That's a wrap! installer version 3.3.14 out today.

Out of curiosity, I checked the GPG signature of this release. It's ok -- I post a sha256 and the signing key with every release, so that people can verify. And then I checked the previous release and 3.3.12 and... turns out I had posted the wrong signing key as part of the release announcement.

So those releases *are* signed, and they're good, but the release announcement mentions a different key.

Using only the first four digits of the key fingerprint (because I don't rotate signing keys **that** often):
- 3.3.9 says 4947 on the release page, is signed by 4947
- 3.3.10 says 4947, it is actually 6D98
- 3.3.11 says 4947, is signed by 4947
- 3.3.12 says 4947, it is actually 6D98
- 3.3.13 says 4947, it is actually 6D98
- 3.3.14 says 6D98, is signed by 6D98

Again, there is nothing wrong except the release announcement says a different signing key than actually used.

[ade]

There are two things we can learn from this:
- I need to be more careful when writing release announcements
- Nobody actually checks GPG signatures of source-code tarballs

And I'll repeat for a third time: each release was signed by a (at the time) valid key of mine. The releases are all ok. Only the posted release announcements sometimes mention the wrong signing key (but still a signing key used by me).
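The check described in this thread, automated. This is an added example, not the installer project's own release tooling: it verifies the detached signature through gpg's machine-readable status channel and then compares the fingerprint of the key that actually signed with the key the release announcement named, which is the step that would have caught the 4947/6D98 mismatch above. The fingerprints, key ID, user ID and status lines in the sample data are constructed for illustration; the `[GNUPG:] VALIDSIG` / `GOODSIG` / `BADSIG` status format itself is what gpg emits with `--status-fd`.

```python
"""Verify a release tarball's detached GPG signature and confirm that the key
which made it is the key the release announcement named.

Added example; not the installer project's own tooling. Every fingerprint,
key ID and status line below is constructed for illustration.
"""
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class SigCheck:
    valid: bool = False          # gpg reported VALIDSIG and no BADSIG/ERRSIG
    fingerprint: str = ""        # fingerprint of the (sub)key that made the signature
    primary: str = ""            # fingerprint of its primary key, when gpg reports it
    warnings: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def normalize_fpr(text: str) -> str:
    """Accept '6D98', '0x6d98abcd', or a space-grouped fingerprint."""
    t = text.strip().replace(" ", "").upper()
    return t[2:] if t.startswith("0X") else t


def parse_status(status_text: str) -> SigCheck:
    """Parse `gpg --status-fd` output. Use this channel, never the human-readable
    stderr text, whose wording changes between gpg versions and locales."""
    result = SigCheck()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hashalgo> <class> [<primary-fpr>]
            result.valid = True
            result.fingerprint = fields[2].upper()
            result.primary = fields[11].upper() if len(fields) > 11 else result.fingerprint
        elif keyword in ("BADSIG", "ERRSIG"):
            result.errors.append(" ".join(fields[1:]))
        elif keyword == "NO_PUBKEY":
            result.errors.append(f"NO_PUBKEY {fields[2]} (import the key before judging the signature)")
        elif keyword in ("EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            # The signature itself checks out, but the key has since expired or been revoked.
            result.warnings.append(" ".join(fields[1:]))
    if result.errors:
        result.valid = False
    return result


def key_matches(check: SigCheck, announced: str) -> bool:
    """True when the announced key identifies either the signing subkey or its
    primary key. The announcement may give a fingerprint prefix or a key ID
    (a key ID is a suffix of the fingerprint); announcements commonly name the
    primary key while the signature is made by a signing subkey."""
    a = normalize_fpr(announced)
    if len(a) < 4:
        return False
    return any(
        fpr.startswith(a) or fpr.endswith(a)
        for fpr in (check.fingerprint, check.primary) if fpr
    )


def assess(status_text: str, announced: str) -> tuple:
    """Combine both checks into one verdict: (ok, message)."""
    check = parse_status(status_text)
    if not check.valid:
        return False, "signature invalid or unverifiable: " + "; ".join(check.errors or ["no VALIDSIG"])
    if not key_matches(check, announced):
        return False, (f"signature is good but made by {check.fingerprint}, "
                       f"announcement says {normalize_fpr(announced)}")
    msg = f"good signature by announced key {check.fingerprint}"
    if check.warnings:
        msg += " (" + "; ".join(check.warnings) + ")"
    return True, msg


def verify_release(tarball: str, signature: str, announced: str) -> tuple:
    """Run gpg and assess the result. gpg exits non-zero on a bad signature,
    so the status channel is read regardless of the exit code."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True,
    )
    return assess(proc.stdout, announced)


# Constructed status output of the kind gpg emits for a good signature. The
# fingerprint is made up and shares only the "6D98" prefix with the post.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 6D98ABCDEF0123456789ABCDEF0123456789ABCD 0
[GNUPG:] SIG_ID 8oVrcl6cq9Ikl5LOmn3QNCHdsxk 2024-11-20 1732100000
[GNUPG:] GOODSIG EF0123456789ABCD Example Maintainer <maintainer@example.invalid>
[GNUPG:] VALIDSIG 6D98ABCDEF0123456789ABCDEF0123456789ABCD 2024-11-20 1732100000 0 4 0 22 10 00 6D98ABCDEF0123456789ABCDEF0123456789ABCD
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG EF0123456789ABCD Example Maintainer <maintainer@example.invalid>
"""

if __name__ == "__main__":
    if len(sys.argv) == 4:
        ok, msg = verify_release(*sys.argv[1:])   # tarball signature announced-key
    else:
        # Offline demo of the post's situation: announcement says 4947, signature says 6D98.
        ok, msg = assess(SAMPLE_GOOD, "4947")
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

Usage against a real download is `python3 verify_release.py calamares-3.3.14.tar.gz calamares-3.3.14.tar.gz.asc 6D98` (the file names and key prefix here are placeholders). A plain `gpg --verify` only answers "is this a valid signature by some key in my keyring"; the second half of the check, comparing the signer against what the announcement claims, is what turns a good signature into evidence that the right person signed.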