Old 01-08-2018, 07:00 AM   #33
eschwartz
So, finally got around to dealing with this new Sigil version, as I am now the official (co-)maintainer of the Arch Linux package.

And I see it has PGP signatures for the source code tarballs, as you promised when I requested it.

Quick question though, DiapDealer -- do you publish your key anywhere other than in that signature file? It would be nice if, for example, you could cross-post the fingerprint to the official Sigil blog, and to your release announcement here (making three independently operated sites that would have to be hacked in order to pull off a forgery). An integral part of having the signature so that it can be verified tamper-free is being able to check that any hypothetical attacker did not just upload their own faked key at the same time as the source code itself.
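The cross-check requested in the post above, sketched as an added example (not part of the original post, and not Sigil's or Arch Linux's own tooling): take the primary fingerprint of the key that came with the download and accept it only if every independently published copy is a full fingerprint that matches. The key listing, the fingerprints and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Key listing and fingerprints below are constructed and abridged.
# Real input would come from: gpg --show-keys --with-colons downloaded-key.asc
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Example Maintainer <maintainer@example.invalid>:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print the primary key fingerprint from a --with-colons listing on stdin.
# The "fpr" record right after "pub" is the primary key; the one after "sub"
# is a subkey and is not what a maintainer publishes.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); exit }'
}

# Canonical form: no whitespace, no leading 0x, upper-case hex.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# cross_check KEY_FPR COPY1 COPY2 [...]
# 0 = every independently published copy matches the key actually downloaded
# 1 = mismatch, 2 = fewer than two copies, 3 = a copy is not a full fingerprint
cross_check() {
    [ "$#" -ge 3 ] || return 2
    cc_key=$(normalise_fpr "$1"); shift
    for cc_copy in "$@"; do
        cc_copy=$(normalise_fpr "$cc_copy")
        # Short key IDs are cheap to collide; insist on all 40 hex digits.
        [ "${#cc_copy}" -eq 40 ] || return 3
        case $cc_copy in *[!0-9A-F]*) return 3 ;; esac
        [ "$cc_copy" = "$cc_key" ] || return 1
    done
    return 0
}

# Demo: fingerprint as it might appear on a blog (spaced) and a forum post (0x, lower-case).
demo_fpr=$(printf '%s\n' "$SAMPLE_COLONS" | primary_fpr)
if cross_check "$demo_fpr" \
    "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567" \
    "0x0123456789abcdef0123456789abcdef01234567"; then
    echo "fingerprint $demo_fpr confirmed by both copies"
fi
```

Only after `cross_check` succeeds would a packager pin the fingerprint (for an Arch package, in the PKGBUILD's `validpgpkeys` array) and verify the tarball signature against it.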