[vlc-devel] OpenPGP verification of updates

Rafaël Carré funman at videolan.org
Mon Nov 26 02:46:01 CET 2007


I've started some work on using OpenPGP through libgcrypt to verify
the downloads when doing an update from VLC (to re-enable that code
before the 0.8.6d release).

It requires embedding the public key used to sign the files in VLC.

However, I noticed that a new key is generated every year, so that means
updates would be supported only if the version to be downloaded was
signed with the same key that is embedded in the version run by the

What is the point of doing a new key every year? NSA needs more than one
year to crack a key?

I see 2 solutions:
	* release at least every year, and embed the new key in the
update xml file (since the new key is signed by the previous one). That
is overkill.
	* sign the releases with the old key (then there is no point
not keeping always the same key)

Please help.

Rafaël Carré
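The first option above, embedding each year's new key in the update manifest signed by the previous year's key, amounts to a key-rollover chain that the client walks from its built-in key. The following is an added example of that client-side check, not code from VLC or from the post; it uses Go's standard-library Ed25519 in place of OpenPGP/libgcrypt, and the Transition and Manifest structures are hypothetical stand-ins for whatever the real update XML would carry. The client accepts a download only if every rollover in the chain is signed by the key before it and the release signature verifies under the key reached at the end of the chain.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Transition is one yearly key rollover as the manifest would carry it:
// the new public key plus a signature over it by the previous year's key.
// Hypothetical structure; the post does not describe the real XML.
type Transition struct {
	NewKey ed25519.PublicKey
	Sig    []byte // signature over NewKey by the previous key
}

// Manifest models one update entry: the rollover chain leading from the key
// the client was built with to the key that signed this release, plus the
// release digest and the signature over that digest.
type Manifest struct {
	Chain      []Transition
	FileSHA256 []byte
	FileSig    []byte // signature over FileSHA256 by the last key in Chain
}

// NewRootKey makes the key pair a client ships with (a real client embeds
// only the public half; the private half is generated here for the demo).
func NewRootKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// PublicOf returns the public half of a private key.
func PublicOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// Rollover generates next year's key and the transition record that lets a
// client holding the previous key accept it.
func Rollover(prev ed25519.PrivateKey) (ed25519.PrivateKey, Transition) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, Transition{NewKey: pub, Sig: ed25519.Sign(prev, pub)}
}

// SignRelease builds the manifest for a release signed with priv, carrying
// the chain of rollovers that leads to priv's public key.
func SignRelease(priv ed25519.PrivateKey, chain []Transition, file []byte) Manifest {
	sum := sha256.Sum256(file)
	return Manifest{Chain: chain, FileSHA256: sum[:], FileSig: ed25519.Sign(priv, sum[:])}
}

// Verify is the client side. Starting from the embedded key, each new key
// must be signed by the key before it; only the key reached at the end of
// the chain may vouch for the download. An empty chain means the release
// was signed with the embedded key itself.
func Verify(embedded ed25519.PublicKey, m Manifest, file []byte) error {
	if len(embedded) != ed25519.PublicKeySize {
		return errors.New("embedded key malformed")
	}
	current := embedded
	for i, t := range m.Chain {
		if len(t.NewKey) != ed25519.PublicKeySize {
			return fmt.Errorf("transition %d: malformed key", i)
		}
		if !ed25519.Verify(current, t.NewKey, t.Sig) {
			return fmt.Errorf("transition %d: new key is not signed by the previous key", i)
		}
		current = t.NewKey
	}
	sum := sha256.Sum256(file)
	if !bytes.Equal(sum[:], m.FileSHA256) {
		return errors.New("downloaded file does not match manifest digest")
	}
	if !ed25519.Verify(current, m.FileSHA256, m.FileSig) {
		return errors.New("release signature not valid under the trusted key")
	}
	return nil
}

func main() {
	// Constructed scenario: the client shipped with the 2005 key; releases
	// have since been signed with the 2006 key and then the 2007 key.
	root := NewRootKey()
	k2006, t2006 := Rollover(root)
	k2007, t2007 := Rollover(k2006)
	file := []byte("constructed stand-in for a release tarball")

	m := SignRelease(k2007, []Transition{t2006, t2007}, file)
	fmt.Println("chained manifest:", Verify(PublicOf(root), m, file))

	// Manifest without the rollovers: the old client has no path from its
	// embedded key to the 2007 key and must reject the release.
	fmt.Println("chain omitted:   ", Verify(PublicOf(root), SignRelease(k2007, nil, file), file))

	// A key that no key in the chain signed is rejected at that step.
	_, rogue := Rollover(NewRootKey())
	bad := SignRelease(k2007, []Transition{t2006, rogue, t2007}, file)
	fmt.Println("rogue key:       ", Verify(PublicOf(root), bad, file))
}
```

With this check in the client, a release does not have to ship every year for updates to keep working: a client built with an older key still accepts a newer release as long as the manifest carries the unbroken chain of rollovers back to its embedded key, and it rejects any manifest that omits the chain or inserts a key the previous key never signed.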