I understand the request.  The new key is signed with the old key already.

> On Apr 14, 2021, at 9:42 AM, Andrew C Aitchison <cla...@aitchison.me.uk> 
> wrote:
> 
> 
> Joel,
> 
> You can add a direct link to the PGP key now as this is completely independent
> of the released packages.
> 
> Better yet would be to
> 1) Sign the new key with the old one (which doesn't actually expire until 
> Monday)
> 2) Get other (public domain) software people to sign your key.
> This assumes that you can get the key to them and the signature back
> in a way that satisfies both of you that they really came from the person
> they claim to be ...
> 
> 3) Put the key (presumably with the signatures above)
> on some of the public keyservers, eg
>  https://pgp.mit.edu/
>  https://keyserver.ubuntu.com/
> 
> If a software package is signed with an unsigned key and the key and
> the package are put on the same webserver there is no advantage to users
> over just giving an MD5 or SHA checksum - we have no way of measuring
> the trust in the key.
> By getting other known parties (including the old key's owner)
> to sign the new key, we have some idea that the new key can be trusted
> and was not put up by a malicious webmaster - possibly of a spoof website.
> 
> Thanks,
> 
> On Wed, 7 Apr 2021, Joel Esler (jesler) via clamav-users wrote:
> 
>> We’ll look into that for a future update.
>> 
>> Sent from my iPhone
>> 
>>> On Apr 7, 2021, at 16:58, Arjen de Korte via clamav-users 
>>> <clamav-users@lists.clamav.net> wrote:
>>> 
>>> Quoting "Joel Esler (jesler) via clamav-users" 
>>> <clamav-users@lists.clamav.net>:
>>> 
>>>> It’s available on the webpage.
>>> 
>>> I already wrote that I know it is available from the website. I need to 
>>> update the stored keyring in openSUSE Factory, which needs a backlink to 
>>> the origin. Rather than downloading https://www.clamav.net/downloads and 
>>> trimming the HTML code, a straight download link for the keyfile would make 
>>> it easier to verify it.
>>> 
>>>>>> On Apr 7, 2021, at 4:29 PM, Arjen de Korte via clamav-users 
>>>>>> <clamav-users@lists.clamav.net> wrote:
>>>>> 
>>>>> Quoting "Joel Esler (jesler) via clamav-users" 
>>>>> <clamav-users@lists.clamav.net>:
>>>>> 
>>>>> It seems the package is now signed with a different PGP key. Is there a 
>>>>> location from where I can directly download the public key, rather than 
>>>>> copying it from the webpage?
>>>>> 
>>>>> Best regards, Arjen
> 
> -- 
> Andrew C. Aitchison                                   Kendal, UK
>                       and...@aitchison.me.uk
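
A downstream check for the key transition discussed in this thread, added here as an example (it is not from any poster and is not ClamAV tooling): confirm that the new key carries a certification gpg verified as issued by the old key before replacing a stored keyring. The fingerprints, user IDs and the colon listing are constructed placeholders; `certified_by` and `sample_listing` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed placeholder fingerprints. Real ones come from a trusted copy of
# the old key (for example a keyring you already ship) and from the new key.
NEW_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
OLD_FPR=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
THIRD_FPR=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

# certified_by NEW OLD: reads `gpg --with-colons --check-sigs NEW` on stdin.
# Succeeds only if a user ID of key NEW carries a certification (class 10-13)
# that gpg verified ("!") and whose issuer fingerprint (field 13) is OLD.
# gpg can only report "!" when the public key of OLD is in the keyring;
# listings without field 13 (older gpg) are treated as not certified.
certified_by() {
    awk -F: -v new="$1" -v old="$2" '
        $1 == "pub" { want_fpr = 1; in_new = 0; in_uid = 0; next }
        $1 == "sub" { want_fpr = 0; in_uid = 0; next }   # skip subkey binding sigs
        $1 == "fpr" && want_fpr { in_new = (toupper($10) == toupper(new)); want_fpr = 0; next }
        $1 == "uid" { in_uid = in_new; next }
        !in_uid || $2 != "!" || toupper($13) != toupper(old) { next }
        $1 == "sig" && $11 ~ /^1[0-3]/ { found = 1 }
        $1 == "rev" { revoked = 1 }                      # certification was withdrawn
        END { exit ((found && !revoked) ? 0 : 1) }
    '
}

# Constructed listing in gpg colon format: a self-signature, a verified
# certification by the old key, and one by a key that is not in the keyring.
sample_listing() {
    cat <<EOF
pub:-:4096:1:AAAAAAAAAAAAAAAA:1617753600:::-:::scESC:
fpr:::::::::$NEW_FPR:
uid:-::::1617753600::::Constructed New Release Key <new@example.invalid>:
sig:!::1:AAAAAAAAAAAAAAAA:1617753600::::Constructed New Release Key <new@example.invalid>:13x::$NEW_FPR:
sig:!::1:BBBBBBBBBBBBBBBB:1618358400::::Constructed Old Release Key <old@example.invalid>:10x::$OLD_FPR:
sig:?::1:CCCCCCCCCCCCCCCC:1618358400::::[User ID not found]:10x::$THIRD_FPR:
sub:-:4096:1:DDDDDDDDDDDDDDDD:1617753600::::::e:
sig:!::1:AAAAAAAAAAAAAAAA:1617753600::::Constructed New Release Key <new@example.invalid>:18x::$NEW_FPR:
EOF
}

if sample_listing | certified_by "$NEW_FPR" "$OLD_FPR"; then
    echo "new key carries a verified certification from the old key"
else
    echo "no verified certification from the old key; do not update the keyring"
fi
```

Against a real keyring, replace `sample_listing` with `gpg --with-colons --check-sigs "$NEW_FPR"` after importing both keys.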


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
