[lsb-discuss] Signing packages

Wichmann, Mats D mats.d.wichmann at intel.com
Tue Jun 30 12:06:45 PDT 2009


Till Kamppeter wrote:
> Is this also the way how our LSB packages get signed? How do they
> exactly get signed? Which key do we need to give to the distros then?
> 
>     Till

LSB packages for release get signed using a key that only exists
in a closed environment, that's a process that was hashed out
at some length a year or so ago.  At the moment signing is only done
by Jeff acting in a release manager capacity; there's copy of 
the key secured in some manner as an escrow that I forget the details
of in case Jeff were to all off the face of the earth. The key will
also only be used for a limited period, after which a new one will
be generated. I don't think this key will be shared with anyone...
(snapshot packages, due to their very different nature, follow
an entirely different process, they're signed as part of the
build process and those keys aren't considered particularly secure).

But signing of printer driver packages is an interesting topic
that ought to get some thought - Ted? Jeff? Russ?




More information about the lsb-discuss mailing list