Document and/or decide on the Replicant project signing and encryption key usage and policies
Updated by Denis 'GNUtoo' Carikli 11 months ago
- Subject changed from Document and/or decide on the Replicant project gpg key usage and policies to Document and/or decide on the Replicant project signing and encryption key usage and policies
Replicant mainly uses gpg for signing the releases.
The gpg key is also setup for the contact address, but it's use is highly discouraged as not everyone has access to that key.
Some people already used that gpg (public) key to send encrypted logs with potentially privacy sensitive information in bugreports, but as not everyone has access to that key currently only developers not participating anymore in Replicant can read such logs.
See the following for some examples of gpg usage:
- Keys are used by the recovery to verify the installation zip.
- Keys are also used to sign apk within the Replicant image.
- Keys might also be used for generating OTA upgrades, but that is currently unused by Replicant.
Updated by Denis 'GNUtoo' Carikli 4 months ago
- Status changed from New to Resolved
- Resolution set to fixed
Updated by Kurtis Hanna 4 months ago
- % Done changed from 0 to 100
We should create a new issue, if it isn't created already, related to using a keyring with the public key of several Replicant developers, like it is done in Parabola with the parabola-keyring package, as is discussed at the link GNUtoo provided above.