From 40167b055c6f7c2168941524ca6af08674dfbbb7 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Wed, 3 Oct 2012 22:00:13 -0400 Subject: [PATCH] Releases signed by Phil's key, not Nigel's. State a more general policy of PGP signing, mention trust paths, cite the main public keyserver pool, provide a link to a trustpath display between Nigel's key and Phil's. Provide Phil's current PGP keyid (noting will change in 2013). Bounce via a redirector, on Phil's security site, because: (1) xfpt barfs on &url(..) where the URL contains an ampersand (2) No ampersands means less debugging across various platforms (3) The redirector is https: with a public cert, where www.exim.org does not have a cert (with that name, at this time). All keys cited in 0xLong form (16 hex characters). Nits: (1) URL is given with https:// on one line, the rest on the next (2) using alt text does not give the URL in the .txt format, despite the docs, because we build .txt from w3m -dump, so the HTML form is used. (3) Ideally, we'll get around to having https://www.exim.org/ exist and be usable for this redirect. Side-effects: (1) My name is in The Spec for the first time. :) --- doc/doc-docbook/spec.xfpt | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index cd39b9206..d35c305c8 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -533,10 +533,23 @@ The &_.bz2_& file is usually a lot smaller than the &_.gz_& file. .cindex "distribution" "signing details" .cindex "distribution" "public key" .cindex "public key for signed distribution" -The distributions are currently signed with Nigel Metheringham's GPG key. The -corresponding public key is available from a number of keyservers, and there is -also a copy in the file &_nigel-pubkey.asc_&. The signatures for the tar bundles are -in: +.new +The distributions will be PGP signed by an individual key of the Release +Coordinator. This key will have a uid containing an email address in the +&'exim.org'& domain and will have signatures from other people, including +other Exim maintainers. We expect that the key will be in the "strong set" of +PGP keys. There should be a trust path to that key from Nigel Metheringham's +PGP key, a version of which can be found in the release directory in the file +&_nigel-pubkey.asc_&. All keys used will be available in public keyserver pools, +such as &'pool.sks-keyservers.net'&. + +At time of last update, releases were being made by Phil Pennock and signed with +key &'0x403043153903637F'&, although that key is expected to be replaced in 2013. +A trust path from Nigel's key to Phil's can be observed at +&url(https://www.security.spodhuis.org/exim-trustpath). +.wen + +The signatures for the tar bundles are in: .display &_exim-n.nn.tar.gz.asc_& &_exim-n.nn.tar.bz2.asc_& -- 2.30.2