README.source: Add instructions to verify upstream tag and file signatures

2016-03-15 00:59:32 +00:00 · 2016-03-15 00:59:32 +00:00 · e4a0845da3
parent c4460bf84d
commit e4a0845da3
1 changed files with 24 additions and 0 deletions
--- a/debian/README.source
+++ b/debian/README.source
@ -12,6 +12,30 @@ unifdef packages installed.
   * git://kernel.ubuntu.com/ubuntu/linux.git

   However, it is also possible to use upstream tarball and patch releases.
+   Both tags and files should be signed by the relevant maintainer, which
+   you *must* verify using commands such as:
+
+   $ git tag -v v4.5
+   $ xzcat linux-4.5.tar.xz | gpg --verify linux-4.5.tar.sign -
+   $ xzcat patch-4.5.1.xz | gpg --verify patch-4.5.1.sign -
+
+   The upstream maintainers' key fingerprints are:
+
+   pub   2048R/00411886 2011-09-20
+         Key fingerprint = ABAF 11C6 5A29 70B1 30AB  E3C4 79BE 3E43 0041 1886
+   uid                  Linus Torvalds <torvalds@linux-foundation.org>
+   sub   2048R/012F54CA 2011-09-20
+
+   pub   4096R/6092693E 2011-09-23
+         Key fingerprint = 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E
+   uid                  Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>
+   sub   4096R/76D54749 2011-09-23
+
+   pub   4096R/FDCE24FC 2011-12-10
+         Key fingerprint = D4E1 E317 4470 9144 B0F8  101A DB74 AEB8 FDCE 24FC
+   uid                  Luis Henriques <luis.henriques@canonical.com>
+   uid                  Luis Henriques <henrix@camandro.org>
+   sub   4096R/EFBC394A 2011-12-10

 2) Run: ./debian/bin/genorig.py <repository>
   or:  ./debian/bin/genorig.py <tarball> [patch]