Signed-off-by: Babak K. Shandiz <babakks@github.com>
Pull request overview
Adds PGP key fingerprints to the Linux installation documentation so users can confirm the signing keys used by the official package repositories.
Changes:
- Adds an IMPORTANT callout listing the PGP key fingerprints used for signing.
- Adds guidance for verifying the Debian APT keyring contents with `gpg --show-keys`.
- Adds an RPM section TIP reminding users they can validate imported keys against the published fingerprints.
| File | Description |
|---|---|
| docs/install_linux.md | Documents signing key fingerprints and adds key verification tips for Debian/RPM installs. |
Copilot's findings
- Files reviewed: 1/1 changed files
- Comments generated: 2
Signed-off-by: Babak K. Shandiz <babakks@github.com>
| > To verify downloaded PGP keys, you can run this and match the listed fingerprints with those at the top of this document: | ||
| > | ||
| > ```shell | ||
| > gpg --show-keys /etc/apt/keyrings/githubcli-archive-keyring.gpg |
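Review bot: the `gpg --show-keys` command in this tip reads `/etc/apt/keyrings/githubcli-archive-keyring.gpg`, so the check only happens after the keyring is already in the directory APT reads its trusted keys from. Consider showing the same command against the downloaded file before it is copied into `/etc/apt/keyrings`, and say what the reader should do when a listed fingerprint does not match the ones at the top of the document (stop and remove the keyring).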
Is there a reason you didn't include this for RPM?
Yeah. Seems like RPM clients download the keyring file and then install it as an RPM package. The original .asc file should be somewhere on the disk, but the source of truth is rpm -qi query.
Never mind, misread/confused. Yeah, I actually can do a curl/wget and then run gpg on it. Will add now.
Now added for both, but I changed my mind a bit. Instead of verifying the downloaded/installed keyring, now we verify the keyrings to be downloaded (via curl | gpg). It's actually more realistic for users who want to check the fingerprints first.
Signed-off-by: Babak K. Shandiz <babakks@github.com>
6b4b344 to 1f94ee4
This PR adds fingerprints of our PGP keys to Linux installation docs.
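The fingerprint check discussed in this thread can be made machine-checkable instead of compared by eye. The script below is an added example, not part of the PR or the project's docs: it parses `gpg --show-keys --with-colons` output and fails closed unless every primary key is on a pinned list. The function names, the sample listing and its fingerprints are constructed placeholders, and it assumes the pinned list holds primary-key fingerprints.

```shell
#!/bin/sh
# Added example (not from the PR): fail closed unless every primary key in a
# keyring has a fingerprint on a pinned list.

# Constructed sample of `gpg --show-keys --with-colons` output; the key IDs and
# fingerprints are placeholders, not the project's real keys.
SAMPLE='pub:-:4096:1:89ABCDEF01234567:1600000000:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000000::::Constructed Key <key@example.invalid>::::::::::0:
sub:-:4096:1:76543210FEDCBA98:1600000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print the fingerprint (field 10 of the "fpr" record) of each primary key.
# Subkey fingerprints are skipped (assumption: the pinned list names primary keys).
extract_fprs() {
    awk -F: '
        $1 == "pub" { primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { print toupper($10); primary = 0 }'
}

# check_fprs PINNED...   (colon-format listing on stdin)
# Returns 0 only if at least one key is present and every key is pinned;
# 1 if an unpinned key is found, 2 if the input contains no keys.
check_fprs() {
    found=$(extract_fprs)
    if [ -z "$found" ]; then echo "no keys in input" >&2; return 2; fi
    for fpr in $found; do
        ok=0
        for pinned in "$@"; do
            # Docs often print fingerprints in spaced groups; normalise first.
            norm=$(printf '%s' "$pinned" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
            if [ "$fpr" = "$norm" ]; then ok=1; fi
        done
        if [ "$ok" -ne 1 ]; then echo "unpinned key: $fpr" >&2; return 1; fi
    done
    return 0
}

# Usage: gpg --show-keys --with-colons KEYRING | sh this-script FPR [FPR...]
if [ "$#" -gt 0 ]; then check_fprs "$@"; fi
```

Take the pinned fingerprints from a source other than the one serving the keyring, and run the check on the downloaded file before copying it into `/etc/apt/keyrings`.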