Crypto++ releases are signed using a key of one of the individuals who are authorized to release Crypto++. Authorized individuals roughly means folks with check-in privileges. There is no single project key shared among authorized release personnel.
The collaborators who are authorized to release with their key are listed below.
Name | Key |
---|---|
Wei Dai | - |
Jeffrey Walton | B8CC 1980 2062 211A 508B 2F5C CE05 86AF 1F8E 37BD |
Uri Blumenthal | - |
FIPS DLL | - |
Note that Wei is listed, but he probably won't sign a release. Wei is busy with other duties, and he leaves the day-to-day operations to others involved in the project.
You should use GnuPG to verify a release signature. Be sure the public keys used to sign Crypto++ are installed.
    $ gpg --quiet --verify cryptopp820.zip.sig cryptopp820.zip
    gpg: Signature made Sun 28 Apr 2019 07:41:05 PM EDT
    gpg: using RSA key CE0586AF1F8E37BD
    gpg: Good signature from "Jeffrey Walton (Crypto++ Release) <noloader@gmail.com>"
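A "Good signature" line only says the file was signed by some key in the local keyring, so an automated check should also confirm which key made it. The script below is an added example, not part of the Crypto++ project: it parses GnuPG's `--status-fd` output and accepts a release only when the signature comes from the fingerprint listed in the table above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the release key when verifying a Crypto++ download.
# Fingerprint copied from the table on this page, spaces removed.
PINNED_FPR="B8CC19802062211A508B2F5CCE0586AF1F8E37BD"

# check_status: read `gpg --status-fd` lines on stdin.
# Succeeds only if a VALIDSIG line names the pinned key and no
# signature in the same run was bad or unverifiable.
check_status() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint and the
        # last field is the primary key fingerprint.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release SIGFILE DATAFILE
# Runs gpg and hands its machine-readable status to check_status.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Constructed sample status output: signature by the pinned key.
SAMPLE_GOOD='[GNUPG:] GOODSIG CE0586AF1F8E37BD Jeffrey Walton (Crypto++ Release) <noloader@gmail.com>
[GNUPG:] VALIDSIG B8CC19802062211A508B2F5CCE0586AF1F8E37BD 2019-04-28 1556494865 0 4 0 1 8 00 B8CC19802062211A508B2F5CCE0586AF1F8E37BD'

# Constructed sample: a cryptographically valid signature, but made by
# some other key that happens to be in the keyring (made-up fingerprint).
SAMPLE_OTHER='[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <someone@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-04-28 1556494865 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# When called with a signature and a file, verify them.
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: $2 is signed by $PINNED_FPR"
    else
        echo "FAIL: $2 is not signed by the pinned release key" >&2
        exit 1
    fi
fi
```

Saved under a name of your choice, the script takes the signature file and the archive as its two arguments, for example `cryptopp820.zip.sig cryptopp820.zip`, and exits non-zero unless the pinned key made the signature.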
Key fingerprint = B8CC 1980 2062 211A 508B 2F5C CE05 86AF 1F8E 37BD
Individuals who have release authorization are expected to:
Signing keys should be 3072-bit RSA and signatures should use SHA-256. Other algorithm choices, like Ed25519 or SHA-3, will likely cause interop problems for some folks on some platforms.
Changes to the signing key should be retained on this page. That is, don't delete a former key if updating to a new key. Retain the old key for record keeping.
The key should be stored offline with passphrase protection. For example, burned to a CD and then stored in a fire resistant lock box. The key should not be online, and should not be under control of a key manager to automatically unlock it.
Related information can be found at Apache Release Signing and Release Signing on the Crypto++ wiki.