From bb5c9cbad00974058a1d3660c5c96d40a0b68bdc Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Mon, 19 Jun 2023 01:13:23 -0600 Subject: [PATCH 1/3] fix signing key links in README --- README.md | 12 ++++++------ dist/{signingkey.asc => signingkey-old.asc} | 0 2 files changed, 6 insertions(+), 6 deletions(-) rename dist/{signingkey.asc => signingkey-old.asc} (100%) diff --git a/README.md b/README.md index 1394d31..e797955 100644 --- a/README.md +++ b/README.md @@ -99,22 +99,22 @@ a formal audit, please [contact Taylor Hornby](https://defuse.ca/contact.htm). Public Keys ------------ -The GnuPG public key used to sign current and older releases is available in -[dist/signingkey.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey.asc). Its fingerprint is: +The GnuPG public key used to sign the current and new releases is available in +[dist/signingkey.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). Its fingerprint is: ``` -2FA6 1D8D 99B9 2658 6BAC 3D53 385E E055 A129 1538 +6DD6 E677 0281 5846 FC85 25A3 DD2E 507F 7BDB 1669 ``` You can verify it against Taylor Hornby's [contact page](https://defuse.ca/contact.htm) and [twitter](https://twitter.com/DefuseSec/status/723741424253059074). -Due to the old key expiring, new releases will be signed with a new public key -available in [dist/signingkey-new.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). Its fingerprint is: +Older releases were signed with a (now-expired) available in +[dist/signingkey-old.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). The old key's fingerprint is: ``` -6DD6 E677 0281 5846 FC85 25A3 DD2E 507F 7BDB 1669 +2FA6 1D8D 99B9 2658 6BAC 3D53 385E E055 A129 1538 ``` A signature of this new key by the old key is available in diff --git a/dist/signingkey.asc b/dist/signingkey-old.asc similarity index 100% rename from dist/signingkey.asc rename to dist/signingkey-old.asc From 26e84756471861c92b3469b588c4016498adfa72 Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Mon, 19 Jun 2023 01:14:35 -0600 Subject: [PATCH 2/3] actually fix the signging key links --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e797955..23e3338 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ Public Keys ------------ The GnuPG public key used to sign the current and new releases is available in -[dist/signingkey.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). Its fingerprint is: +[dist/signingkey-new.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). Its fingerprint is: ``` 6DD6 E677 0281 5846 FC85 25A3 DD2E 507F 7BDB 1669 @@ -111,7 +111,7 @@ page](https://defuse.ca/contact.htm) and [twitter](https://twitter.com/DefuseSec/status/723741424253059074). Older releases were signed with a (now-expired) available in -[dist/signingkey-old.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). The old key's fingerprint is: +[dist/signingkey-old.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-old.asc). The old key's fingerprint is: ``` 2FA6 1D8D 99B9 2658 6BAC 3D53 385E E055 A129 1538 From 9b77beb6e1cd997aecfd2392849db5afab128b5e Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Mon, 19 Jun 2023 11:10:37 -0600 Subject: [PATCH 3/3] Fix links to fingerprint verification sources in README --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 23e3338..0e76317 100644 --- a/README.md +++ b/README.md @@ -108,7 +108,7 @@ The GnuPG public key used to sign the current and new releases is available in You can verify it against Taylor Hornby's [contact page](https://defuse.ca/contact.htm) and -[twitter](https://twitter.com/DefuseSec/status/723741424253059074). +[twitter](https://twitter.com/DefuseSec/status/1670840796743081984). Older releases were signed with a (now-expired) available in [dist/signingkey-old.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-old.asc). The old key's fingerprint is: @@ -117,5 +117,8 @@ Older releases were signed with a (now-expired) available in 2FA6 1D8D 99B9 2658 6BAC 3D53 385E E055 A129 1538 ``` +The old key's fingerprint can be verified against Taylor Hornby's [contact page](https://defuse.ca/contact.htm) and +[twitter](https://twitter.com/DefuseSec/status/723741424253059074). + A signature of this new key by the old key is available in [dist/signingkey-new.asc.sig](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc.sig).