Re: GPG Keys Now Available

fibruve
Posts: 3
Joined: Thu May 11, 2017 8:31 pm

Re: GPG Keys Now Available

Post by fibruve » Thu May 18, 2017 3:38 am

May I suggest that the Key ID and Fingerprint of the GPG signing key be conspicuously posted.
For example, adding them to the forum post and perhaps elsewhere.
viewtopic.php?f=33&t=36386

BradleyS
Moderator
Posts: 1279
Joined: Thu Aug 09, 2007 12:16 pm

Re: Re: GPG Keys Now Available

Post by BradleyS » Thu May 18, 2017 11:30 am

Is the GitHub article linked from that forum post not sufficient? OpenPGP

BradleyS
Moderator
Posts: 1279
Joined: Thu Aug 09, 2007 12:16 pm

Re: Re: GPG Keys Now Available

Post by BradleyS » Thu May 18, 2017 11:38 am

I added the output of

    gpg2 --fingerprint HandBrake

to the article.

fibruve
Posts: 3
Joined: Thu May 11, 2017 8:31 pm

Re: Re: GPG Keys Now Available

Post by fibruve » Fri May 19, 2017 4:28 am

It may be prudent to have the signing key's fingerprint published in a location that is separate from the service that hosts the signature files.

Currently the signature files are published at HandBrake's github, and so are the pub key and fingerprint.
If HandBrake's github is hacked, it is easy for the attacker to generate their own fake HandBrake Team key and use it to create signature files for a hacked version of the app. Since the attackers would have access to HandBrake's github, they can also alter the wiki page to show the fingerprint of their fake key.

Having the fingerprint published on a service that does not share credentials or infrastructure with the signature files lessens the risk of an attacker substituting a fake key and signature files for the real ones.
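
As an added editorial example (not code posted in this thread and not HandBrake's own tooling), the following Python script applies the out-of-band fingerprint check fibruve describes. It pins the signing key's primary fingerprint (the value below is a placeholder; the real one has to be copied from the page hosted separately from the signature files) and accepts a download only when gpg reports GOODSIG and VALIDSIG from exactly that key. A valid signature made by a substituted key is therefore rejected even though gpg --verify alone exits 0 for it, which is the gap a compromised host would exploit. The status-line parser is exercised on constructed sample output; the gpg invocation assumes GnuPG 2.x on PATH and the signer's public key already imported.

```python
import hmac
import re
import subprocess

# Placeholder fingerprint: NOT the real HandBrake key. Replace it with the
# value read from a page that does not share hosting with the .sig files.
PINNED_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Status keywords after which the signature must be rejected outright.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize_fpr(fpr):
    """Canonical form (upper-case hex, no spaces) so a fingerprint copied from
    a web page compares equal to gpg's machine-readable output."""
    f = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", f):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint: %r" % fpr)
    return f


def parse_status(status_text):
    """Parse `gpg --status-fd` lines into (good, primary_fpr, fatal).

    good:        a GOODSIG line was seen
    primary_fpr: primary-key fingerprint from VALIDSIG (last field when
                 present, otherwise the signing-key fingerprint)
    fatal:       any keyword from FATAL_KEYWORDS was seen
    """
    good, primary_fpr, fatal = False, None, False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <sig-key fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> [<primary fpr>]
            primary_fpr = fields[11] if len(fields) > 11 else fields[2]
        elif keyword in FATAL_KEYWORDS:
            fatal = True
    return good, primary_fpr, fatal


def signature_matches_pin(status_text, pinned_fpr=PINNED_FPR):
    """True only for a good, valid signature whose primary key is the pin."""
    good, primary_fpr, fatal = parse_status(status_text)
    if fatal or not good or primary_fpr is None:
        return False
    try:
        seen = normalize_fpr(primary_fpr)
    except ValueError:
        return False
    return hmac.compare_digest(seen.encode(), normalize_fpr(pinned_fpr).encode())


def verify_release(data_path, sig_path, pinned_fpr=PINNED_FPR):
    """Run gpg and apply the pin; the process exit status is deliberately not
    trusted on its own. Requires gpg on PATH and the public key imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True,
    )
    return signature_matches_pin(proc.stdout, pinned_fpr)


# Constructed sample status output (not captured from a real gpg run).
GOOD_PINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer (placeholder) <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-05-18 1495078800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same shape, but signed by a different key: what a compromised host could
# serve together with a rewritten fingerprint page. gpg exits 0 for this too.
GOOD_WRONG_KEY = GOOD_PINNED.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
)
BAD_SIG = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"

if __name__ == "__main__":
    for name, status in [("pinned key", GOOD_PINNED),
                         ("wrong key", GOOD_WRONG_KEY),
                         ("bad signature", BAD_SIG)]:
        print("%-14s %s" % (name + ":", "ACCEPT" if signature_matches_pin(status) else "REJECT"))
```

The pin is compared against the primary-key fingerprint reported in VALIDSIG rather than the short key ID printed in GOODSIG, because short and long key IDs are far easier to collide than a full fingerprint, and the pinned value should be the same 40-digit string the user reads off the separately hosted page.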

s55
HandBrake Team
Posts: 9078
Joined: Sun Dec 24, 2006 1:05 pm

Re: Re: GPG Keys Now Available

Post by s55 » Fri May 19, 2017 6:25 pm

Yeh, we mirror our hashes for that reason. I'll get the GPG page mirrored as well and make sure it links to github.
