Quote:
Originally Posted by eschwartz
Quick question though, DiapDealer -- do you publish your key anywhere other than in that signature file? It would be nice if, for example, you could cross-post the fingerprint to the official Sigil blog, and to your release announcement here (making three independently operated sites that would have to be hacked in order to pull off a forgery). An integral part of having the signature so that it can be verified tamper-free, is being able to check that any hypothetical attacker did not just upload their own faked key at the same time as the source code itself.
|
My key should be available from any of the main public key-servers. The ID for my key is provided as part of the "Verified" tag on Github (clicking the Verified link will show the ID). I can post it in an additional place if you like. But three places seems like overkill to me.