GPG Key

Various files have Gnu PG ASCII armoured signatures from me as end-to-end verifications. My current 4096R key is F8D0B4E7 D2D21191

Previous 1024D key 2C530221 5F6ADD3A was key.gpg (binary), key.gpg.asc (ASCII), and the same at GNU savannah or keyserver like at pgp.mit.edu. The new is signed by the old, so trust should go transitively.

All .asc signatures are from the new key (its subkey). The Perl dists containing SIGNATURE files are either old or new, according to when released. Is it worth new dist releases for new key? cpansign defaults to SHA-1 so maybe bigger key doesn't gain much unless directed to SHA256 and in which case users verifying would need Digest::SHA256 installed.

Of course there's limited point giving key finding instructions here. Unless you get it or verify by an independent channel then it's not much better than a checksum.

All of tuxfamily can be reached by either http or https. Links here to the download area are mostly https in the interests of maintaining privacy and security, especially when getting software. The HTTPS SSL certificate is from tuxfamily.


This page Copyright 2014, 2015, 2016, 2017 Kevin Ryde.