Hacker News

Just a general question: why offer a GPG key for download on the same site as the file to be verified? (If you expect users to download the key once and then verify multiple releases with it, why rotate the key every year?)



If I did it right, the code signing GPG key is signed by my personal GPG key, which is signed by the FreeBSD Security Officer GPG key, which is signed by lots and lots of people. So there's a chain of trust.
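The chain described in the reply above, sketched as an added example that is not part of the thread or of any project's code: a key fetched from the download site is accepted only if a path of certifications leads to it from a key the verifier already trusts. All key names are constructed placeholders, and the model is simplified in that every certifier on the path is assumed to be a trusted introducer.

```python
from collections import deque

# Constructed certification data: signer -> keys it has certified.
# Names are placeholders, not real key IDs or fingerprints.
CERTIFICATIONS = {
    "community-key-A": ["freebsd-security-officer"],
    "community-key-B": ["freebsd-security-officer"],
    "freebsd-security-officer": ["author-personal"],
    # A yearly rotated signing key is re-certified by the same long-lived key.
    "author-personal": ["code-signing-2024", "code-signing-2025"],
}


def trust_path(anchors, target, certs, max_depth=5):
    """Return the shortest certification chain from any anchor to target.

    anchors: keys the verifier already trusts (obtained out of band).
    max_depth: maximum number of certifications allowed in the chain.
    Returns a list of key names, or None if no chain exists.
    """
    queue = deque([a] for a in anchors)
    seen = set(anchors)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # chain already as long as allowed, do not extend
        for certified in certs.get(path[-1], []):
            if certified not in seen:
                seen.add(certified)
                queue.append(path + [certified])
    return None


if __name__ == "__main__":
    mine = ["community-key-A"]
    # Current and rotated signing keys are both reachable from the anchor.
    print(trust_path(mine, "code-signing-2025", CERTIFICATIONS))
    print(trust_path(mine, "code-signing-2024", CERTIFICATIONS))
    # A substituted key served from the same site has no chain: rejected.
    print(trust_path(mine, "lookalike-key", CERTIFICATIONS))
    # With no trust anchor at all, the chain gives the verifier nothing.
    print(trust_path([], "code-signing-2025", CERTIFICATIONS))
```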



