
Release Signing

Crypto++ releases are signed using the key of one of the individuals who are authorized to release Crypto++. "Authorized individuals" roughly means folks with check-in privileges. There is no single project key shared among authorized release personnel.

Collaborators

The collaborators who are authorized to release, together with their signing keys, are listed below.

Name            Key
Wei Dai         -
Jeffrey Walton  B8CC 1980 2062 211A 508B 2F5C CE05 86AF 1F8E 37BD
Uri Blumenthal  -
FIPS DLL        -

Note that Wei is listed, but he probably won't sign a release. Wei is busy with other duties, and he leaves the day-to-day operations to others involved in the project.

Verification

You should use GnuPG to verify a release signature. Be sure the public keys used to sign Crypto++ are imported into your GnuPG keyring.

$ gpg --quiet --verify cryptopp820.zip.sig cryptopp820.zip
gpg: Signature made Sun 28 Apr 2019 07:41:05 PM EDT
gpg:                using RSA key CE0586AF1F8E37BD
gpg: Good signature from "Jeffrey Walton (Crypto++ Release) <noloader@gmail.com>"
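"Good signature" only means the signing key is somewhere in your keyring. The script below, an added example rather than the wiki's or the project's own tooling, reads gpg's machine-readable status lines and accepts a release only when the VALIDSIG line carries the fingerprint published above and the signature is RSA over SHA-256, the algorithm policy stated in the Governance section. It assumes gpg (GnuPG 2.x) and awk are on PATH; the status lines it checks itself against are constructed.

```shell
#!/bin/sh
# Added example, not the wiki's or the project's own tooling: verify a Crypto++
# release signature and pin the signer to the fingerprint published above.
# Assumes gpg (GnuPG 2.x), awk and a POSIX shell are on PATH.

# Jeffrey Walton's fingerprint from the Collaborators table, spaces removed.
EXPECTED_FPR="B8CC19802062211A508B2F5CCE0586AF1F8E37BD"

# Read gpg --status-fd lines on stdin and succeed only if a VALIDSIG line
# names the pinned fingerprint AND the signature is RSA (pubkey algo 1) over
# SHA-256 (hash algo 8), the combination the Governance section requires.
# GOODSIG alone is not enough: gpg prints it for any key in the local keyring.
validsig_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
        $3 == want && $9 == 1 && $10 == 8 { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Usage: verify_release cryptopp820.zip.sig cryptopp820.zip
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        validsig_matches "$EXPECTED_FPR"
}

# Constructed status output in the shape gpg 2.x emits for the run shown above
# (timestamp is 2019-04-28 19:41:05 EDT), so the check runs without the archive.
SAMPLE_STATUS='[GNUPG:] GOODSIG CE0586AF1F8E37BD Jeffrey Walton (Crypto++ Release) <noloader@gmail.com>
[GNUPG:] VALIDSIG B8CC19802062211A508B2F5CCE0586AF1F8E37BD 2019-04-28 1556494865 0 4 0 1 8 00 B8CC19802062211A508B2F5CCE0586AF1F8E37BD'

# Constructed: a good signature from some other key that is also in the keyring.
OTHER_STATUS='[GNUPG:] GOODSIG 0123456789ABCDEF Not The Release Key <other@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2019-04-28 1556494865 0 4 0 1 8 00'

# Constructed: right key, but the signature was made with SHA-1 (hash algo 2).
WEAK_STATUS='[GNUPG:] VALIDSIG B8CC19802062211A508B2F5CCE0586AF1F8E37BD 2019-04-28 1556494865 0 4 0 1 2 00'

# Returns 0 when the pinned check accepts SAMPLE_STATUS and rejects the others.
selfcheck() {
    printf '%s\n' "$SAMPLE_STATUS" | validsig_matches "$EXPECTED_FPR" || return 1
    for bad in "$OTHER_STATUS" "$WEAK_STATUS"; do
        if printf '%s\n' "$bad" | validsig_matches "$EXPECTED_FPR"; then
            return 1
        fi
    done
    return 0
}
```

Run `verify_release cryptopp820.zip.sig cryptopp820.zip` after importing the key; a non-zero exit means the archive was not signed by the pinned key with the required algorithms.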

Jeffrey Walton

Key fingerprint = B8CC 1980 2062 211A 508B 2F5C CE05 86AF 1F8E 37BD

FIPS DLL

Governance

Individuals who have release authorization are expected to:

  1. Announce their current key on the mailing list
  2. Announce changes to the current key on the mailing list
  3. Publish their current key on this wiki page
  4. Publish their current key to a well-known keyserver
  5. Publish changes to the current key on this wiki page
  6. Store the key offline with passphrase protection

Signing keys should be 3072-bit RSA and signatures should use SHA-256. Other algorithm choices, like Ed25519 or SHA-3, will likely cause interop problems for some folks on some platforms.

Changes to the signing key should be retained on this page. That is, don't delete a former key when updating to a new key; retain the old key for record-keeping.

The key should be stored offline with passphrase protection, for example burned to a CD and then stored in a fire-resistant lock box. The key should not be kept online, and should not be under the control of a key manager that unlocks it automatically.

Related information can be found at Apache Release Signing and Release Signing on the Crypto++ wiki.