On Wed, 18 Feb 2015 11:52, js-gnupg-us...@webkeks.org said:

> I do verify the fingerprint, and they are quite easy to find actually:
>
> https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/
>
> First Google match for "GitHub SSH fingerprint".

Using a search engine to find important information is not very user
friendly.  The host keys should be linked from the root page.  But in
this regard this is not different than any root CA - most make it really
hard to find the fingerprint and the support lines sometimes don't even
know why one wants to check this.

> Makefile / PKGBUILD / however it is called that is then verified. So I
> guess you can't easily map that to "Only x% of users check the
> downloaded tarball". I guess it's a lot more, it's just not all check
> it using the .sig.

Sure I can.  If there are 1000 downloads of the tarball and only 100 of
the corresponding sig it should be pretty clear that 90% of those who
download do not even pretend to check the signature.

> git commit -S <keyID>
>
> You can just create an alias for that, I for example use git ci.

I know that but I would like to have a different key for tag and commit.
Requiring an option is just too cumbersome.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
