GPG signing is our preferred method of establishing authenticity of anything ranging from mails to release tarballs/tags. To make this easy to verify and trustworthy it is useful to have yourself wired into the KDE web of trust (i.e. get your key signed by other KDE contributors).
If you are release manager of a project or a distribution packager it is highly recommended that you attend this BoF to get yourself wired into the release web of trust which makes tarball signature verification a lot easier.
There's lots of good guides on GPG in general and key signing in specific out on the internet, it is recommended you read up on this a bit. We'll only explain the process in broad strokes at the BoF. If you have questions you can send a mail to [email protected]
How This Works - READ THIS!
Add the name and email address of your key as well as the fingerprint below. Tuesday morning at 10:00 Harald is going to do a print out for all listed attendants. If you would like to do your own print out, please send a mail to [email protected]. If you are not listed by Tuesday morning you'll have to pay 900 Euros penalty (increased from 2017 because of inflation and Brexit uncertainties)! Please make sure that you send a mail if you add yourself after the deadline.
To get your key fingerprint, you'll want to run gpg or gpg2 with the --fingerprint argument and your name or short ID.
gpg2 --fingerprint Sitter
Make sure to bring an ID card or preferably a passport so we can verify you are who you claim to be at the BoF.
|Key OK||Name <EMail>||Fingerpint||ID OK|
|☐||Harald Sitter <[email protected]>||CB93 8752 1E1E E012 7DA8 0484 3FDB B550 84CC 5D84||☐|
|☐||Bhushan Shah <[email protected]>
Bhushan Shah <[email protected]>
|0AAC 775B B643 7A8D 9AF7 A3AC FE07 8411 7FBC E11D||☐|
|☐||Your Name <[email protected]>||1234 1234 1234 FINGER PRINT||☐|