GPG signing is our preferred method of establishing the authenticity of anything ranging from mails to release tarballs/tags. To make signatures easy to verify and trustworthy, it is useful to have yourself wired into the KDE web of trust (i.e. get your key signed by other KDE contributors).
If you are the release manager of a project or a distribution packager, it is highly recommended that you attend this BoF to get yourself wired into the release web of trust, which makes tarball signature verification a lot easier.
There are lots of good guides on GPG in general and key signing in particular on the internet; it is recommended that you read up on this a bit. We'll only explain the process in broad strokes at the BoF. If you have questions you can send a mail to [email protected]
How This Works - READ THIS!
Add the name and email address of your key as well as the fingerprint below. Tuesday at 12:00 someone is going to do a printout for all listed attendees. If you would like to do your own printout, please send a mail to [email protected]. Please make sure that you send a mail if you add yourself after the deadline. It may be too late or not, but I definitely want to know.
To get your key fingerprint, you'll want to run gpg or gpg2 with the --fingerprint argument and your name or short ID.
For the BoF, please make sure you know your fingerprint. For example, write it down somewhere or print it out. We'll ask you to verify that the printed fingerprint is in fact your key, so you want to have it easily accessible.
gpg2 --fingerprint Sitter
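An added example (not part of the original page): a POSIX shell helper that compares the fingerprint on a printout with the primary-key fingerprint in gpg's machine-readable --with-colons listing, and refuses to answer when the name search matched zero or several keys. The function names, the 40-hex-digit (v4 key) assumption and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and SAMPLE_LISTING are constructed.
# Real use: gpg2 --with-colons --fingerprint NAME | check_fpr "PRINTED FPR"

# Strip whitespace and upper-case, so "cb93 8752" and "CB938752" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Read a --with-colons listing on stdin; print primary-key fingerprints only
# (field 10 of the first "fpr" record after each "pub"), skipping subkeys.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# check_fpr PRINTED < listing
# 0: match, 1: mismatch, 2: unusable input (printed value is not 40 hex
# digits, or the search matched zero or several keys).
check_fpr() {
    printed=$(normalize_fpr "$1")
    case "$printed" in
        ''|*[!0123456789ABCDEF]*) return 2 ;;
    esac
    [ "${#printed}" -eq 40 ] || return 2      # assumes v4 fingerprints
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 2
    [ "$found" = "$printed" ]
}

# Constructed listing: one primary key with one subkey (not a real key).
SAMPLE_LISTING='pub:u:4096:1:89ABCDEF01234567:1400000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1400000000::::Example Person <person@example.org>:
sub:u:4096:1:76543210FEDCBA98:1400000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

if printf '%s\n' "$SAMPLE_LISTING" |
        check_fpr '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'; then
    echo 'printed fingerprint matches the primary key'
fi
```

A return code of 2 means the comparison was never made, for instance because the name matched more than one key in the keyring; rerun with a more specific search term.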
Make sure to bring an ID card or preferably a passport so we can verify you are who you claim to be at the BoF.
|Key OK||Name <EMail>||Fingerprint||ID OK|
|☐||Harald Sitter <[email protected]>||CB93 8752 1E1E E012 7DA8 0484 3FDB B550 84CC 5D84||☐|
|☐||Your Name <[email protected]>||1234 1234 1234 FINGER PRINT||☐|