web/html/About/security index.php,1.1,1.2

Karsten Wade (kwade) fedora-websites-list at redhat.com
Thu Jan 4 23:39:48 UTC 2007


Author: kwade

Update of /cvs/fedora/web/html/About/security
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5687

Modified Files:
	index.php 
Log Message:
updating at mark cox's request to match the current redhat.com/security page


Index: index.php
===================================================================
RCS file: /cvs/fedora/web/html/About/security/index.php,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- index.php	29 Nov 2005 17:32:24 -0000	1.1
+++ index.php	4 Jan 2007 23:39:46 -0000	1.2
@@ -7,91 +7,52 @@
 
 ?>
 
-<h1>GPG Keys</h1>
+<h1>RPM Package Signing</h1>
 
-<p>Fedora uses a number of GNU Privacy Guard (GPG)
-keys to communicate securely. This document is designed to tell you
-which keys we use for which purposes and how to verify those keys.</p>
+<p>Fedora uses a number of GNU Privacy Guard (GPG) keys to sign our software
+packages.  The necessary public keys are included in relevant products and are
+used automatically to verify software updates.  You can also check the packages
+manually using the keys on this page.</p>
 
-<p>It is a good security practice to validate public keys that you receive and
-to only trust validated keys. Therefore before trusting Red Hat public keys
-you should attempt to validate the fingerprints from a number of sources,
-and not rely solely on this page as being authentic.</p>
-
-<p>Public key validation, verification, and trust models are complicated
-subjects. For further details consult the GPG documentation.</p>
-
-<p>To verify an RPM package, run the command:</p>
+<p>To verify a RPM package for a Fedora product, run the command</p>
 
 <code class="screen">
 rpm --checksig -v <filename>.rpm
 </code>
 
-<p>The output of this command will show you if the package is signed
-and who signed it.</p>
+<p>The output of this command shows if the package is signed
+and which key was used to sign it.</p>
 
-<h2>Package Signing</h2>
+<p>Please do not send messages encrypted with these public 
+keys.</p>
 
-<p>Software packages distributed as part of the <? print $THE_PROJECT_NAME; ?> 
-are signed with the fedora at redhat.com public key.</p>
+<h2>Release Package Signing</h2>
 
-<p><? print $THE_PROJECT_NAME; ?> fedora at redhat.com public key is available
-from a number of places:</p>
-
-<ul>
-  <li>From <A HREF="4F2A6FD2.txt">our website</A></li>
-  <li>In a <? print $RELEASE_NAME; ?> distribution, in the file <code class="filename">/usr/share/rhn/RPM-GPG-KEY-fedora</code>
-  <li>On a public keyserver, such as
-    <A HREF="http://pgp.mit.edu:11371/pks/lookup?search=0x4f2a6fd2&op=index">pgp.mit.edu</A></li>
-</ul>
-
-<p>The fingerprint of the fedora at redhat.com key is:</p>
-<pre>
-CAB4 4B99 6F27 744E 8612  7CDF B442 69D0 4F2A 6FD2
-</pre>
-
-<h2>Test Package Signing</h2>
-
-<p>From time to time, <? print $THE_PROJECT_NAME; ?> makes test software
-available. This software may be signed using the <? print $PROJECT_NAME; ?> 
-test software key, id 0x30C9ECF8.</p>
-
-<p><? print $THE_PROJECT_NAME; ?> test software public key is available
-from the following locations:</p>
-
-<ul>
-  <li>From <A HREF="30C9ECF8.txt">our website</A></li>
-  <li>In a <? print $RELEASE_NAME; ?> distribution, in the file <code class="filename">/usr/share/rhn/RPM-GPG-KEY-fedora-test</code>
-  <li>On a public keyserver, such as
-    <A HREF="http://pgp.mit.edu:11371/pks/lookup?search=0x30c9ecf8&op=index">pgp.mit.edu</A></li>
-</ul>
-
-<p>The fingerprint of the <? print $PROJECT_NAME; ?> test software key is:</p>
-<pre>
-3166 C14A AE72 30D9 3B7A  B2F6 DA84 CBD4 30C9 ECF8
-</pre>
-
-<h2>Automated Package Signing</h2>
-
-<p>From time to time, <? print $THE_PROJECT_NAME; ?> makes development software
-available. This software may be signed by an automated build signing key.
-Because this key is used automatically, we expect to change the key we sign
-with from time to time.</p>
-
-<p>The current <? print $PROJECT_NAME; ?> automated build signing public
-key, has key id 0x1CDDBCA9 and is available from a number of places:</p>
-
-<ul>
-  <li>From <A HREF="1CDDBCA9.txt">our website</A></li>
-  <li>On a public keyserver, such as
-    <A HREF="http://pgp.mit.edu:11371/pks/lookup?search=0x1cddbca9&op=index">pgp.mit.edu</A></li>
-</ul>
-
-<p>The fingerprint of the <? print $PROJECT_NAME; ?> automated
-build signing key is:</p>
-<pre>
-2312 6DEE 2014 B8A7 6CD6  D32C E138 5D4E 1CDD BCA9
-</pre>
+<h3>4F2A6FD2: Fedora Project <fedora at redhat.com></h3>
+<br />
+<p>
+This key is used for signing all Fedora Core releases and updates.
+</p>
+<p>
+<strong>Location:</strong> /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora<br />
+<strong>Download:</strong> <a href="4F2A6FD2.txt">Our website</a><br />
+<strong>Download:</strong> <a
+href="http://pgp.mit.edu:11371/pks/lookup?search=0x4F2A6FD2&op=index">pgp.mit.edu</a><br/>
+<strong>Fingerprint:</strong> CAB4 4B99 6F27 744E 8612 7CDF B442 69D0 4F2A 6FD2
+</p>
+
+<h3>Test Package Signing</h3>
+
+<h2>30C9ECF8: Fedora Project (Test Software) <rawhide at redhat.com></h2>
+<br />
+This key is used for signing Fedora test software such as beta releases.
+<p>
+<strong>Location:</strong> /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-test<br />
+<strong>Download:</strong> <a href="30C9ECF8.txt">Red Hat</a><br />
+<strong>Download:</strong> <a
+href="http://pgp.mit.edu:11371/pks/lookup?search=0x30C9ECF8&op=index">pgp.mit.edu</a><br/>
+<strong>Fingerprint:</strong> 3166 C14A AE72 30D9 3B7A B2F6 DA84 CBD4 30C9 ECF8
+</p>
 
 <?
 
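Review bot: The rewritten introduction (the added paragraph ending "manually using the keys on this page") drops the removed advice to validate the fingerprints from a number of sources and not rely solely on this page, yet the page still publishes fingerprints and invites manual checks; keep a one-sentence version of that caveat next to the rpm --checksig instructions. In the test section the heading levels are inverted relative to the release section: "Test Package Signing" is an h3 while the key heading under it ("30C9ECF8: Fedora Project (Test Software) ...") is an h2; swap them so the section is h2 and the key is h3. Both key headings carry the address in raw angle brackets, which a browser will parse as an unknown tag and not display; escape them as &lt; and &gt;. The sentence "This key is used for signing Fedora test software such as beta releases." sits outside any <p>, unlike its counterpart in the release section. The automated build signing key section (key id 0x1CDDBCA9) is removed with no replacement; confirm that is intended and say so in the log message, since readers holding packages signed with that key lose the reference.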



