Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-01-13 00:09:47 -05:00
Code Issues Packages Projects Releases Wiki Activity

Document qubes-secpack PGP key inclusion criteria

Browse Source
This commit is contained in:
Andrew David Wong 2021-06-29 15:42:02 -07:00
parent 3253b6b91e
commit a2e3dfe7a7
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
project-security/security-pack.md
View File

@ -174,6 +174,17 @@ signatures) are provided to ensure that the system is robust (e.g., against a
potential failure in Git tag-based verification) and to give users more options potential failure in Git tag-based verification) and to give users more options
to verify the files. to verify the files.
## PGP key inclusion criteria
The `qubes-secpack` generally includes only those PGP keys used to sign some
kind of official project artifact, such as Qubes release ISOs (release signing
keys), Git tags and commits (code signing, doc signing, and security team
keys), and the `qubes-secpack`'s own files and Git tags (security team keys
again). This means that email keys are generally not included, even for
official project email addresses. There is one exception to this rule: the
official [Qubes Security Team](/security/#qubes-security-team) email address,
which is used to report security vulnerabilities in Qubes OS to our security
team.
## History and rationale ## History and rationale