Bug 212027

Summary: [WPE][GTK] Use project-wide GPG key to sign releases, and upload it in binary format on webkitgtk.org/wpewebkit.org
Product: WebKit    Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTK    Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal    CC: bugs-noreply, mcatanzaro
Priority: P2
Version: WebKit Nightly Build
Hardware: PC
OS: Linux

Description Michael Catanzaro 2020-05-18 08:18:21 PDT
Currently releases are signed with Carlos's (or Adrian's) personal GPG key. Carlos's key also uses weak signing algorithms, which isn't great. Ideally we would refresh this with a WebKitGTK project key (and WPE WebKit project key, which might be the same).

Fedora packaging guidelines https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification require that the GPG key is uploaded in binary format (not PEM) to some website, so I've been using people.gnome.org to host Carlos's key. Ideally, the project key would be hosted on webkitgtk.org/wpewebkit.org. This is what I have currently in our RPM spec:

# Created from http://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xF3D322D0EC4582C3
Source2:        https://people.gnome.org/~mcatanzaro/gpg-key-D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3.gpg
Comment 1 Michael Catanzaro 2020-05-18 08:21:46 PDT
(In reply to Michael Catanzaro from comment #0)
> Fedora packaging guidelines
> https://docs.fedoraproject.org/en-US/packaging-guidelines/
> #_source_file_verification require that the GPG key is uploaded in binary
> format (not PEM) to some website

Well, it's actually not just a key, it's a GPG keyring containing a single key. I guess a project keyring containing multiple individual keys would work as well.
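The check a packager would want for the keyring described in comment #0 and comment #1, as an added example that is not from the bug report or the WebKit project: a small Python parser that confirms a downloaded file is binary OpenPGP packets (not an ASCII-armored block) and lists the v4 fingerprints of the primary keys it holds, so they can be compared against the expected key before a spec's Source2 points at it. The sample keyring at the bottom is constructed for this example and is not a real WebKitGTK key; the parser assumes RFC 4880 framing and v4 keys only.

```python
import hashlib
import struct
def _read_packet(buf, pos):
    # One OpenPGP packet header (RFC 4880 sect. 4.2): returns (tag, body_start, body_end).
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("0x%02x is not a packet tag: armored/PEM input?" % ctb)
    if ctb & 0x40:  # new-format header: tag in the low six bits
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length not supported")
        hdr = 1 + (1 << ltype)
        length = int.from_bytes(buf[pos + 1:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + length
def v4_fingerprint(body):
    # RFC 4880 sect. 12.2: SHA-1 over 0x99, a two-octet length, and the public key body.
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
def keyring_fingerprints(data):
    # Fingerprints of every primary public key (tag 6) in a binary keyring, in order.
    fps, pos = [], 0
    while pos < len(data):
        tag, start, end = _read_packet(data, pos)
        if tag == 6:
            if data[start] != 4:
                raise ValueError("only v4 keys are supported")
            fps.append(v4_fingerprint(data[start:end]))
        pos = end
    return fps
def has_key(data, expected_fp):
    # True only if data is binary OpenPGP packets carrying the expected fingerprint.
    try:
        return expected_fp.upper().replace(" ", "") in keyring_fingerprints(data)
    except (ValueError, IndexError):
        return False
# Constructed sample (not a real key): tiny v4 RSA key packet + user ID packet, old-format headers as gpg --export writes them.
SAMPLE_KEY_BODY = b"\x04\x5e\xc2\x7f\x00\x01" + b"\x00\x04\x0b" + b"\x00\x11\x01\x00\x01"
SAMPLE_UID = b"Constructed Test Key <test@example.org>"
SAMPLE_KEYRING = (b"\x99" + struct.pack(">H", len(SAMPLE_KEY_BODY)) + SAMPLE_KEY_BODY
                  + b"\xb4" + bytes([len(SAMPLE_UID)]) + SAMPLE_UID)
```

Run `has_key(open("key.gpg", "rb").read(), "<expected fingerprint>")` on the downloaded file; an armored key block makes it return False instead of passing silently.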