[Tails-dev] Signing of the ISO and key material

Author: kwadronaut
Date:  
To: tails-dev
Subject: [Tails-dev] Signing of the ISO and key material
Hi,

I was wondering how Tails is taking care of its signing keys. I have
read some documentation [1][2] and really appreciate the policy, setup
(i.e. no subkeys), how well it's integrated in the wot and the
documentation. Question, for other projects, as best practices: how are
you dealing with the secret material? Are all the developers sharing it,
are you using something like ssss? Have you thought about other options
or tools to help manage this? According to [2] you're not using ssss
(directly)?

I'm asking because:
a. no re-invention of wheels and hot water
b. good (release) practices are essential in any software piece

Disclosure: a project I'm involved with [3] prefers not to share key
material with all developers and putting it on a server with a web
application and a java monster aren't really appealing options either.
Therefore, we're exploring options and picking minds.

Last note: I obviously do *not* want to know who or how many people
have access to those resources, generic statements that can be reused
make most sense.

Ciao,

kwadronaut

[1] https://tails.boum.org/doc/about/openpgp_keys/#index2h1
[2] https://tails.boum.org/contribute/release_process/#index9h1
[3] https://leap.se