Project

General

Profile

Feature #1935

Document and/or decide on the Replicant project signing and encryption key usage and policies

Added by Denis 'GNUtoo' Carikli 2 months ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Website and wiki content
Target version:
Start date:
05/13/2019
Due date:
% Done:

0%

Resolution:
Device:

History

#1 Updated by Denis 'GNUtoo' Carikli 2 months ago

  • Subject changed from Document and/or decide on the Replicant project gpg key usage and policies to Document and/or decide on the Replicant project signing and encryption key usage and policies

Replicant mainly uses gpg for signing the releases.

The gpg key is also setup for the contact address, but it's use is highly discouraged as not everyone has access to that key.

Some people already used that gpg (public) key to send encrypted logs with potentially privacy sensitive information in bugreports, but as not everyone has access to that key currently only developers not participating anymore in Replicant can read such logs.

See the following for some examples of gpg usage:
https://tails.boum.org/doc/about/openpgp_keys/index.en.html

Building Replicant also generates some TLS signing keys to sign the images:
  • Keys are used by the recovery to verify the installation zip.
  • Keys are also used to sign apk within the Replicant image.
  • Keys might also be used for generating OTA upgrades, but that is currently unused by Replicant.

#2 Updated by Denis 'GNUtoo' Carikli about 2 months ago

  • Category set to Website and wiki content

Also available in: Atom PDF