Login

Recent searches

No recent searches

Search options

Only available when logged in.
fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Fosstodon is an invite only Mastodon instance that is open to those who are interested in technology; particularly free & open source software. If you wish to join, contact us for an invite.

Administered by:

Server stats:

10K
active users

fosstodon.org: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

Public
[ade]

That's a wrap! installer version 3.3.14 out today.

Public
[ade]

Out of curiosity, I checked the GPG signature of this release. It's ok -- I post a sha256 and the signing-key with every release, so that people can verify. And then I checked the previous release and 3.3.12 and .. turns out I had posted the wrong signing key as part of the release announcement.

So those releases *are* signed, and they're good, but the release announcement mentions a different key.

Public
[ade]

Using only the first four digits of the key fingerprint (because I don't rotate signing keys **that** often):
- 3.3.9 says 4947 on the release page, is signed by 4947
- 3.3.10 says 4947, it is actually 6D98
- 3.3.11 says 4947, is signed by 4947
- 3.3.12 says 4947, it is actually 6D98
- 3.3.13 says 4947, it is actually 6D98
- 3.3.14 says 6D98, is signed by 6D98

Again, there is nothing wrong except the release announcement says a different signing key than actually used.

[ade]

There are two things we can learn from this:
- I need to be more careful when writing release announcements
- Nobody actually checks GPG signatures of source-code tarballs

And I'll repeat for a third time: each release was signed by a (at the time) valid key of mine. The releases are all ok. Only the posted release announcements sometimes mention the wrong signing key (but still a signing key used by me).

Feb 20, 2025, 08:41 PM·Public·Tokodon
0boosts·0favorites
ExploreLive feeds
About