We used to have public keys listed on the SecurityProcess page back when it was still part of the wiki, but they are no longer available there and some users have asked where to obtain them so they can verify the tarball signatures.
That was probably not a great place for them anyway, so address this by adding the public signing key directly to the download page. Since a compromised tarball has a high likelihood of coinciding with a compromised host (in general at least), also include some information so they can verify the correct signing key via stable tree git tags if desired. Reported-by: Stefan Hajnoczi <stefa...@redhat.com> Signed-off-by: Michael Roth <michael.r...@amd.com> --- _download/source.html | 1 + 1 file changed, 1 insertion(+) diff --git a/_download/source.html b/_download/source.html index 8671f4e..c0a55ac 100644 --- a/_download/source.html +++ b/_download/source.html @@ -23,6 +23,7 @@ make </pre> {% endfor %} + <p>Source tarballs on this site are generated and signed by the package maintainer using the public key <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/CEACC9E15534EBABB82D3FA03353C9CEF108B584">F108B584</a>. This key is also used to tag the QEMU stable releases in the official QEMU gitlab mirror, and so can be verified through git as well if there are concerns about the authenticity of this information.</p> <p>To download and build QEMU from git:</p> <pre>git clone https://gitlab.com/qemu-project/qemu.git cd qemu -- 2.25.1
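Review bot: the visible link text in the added `<p>` is only the 32-bit short ID `F108B584`, while the href already carries the full fingerprint; short key IDs are cheap to collide, so the page should display the full fingerprint `CEACC9E15534EBABB82D3FA03353C9CEF108B584` in the text itself so a reader can compare it against `gpg --fingerprint` output after importing the key, rather than trusting whatever the keyserver link resolves to. The same paragraph says the key "can be verified through git as well" but the hunk adds no command for doing so; since the stated motivation is a possibly compromised host, a one-line example after the `git clone` block, e.g. `git tag -v <release-tag>` (tag name to be filled in by the author), would make that independent check actionable instead of leaving readers to guess how the git tags relate to the key.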