> > > each release should be compared?
> > >
> > > What do you think?
> 
> Sounds like a good idea to me.

While I suspect that most users don't check the OpenPGP signatures
at all, I agree that documenting the keys somewhere on privoxy.org
would be an improvement.

Fabian
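
The concern raised in this thread, sketched as an added example (not part of the original messages and not Privoxy project code): a check that accepts a download only when gpg reports a good signature whose primary key fingerprint equals a pinned value. The fingerprint, names and status lines are constructed placeholders; `status_matches_pin` and `verify_release` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pin the packager's key instead of trusting any "good" signature.
# PINNED_FPR is a constructed placeholder, not a real Privoxy key; the real value
# must come from a channel the attacker does not control.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read gpg --status-fd lines on stdin. Succeed only if the signature is good,
# the primary key fingerprint (tenth VALIDSIG argument) equals the pin, and gpg
# did not flag the signature or key as bad, expired or revoked.
status_matches_pin() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && $12 == pin { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (good && pinned && !bad) exit 0; exit 1 }
    '
}

# Verify a downloaded file ($1) against its detached .asc signature ($2).
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_matches_pin "$PINNED_FPR"
}

# Constructed status output: a signature made by the pinned key ...
STATUS_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2026-06-18 1781766711 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# ... and a cryptographically valid signature by some other key, which is what
# a replaced installer plus a replaced .asc file would produce.
STATUS_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <someone@example.net>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2026-06-18 1781766711 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

for s in "$STATUS_PINNED" "$STATUS_OTHER"; do
    if printf '%s\n' "$s" | status_matches_pin "$PINNED_FPR"; then
        echo "accept"
    else
        echo "reject: no valid signature from the pinned key"
    fi
done
```

Both sample inputs carry a GOODSIG line; only the fingerprint comparison separates them, which is why the expected fingerprint has to be published somewhere the download mirror cannot alter.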