GPG signatures for source validation

NicoHood archlinux at
Sat Dec 24 13:58:17 CET 2016

As we all know, today more than ever before, it is crucial to be able to
trust our computing environments. One of the main difficulties that
package maintainers of Linux distributions face, is the difficulty to
verify the authenticity and the integrity of the source code.

The Arch Linux team would appreciate it if you would provide us GPG
signatures in order to verify easily and quickly of your source code

Overview of the required tasks:
* Create and/or use a 4096-bit RSA keypair for the file signing
* Keep your key secret, use a strong unique passphrase for the key
* Upload the public key to a key server
* Sign every new commit by default
* Sign new tags
* Sign Release tarballs
* Provide https downloads

**Additional Information:**


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Xfce mailing list