[Privoxy-devel] GPG signatures

Ian Silvester iansilvester at fastmail.fm
Sat Jun 20 21:27:19 CEST 2026



On Thu, 18 Jun 2026, at 03:11, Fabian Keil via Privoxy-devel wrote:
> Roland Rosenfeld via Privoxy-devel <privoxy-devel at lists.privoxy.org> 
> wrote on 2026-06-16 at 17:55:11:
>
>> On Tue, 16 Jun 2026, Lee via Privoxy-devel wrote:
>> 
>> > > I have been diligently uploading .asc GPG signatures with each Mac
>> > > release, signing the uploaded installer binary. The thing is though, how do
>> > > end users know which GPG key they should expect our releases to be signed
>> > > by? How does anyone know that Ian Silvester is formally the macOS packager
>> > > for Privoxy? My point being, if somebody really wanted to corrupt our
>> > > binaries, they could simply replace the installer and also the .asc file
>> > > with their own, and nobody would be any the wiser, no? Shouldn't we have a
>> > > location at privoxy.org that states the correct public keys against which
>> > > each release should be compared?
>> > >
>> > > What do you think?
>> 
>> Sounds like a good idea to me.
>
> While I suspect that most users don't check the OpenPGP signatures
> at all I agree that documenting the keys somewhere on privoxy.org
> would be an improvement.

Another option that strikes me is to update PACKAGERS to be current, and include the public keys in there?

Ian

>
> Fabian
>
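The concern raised in this thread, as an added example (not part of the original messages and not Privoxy project code): a signature that merely verifies says nothing if both the installer and the .asc were replaced, so the check has to compare the signing key's fingerprint against one pinned from a separate trusted source. The fingerprints and status lines are constructed placeholders and the function names are hypothetical; the line layout follows GnuPG's `--status-fd` output.

```shell
#!/bin/sh
# Added example. Fingerprints below are constructed placeholders,
# not real Privoxy keys.
SAMPLE_SUBKEY="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_PRIMARY="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

# Constructed sample of the status lines printed by
#   gpg --status-fd 1 --verify installer.asc installer
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Constructed Packager <packager@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY 2026-06-20 1781983639 0 4 0 1 10 00 $SAMPLE_PRIMARY
EOF
}

# normalize_fpr FPR: drop spaces and uppercase hex digits, so a fingerprint
# copied as "abcd 1234 ..." compares equal to gpg's compact form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# pinned_signer_ok FPR: reads gpg status output on stdin. Returns 0 only if
# a VALIDSIG line names FPR as the primary key fingerprint (its last field).
# A good signature from any other key, or no VALIDSIG at all, returns 1.
pinned_signer_ok() {
    want=$(normalize_fpr "$1")
    ok=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                primary=${line##* }
                if [ "$(normalize_fpr "$primary")" = "$want" ]; then
                    ok=0
                fi
                ;;
        esac
    done
    return $ok
}

# Real use (file names are placeholders):
#   gpg --status-fd 1 --verify installer.asc installer 2>/dev/null \
#       | pinned_signer_ok "$PINNED_FPR" || echo "unexpected signer" >&2
if sample_status | pinned_signer_ok "$SAMPLE_PRIMARY"; then
    echo "signer matches pinned key"
fi
```

The comparison is against the primary key fingerprint, so a packager who signs with a subkey still matches the one fingerprint that gets published.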