Official releases of xmlrpc-c are signed using GPG.  If you verify the
signature on your copy, the odds are very good that nobody has tampered
with it.

Note that this signature does *not* indicate that xmlrpc-c is bug free,
secure, or appropriate for use on your system.  As always, the full set of
disclaimers apply (see the license for details).  All the signature
guarantees is that either (1) the distribution came from an official source
or (2) somebody went to a *lot* of effort to forge a GPG signature.

These instructions assume that you've installed GPG, and you know how to
use it.  See http://www.gnupg.org/ for more information.


Getting Keys
------------

The following GNU Privacy Guard keys are used to make signatures:

   Eric Kidd (personal key) <eric.kidd@pobox.com>
   pub  1024D/8C757763 2001-04-02 
   sub  2048g/1E04F132 2001-04-02
   Fingerprint: 5F26 762F DB05 1A12 3762  0995 F402 93DD 8C75 7763

   Eric Kidd (software validation key) <eric.kidd@pobox.com>
   pub  1024D/AC00C6C2 2001-04-02
   Fingerprint: B222 6F05 5DAE 9899 F39D  65ED 5900 A72A AC00 C6C2   

You can find these keys in the public keyservers, or at the bottom of this
file.  Unfortunately, neither source is even slightly trustworthy, so
you'll want to verify the key fingerprints in another fashion.  If you're
not too picky, do a web search for xmlrpc-c release announcements; those
should generally contain a key fingerprint.

The second key will expire in a year, and a new key will be issued.  These
keys will also be used for security advisories.


Verifying Tarballs
------------------

To verify a tarball, first make sure that you're running gnupg 1.0.4 with
the security patch applied (or a newer release).  If you haven't applied
the security patch, this verification step ensures nothing!

Type the following command, substituting the correct version numbers.  Note
the '- <'.  This is the only safe way to verify a signature with gnupg.

  $ gpg --verify xmlrpc-c-0.9.9.tar.gz.sig - < xmlrpc-c-0.9.9.tar.gz

You should see something like this:

  gpg: Signature made Mon Apr  2 18:55:07 2001 EDT using DSA key ID AC00C6C2
  gpg: Good signature from "Eric Kidd (software validation key) <eric.kidd@pobox.com>"


Verifying RPMS
--------------

This is easy.  Just type:

  $ rpm --checksig xmlrpc-c-*.rpm

You should see something like this:

  xmlrpc-c-0.9.9-1.i386.rpm: md5 gpg OK
  xmlrpc-c-0.9.9-1.src.rpm: md5 gpg OK
  xmlrpc-c-apps-0.9.9-1.i386.rpm: md5 gpg OK
  xmlrpc-c-devel-0.9.9-1.i386.rpm: md5 gpg OK

Look for 'gpg' and 'OK' on each line.

Distributions of xmlrpc-c for other platforms may be signed by somebody
else.  If so, verify their keys and signatures in the usual fashion.


Reporting Bugs Securely
-----------------------

If you've found a serious security problem in xmlrpc-c, you can use Eric
Kidd's personal key to contact him directly.


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDrIs68RBADGEfuCw4kD3XQLwsJLHmLYiRtTO+B0/XTHnzTcfSSwXxMn+H3Y
kN3yBV41037Cf+Q3vYdCTYkVxNOKZt0erqIgsfRrEtQtQMPd06Dc3CWm0pqFYlmY
HjIXk5kFJCHVvA4AuxApVf5u13oLPRVA9bgJ7Kw33HBzTcPSRQh1ymm6kwCg/3zU
g+H3Lb6a0ad2yPdPEJxwwbED/2dGr65hwkA83j2ebRR5dKaoANiwIwL6LTLinU9P
DHbJuTxqu5BIxnkMTZczG06HAWra0XE8Gyb5sgGTPWgmXRrshcWoQjHFw4/Zbo/z
UTntZ9iZ6Rt8zdaskWPityrc8WZu+u/DumhgL4FYf1VUV6mLml+AExCAV8zcMpWK
AKfcBACtfD9czeMCMOfSMOiWXt8gJNo/o8Yaohh7ke3GA8gaYH0VuN+syP3H3LCO
O+LgLQgZl3D5oKvPZPL6h219ezWQ1p00j5plP3Q5L1Cxd8cboWpocu5kHXUWhlPV
hPZqz5q6wTuAIrMqJ+Z4RG8qOVA+PU2fTD4E9ujtGPQWBt9lB7QuRXJpYyBLaWRk
IChwZXJzb25hbCBrZXkpIDxlcmljLmtpZGRAcG9ib3guY29tPohXBBMRAgAXBQI6
yLOvBQsHCgMEAxUDAgMWAgECF4AACgkQ9AKT3Yx1d2PaBgCfcLBjAn18jqbIa+Q2
alfRyhrpWJsAoPRVL54NSKY/FcmzBlcmpVzYXrW2uQINBDrItB8QCACWf7VGxccR
CS8waeY1EHwjOY4/aTI2jyOJkNMb4Wjj9bmJcEMd80MUEeokMmmwwQDX0dCXdUON
bW5jX75AV3j+qOrZAgRb8OaXjctjpvsGlTQm7N6sxNpOd8vKbQP3y/UR7j9Vri3a
Bh9qk006rmBUcYX2TxY9sDe11VhgrtzbhiwB94XnSkGxeDVPavkOcW5FOUcIkOBo
sgd6jgHq5mgzLFQmcMixSNrnMYFyi9Czr6GeUdqoVhnvgZgr2rOfOLlh3cty5GaM
AH3yJNjRpcoFFh9JMObAYSNKjqd3xJm3slPYVxWg1YXsEW08w5K/25kQsn881aUu
Mdb1KV8HKUfrAAMFB/9zWjkHkq8LnOPZPQ2orEt6/GSHrXApaXN3uRZhK94jdDk0
AVxT2uQ30UT+pZFHH3nhTATULeSGj8/AJLzapskhwByJc47HV6Q5tp7+kIO9Nz6c
1Hh6kT7+Hkc3MRqte58fg77RCKzm5PNdLsCZ4NVFcn7uzlDbeAliUnz9SXTZzapU
2Z6SteNb2EO7CcbJFxqqm2XQYnSEn1hU7ObYr6vuWycCCRfyAv2nhESRTr8fiCy3
VFP9gFF6SxAfqIA/Ff89IEvT2VJv9k/1X/jjKZiOFl6imkrJ4IHnwxdrzgGPkAPJ
2GV2Xg/XLzbf0KilgQtxgZppwXh751j/U5O8N6HAiEYEGBECAAYFAjrItB8ACgkQ
9AKT3Yx1d2Mq5ACgxRqxE8G66WYpWMZVPzkIbZlUvzAAn3WbBorp7C2P9a8mXqbz
uJOfH0Wk
=tfY7
-----END PGP PUBLIC KEY BLOCK-----
