Bug 172465 - sign the automated portage snapshot signing key
Summary: sign the automated portage snapshot signing key
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Release Team
URL: http://gentoo.osuosl.org/snapshots/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-03-27 20:42 UTC by Tavis Ormandy (RETIRED)
Modified: 2009-09-02 07:36 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Description Tavis Ormandy (RETIRED) gentoo-dev 2007-03-27 20:42:40 UTC
The key used to sign portage snapshots, 0x7DDAD20D, has not been signed by the release engineering team, so it's not possible for users to determine if this key belongs to Gentoo or not.

If the releng team signs this key with the release key, then users can apply the same amount of trust to this key.

$ gpg --list-sigs 0x7DDAD20D
pub   1024D/0x7DDAD20D 2005-11-23 [expires: 2007-11-23]
uid                    Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sig 3        0x7DDAD20D 2005-11-23  Gentoo Portage Snapshot Signing Key (Automated Signing Key)
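
Added example (not part of the bug report or of Gentoo's tooling): a small checker that reads `gpg --list-sigs` text in the 0x-prefixed key ID format shown above and flags keys whose only certification is their own self-signature. The second key block, the key IDs 0xAAAAAAAA and 0xBBBBBBBB, and the function names are constructed for illustration.

```python
import re

# Constructed sample. The first block is the listing quoted in the report;
# the second block and the 0xAAAAAAAA / 0xBBBBBBBB key IDs are made up.
SAMPLE = """\
pub   1024D/0x7DDAD20D 2005-11-23 [expires: 2007-11-23]
uid                    Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sig 3        0x7DDAD20D 2005-11-23  Gentoo Portage Snapshot Signing Key (Automated Signing Key)

pub   1024D/0xAAAAAAAA 2005-01-01
uid                    Example Release Key (constructed)
sig 3        0xAAAAAAAA 2005-01-01  Example Release Key (constructed)
sig          0xBBBBBBBB 2005-02-01  Example Release Engineer (constructed)
"""

PUB_RE = re.compile(r"^pub\s+\S+/(0x[0-9A-Fa-f]+)\s")
SIG_RE = re.compile(r"^sig\b.*?(0x[0-9A-Fa-f]+)\s")

def norm(key_id):
    """Drop an optional 0x prefix and upper-case the hex digits."""
    return (key_id[2:] if key_id.lower().startswith("0x") else key_id).upper()

def parse_list_sigs(text):
    """Map each pub key ID to the key IDs that appear on its sig lines."""
    keys, current = {}, None
    for line in text.splitlines():
        pub, sig = PUB_RE.match(line), SIG_RE.match(line)
        if pub:
            current = norm(pub.group(1))
            keys[current] = []
        elif sig and current is not None:
            keys[current].append(norm(sig.group(1)))
    return keys

def classify(keys, trusted_signers=()):
    """Label each key by who certified it. --list-sigs only lists signatures;
    they are verified cryptographically by gpg --check-sigs, not here."""
    trusted = {norm(t) for t in trusted_signers}
    report = {}
    for key_id, signers in keys.items():
        others = {s for s in signers if s != key_id}
        if not others:
            report[key_id] = "self-signed only"
        elif trusted and not (others & trusted):
            report[key_id] = "no trusted certifier"
        else:
            report[key_id] = "certified"
    return report

if __name__ == "__main__":
    for key_id, status in classify(parse_list_sigs(SAMPLE), ["0xBBBBBBBB"]).items():
        print(key_id, status)
```
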
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-09-02 07:36:06 UTC
The keys are now explicitly documented here:
http://www.gentoo.org/proj/en/releng/