I am wondering how someone is expected to verify a release image? Taking the 14.3 release, for example, imagine a user starting their journey here:
I can download an ISO of my choice, following the links in the announcement. And I see that there are checksums provided in a conveniently signed document. Great! But what is the public key that I should verify has signed these checksums? I can't find any documentation anywhere in the release notes, the handbook, indeed anywhere in the site documentation pages, that gives me any chain of trust I can follow to find a public key ID that has signed the release.
The handbook lists a key ID for the security officer, but that key has not signed the release.
:-(.
I can download an ISO of my choice, following the links in the announcement. And I see that there are checksums provided in a conveniently signed document. Great! But what is the public key that I should verify has signed these checksums? I can't find any documentation anywhere in the release notes, the handbook, indeed anywhere in the site documentation pages, that gives me any chain of trust I can follow to find a public key ID that has signed the release.
The handbook lists a key ID for the security officer, but that key has not signed the release.
:-(.