[vlc-devel] OpenPGP verification of updates
funman at videolan.org
Mon Nov 26 02:46:01 CET 2007
I've started some work on using OpenPGP through libgcrypt to verify
the downloads when doing an update from VLC (to re-enable that code
before the 0.8.6d release).

It requires embedding the public key used to sign the files in VLC.
However, I noticed that a new key is generated every year, so that means
updates would be supported only if the version to be downloaded was
signed with the same key that is embedded in the version run by the

What is the point of doing a new key every year? NSA needs more than one
year to crack a key?

I see 2 solutions:
* release at least every year, and embed the new key in the
update xml file (since the new key is signed by the previous one). That
* sign the releases with the old key (then there is no point in
not always keeping the same key)
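
The first option in the message (carrying the new key in the update file, signed by the previous key) amounts to walking a chain from the embedded key to the key that signed the release. The sketch below is an added example, not code from the post or from VLC: it substitutes textbook RSA over constructed toy keys for OpenPGP/libgcrypt, and every name in it (`verify_update`, `rollovers`, the year-labelled keys) is an assumption.

```python
import hashlib

E = 65537  # public exponent shared by the constructed toy keys

def make_key(p, q):
    """Toy textbook-RSA key pair from two primes (illustration only)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == _digest(data, n)

def key_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def verify_update(embedded_n, rollovers, payload, payload_sig):
    """Walk the rollover chain from the embedded key, then check the release.

    rollovers: (new_public_key, signature_by_previous_key) pairs in order,
    as they would be carried in the update file (hypothetical layout).
    """
    trusted = embedded_n
    for new_n, sig in rollovers:
        if not verify(trusted, key_bytes(new_n), sig):
            return False  # break in the chain: trust nothing after it
        trusted = new_n
    return verify(trusted, payload, payload_sig)

# Constructed toy keys built from Mersenne primes; far too weak for real use.
KEY_2006 = make_key(2**61 - 1, 2**89 - 1)     # embedded in the old client
KEY_2007 = make_key(2**107 - 1, 2**127 - 1)
KEY_2008 = make_key(2**521 - 1, 2**607 - 1)   # signs the new release

RELEASE = b"constructed release bytes"
RELEASE_SIG = sign(KEY_2008, RELEASE)
CHAIN = [
    (KEY_2007["n"], sign(KEY_2006, key_bytes(KEY_2007["n"]))),
    (KEY_2008["n"], sign(KEY_2007, key_bytes(KEY_2008["n"]))),
]

if __name__ == "__main__":
    print("with rollover chain:", verify_update(KEY_2006["n"], CHAIN, RELEASE, RELEASE_SIG))
    print("embedded key only:  ", verify_update(KEY_2006["n"], [], RELEASE, RELEASE_SIG))
```

A client holding only the 2006 key accepts the 2008-signed release when both rollover links are present and rejects it when any link is missing, reordered, or not signed by the previously trusted key.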