Folks, you may have noticed the releases.openstack.org now shows the PGP signatures of all release artifacts, example: https://releases.openstack.org/ocata/index.html#ocata-nova Many thanks to the Infra team to making this happen, details are here: https://releases.openstack.org/#cryptographic-signatures https://specs.openstack.org/openstack-infra/infra-specs/specs/artifact-signing.html http://docs.openstack.org/infra/system-config/signing.html Please see the key below for Ocata named "OpenStack Infra (Ocata Cycle)", this key will be used for all artifacts and git tags as well: https://sks-keyservers.net/pks/lookup?op=vindex&search=0xd47bab1b7dc2e262a4f6171e8b1b03fd54e2ac07&fingerprint=on The Infra Root admins have already signed the key (they are the only ones with direct access to the private key to attest). Hoping to see some of the PTL(s) and Release Liaison(s) sign this key as well if they trust the Infra Root admins :) Of course anyone in the OpenStack eco system is welcome to sign the key as well. If you run into trouble, please ping us on the release or the infra channels. Thanks, Dims and Jeremy (On behalf of Infra and Release teams) -- Davanum Srinivas :: https://twitter.com/dims