From 1853131d42dd69ddb062946373fb4d2230992ab1 Mon Sep 17 00:00:00 2001 From: zeripath Date: Thu, 30 Apr 2020 10:08:43 +0100 Subject: [PATCH] Use keys.openpgp.org instead of pgp.mit.edu (#11249) The SKS Keyserver network has been under attack with poisoned certificates since at least 2019. Downloading a poisoned certificate has the awful side-effect of completely breaking your keyring and most software has now moved off the network and uses the keys.openpgp.org which has a different protocol instead - in fact one whereby emails are verified. For more details regarding the attack see: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f See: https://keys.openpgp.org/about and https://keys.openpgp.org/about/faq Signed-off-by: Andrew Thornton Co-authored-by: Lunny Xiao --- docs/content/doc/installation/from-binary.en-us.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/doc/installation/from-binary.en-us.md b/docs/content/doc/installation/from-binary.en-us.md index d1bb3693bdbb..58d259650703 100644 --- a/docs/content/doc/installation/from-binary.en-us.md +++ b/docs/content/doc/installation/from-binary.en-us.md @@ -26,10 +26,10 @@ chmod +x gitea ``` ## Verify GPG signature -Gitea signs all binaries with a [GPG key](https://pgp.mit.edu/pks/lookup?op=vindex&fingerprint=on&search=0x2D9AE806EC1592E2) to prevent against unwanted modification of binaries. To validate the binary, download the signature file which ends in `.asc` for the binary you downloaded and use the gpg command line tool. +Gitea signs all binaries with a [GPG key](https://keys.openpgp.org/search?q=teabot%40gitea.io) to prevent against unwanted modification of binaries. To validate the binary, download the signature file which ends in `.asc` for the binary you downloaded and use the gpg command line tool. ```sh -gpg --keyserver pgp.mit.edu --recv 7C9E68152594688862D62AF62D9AE806EC1592E2 +gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2 gpg --verify gitea-{{< version >}}-linux-amd64.asc gitea-{{< version >}}-linux-amd64 ```