Title: questions about PGP keys used to sign openssl tar balls

Looks like openssl tar balls are signed with a different PGP key for
each source tar ball.
For example, openssl-0.9.7b.tar.gz was signed using a key with key id
E06D2CB1 and openssl-0.9.7c.tar.gz was signed with key id 49A563D9.

My question is why not sign the released tar ball using the shared
OpenSSL Team Security Key instead of a developer's key? Or should the
user import all developers' PGP keys to make the integrity check work?

I use openssl in my daily job and really love its power. However, if
all the newly released tar balls can be signed with the same shared team
PGP key, it will be easier for the user to do the integrity check.

Thanks,


Jin
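The practical problem behind the question is telling, before any key is imported, which key a tarball's signature was made with, and whether that key is on the list of developer keys you have chosen to trust. The following is an added example, not part of the original post or of the OpenSSL project: a minimal parser for the OpenPGP signature packet format (RFC 4880, v3 and v4 signatures) that pulls out the issuer key ID from a `.asc` or binary `.sig` file and checks its short form against an allowlist. The two short key IDs in the allowlist are the ones quoted in the post; the sample signature packets and their long key IDs are constructed for the example. Extracting the key ID tells you which key to fetch and verify; it does not verify the signature (the issuer subpacket may sit in the unhashed area and is not itself integrity-protected), so `gpg --verify` against a key you have independently fingerprint-checked is still the actual check.

```python
"""Identify which OpenPGP key signed a tarball (RFC 4880 signature packets).

Added example; constructed sample data, not real OpenSSL release signatures.
"""
import base64
import struct

# Short key IDs mentioned in the post. Extend with the keys you have verified.
TRUSTED_KEY_IDS = {"E06D2CB1", "49A563D9"}


def dearmor(text):
    """Strip ASCII armor (-----BEGIN PGP SIGNATURE-----) and return raw bytes."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNATURE-----") + 1
    end = lines.index("-----END PGP SIGNATURE-----")
    body = lines[start:end]
    if "" in body:                       # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    body = [l for l in body if not l.startswith("=")]  # drop the CRC24 line
    return base64.b64decode("".join(body))


def _read_packet(data):
    """Parse one packet header; return (tag, body) for old- or new-format headers."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                     # new-format header
        tag, l = first & 0x3F, data[1]
        if l < 192:
            length, pos = l, 2
        elif l < 224:
            length, pos = ((l - 192) << 8) + data[2] + 192, 3
        elif l == 255:
            length, pos = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 0:
            length, pos = data[1], 2
        elif ltype == 1:
            length, pos = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, pos = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    return tag, data[pos:pos + length]


def _iter_subpackets(buf):
    """Yield (type, data) for each v4 signature subpacket in buf."""
    pos = 0
    while pos < len(buf):
        l = buf[pos]
        if l < 192:
            length, pos = l, pos + 1
        elif l < 255:
            length, pos = ((l - 192) << 8) + buf[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
        yield buf[pos] & 0x7F, buf[pos + 1:pos + length]   # high bit = "critical" flag
        pos += length


def issuer_key_id(sig_bytes):
    """Return the 16-hex-digit issuer key ID of a binary signature packet."""
    tag, body = _read_packet(sig_bytes)
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    version = body[0]
    if version == 3:                     # v3: fixed layout, key ID at offset 7
        if body[1] != 5:
            raise ValueError("bad v3 hashed-material length")
        return body[7:15].hex().upper()
    if version == 4:                     # v4: key ID lives in an Issuer (type 16) subpacket
        hashed_len = struct.unpack(">H", body[4:6])[0]
        hashed = body[6:6 + hashed_len]
        pos = 6 + hashed_len
        unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
        unhashed = body[pos + 2:pos + 2 + unhashed_len]
        for sub_type, data in list(_iter_subpackets(hashed)) + list(_iter_subpackets(unhashed)):
            if sub_type == 16:
                return data.hex().upper()
        raise ValueError("no issuer subpacket in v4 signature")
    raise ValueError(f"unsupported signature version {version}")


def is_trusted(sig_bytes, trusted=TRUSTED_KEY_IDS):
    """True if the signature's short (last 8 hex digits) key ID is in the allowlist."""
    return issuer_key_id(sig_bytes)[-8:] in trusted


# Constructed v4 signature: old-format header, RSA/SHA-256, creation-time subpacket
# in the hashed area, issuer DEADBEEF49A563D9 in the unhashed area, dummy MPI.
SAMPLE_V4_SIG = bytes([
    0x88, 0x1D, 0x04, 0x00, 0x01, 0x08, 0x00, 0x06, 0x05, 0x02, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x0A, 0x09, 0x10, 0xDE, 0xAD, 0xBE, 0xEF, 0x49, 0xA5, 0x63, 0xD9,
    0xAB, 0xCD, 0x00, 0x01, 0x01,
])
# Constructed v3 signature with issuer 00000000E06D2CB1.
SAMPLE_V3_SIG = bytes([
    0x88, 0x16, 0x03, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xE0, 0x6D, 0x2C, 0xB1, 0x01, 0x02, 0xAB, 0xCD, 0x00, 0x01, 0x01,
])
SAMPLE_V4_ARMORED = ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
                     + base64.b64encode(SAMPLE_V4_SIG).decode() + "\n=AAAA\n"
                     "-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    print("v4 issuer:", issuer_key_id(SAMPLE_V4_SIG), "trusted:", is_trusted(SAMPLE_V4_SIG))
    print("v3 issuer:", issuer_key_id(SAMPLE_V3_SIG), "trusted:", is_trusted(SAMPLE_V3_SIG))
```

On a real download you would read `openssl-0.9.7c.tar.gz.asc`, pass it through `dearmor`, and use `issuer_key_id` to see which developer key to fetch and fingerprint-check before running `gpg --verify`; the allowlist makes a signature from an unexpected key stand out even when that key happens to be in your keyring.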
