all local RPM packages now signed with our GnuPG public key
As I commented earlier about the compromised WordPress 2.1.1 release, I have always been surprised and disappointed that many FOSS software distributions don’t provide good means for users to verify the authenticity and integrity of their downloads, not to mention the leading commercial software vendors (hardware platform vendors, OS vendors, and ISVs). There is also some confusion about what a checksum (MD5 or SHA1) can guarantee compared with a digital signature: a checksum only detects accidental corruption, and an attacker who replaces a download on the same server can just as easily replace the published checksum, whereas a signature can only be produced by the holder of the private key.
To do our own part, we’ve just published our GnuPG public key and signed all RPM packages we provide locally. The MD5sum list will carry MD5 checksums for the packages both before and after GnuPG signing.
If you have any questions on how to verify the RPM packages using our GnuPG public key, or why it is important, feel free to drop a note in the comments, and I’ll try my best to answer.
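The verification steps described above, as an added shell example (not a script from the original post; the key file name `vendor-pubkey.asc`, the package name `package.rpm`, and the temporary files it creates are placeholders and constructed inputs). The first helper shows why a checksum alone is not proof of authenticity; the second pair performs the real check with `rpm --import` and `rpm --checksig`, and insists that the output actually mentions a signature rather than only digests, because `rpm --checksig` reports an unsigned package as "OK" on its digests alone:

```shell
#!/bin/sh
# Added example: checksum versus GnuPG signature verification of an RPM download.
# File names below are placeholders; the temporary payloads are constructed here.

# verify_md5 <file> <expected-md5>
# A checksum catches accidental corruption. It does NOT catch a deliberate
# replacement, because whoever replaces the file can republish its checksum.
verify_md5() {
  actual=$(md5sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# import_vendor_key <vendor-pubkey.asc>
# One-time step: add the vendor's published GnuPG public key to the rpm keyring.
# Compare its fingerprint with one obtained out of band before trusting it.
import_vendor_key() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm not installed"; return 2; }
  rpm --import "$1"
}

# verify_rpm_signature <package.rpm>
# Returns 0 only when rpm verified a signature (older rpm prints "gpg OK",
# newer rpm prints "digests signatures OK"). A digest-only "OK" is rejected
# because it means the package carries no signature at all.
verify_rpm_signature() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm not installed"; return 2; }
  out=$(rpm --checksig "$1") || { echo "FAIL: $out"; return 1; }
  case "$out" in
    *pgp*|*gpg*|*signatures*|*SIGNATURES*) echo "OK: $out"; return 0 ;;
    *) echo "UNSIGNED: $out"; return 1 ;;
  esac
}

# demonstrate_checksum_limit
# Constructed scenario: a published checksum matches the original payload,
# fails on a tampered payload, and passes again once the attacker also
# replaces the published checksum. Prints each step; always returns 0.
demonstrate_checksum_limit() {
  f=$(mktemp)
  printf 'original payload\n' > "$f"
  published=$(md5sum "$f" | cut -d' ' -f1)
  verify_md5 "$f" "$published" && echo "original: checksum matches"
  printf 'tampered payload\n' > "$f"
  verify_md5 "$f" "$published" || echo "tampered: checksum mismatch detected"
  republished=$(md5sum "$f" | cut -d' ' -f1)
  verify_md5 "$f" "$republished" && echo "tampered + republished checksum: passes (no authenticity)"
  rm -f "$f"
  return 0
}

demonstrate_checksum_limit
# Real verification, run once the vendor key has been imported:
#   import_vendor_key vendor-pubkey.asc
#   verify_rpm_signature package.rpm
```

The signature check is only as strong as the key you import, so the fingerprint of the downloaded public key should be compared against a copy obtained through a second channel (a key server, a printed fingerprint, or a signed announcement) before the first `rpm --import`.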