[tz] Digital signing (was Re: Proposed time zone package changes ...)

David Magda dmagda at ee.ryerson.ca
Fri Oct 7 23:44:25 UTC 2011


On Oct 7, 2011, at 16:28, Bennett Todd wrote:

> As for details, I don't know anything wrong with the default algorithms that
> gpg uses. But ideally you shouldn't be using your own key directly, but
> rather a new, project-specific key for the project's official contact email
> address. You can start it off by signing it with your key, and other folks
> can add signatures after verifying the fingerprint with you offline.

A good place to start may be what US-CERT is using:

	http://www.us-cert.gov/pgp/soc.asc
	http://www.us-cert.gov/contact/

They update their key every year, but that's probably excessive here.




