As of today I’m signing the source code archives for MKVToolNix with my GPG key (to be more precise: with sub-key ID 0x74AF00AD F2E32C85, fingerprint 3301 A29D 88D0 1A0C F999 954F 74AF 00AD F2E3 2C85, of key ID 0x0F92290A 445B9007, fingerprint D919 9745 B054 5F2E 8197 062B 0F92 290A 445B 9007). The signature’s file name is the tarball’s file name with .sig appended (e.g. mkvtoolnix-8.9.0.tar.xz.sig for the archive mkvtoolnix-8.9.0.tar.xz). They’re stored in the same directory.
I’ve also signed all existing releases of MKVToolNix.
In order to avoid confusion: I’m using two different GPG keys. The first one (sub-keys of key ID 0x0F92290A 445B9007) is used for email, Debian/Ubuntu APT repository signing and now source code signing; the other one (key ID 0x16D2F5DC 10C052A6, fingerprint EB24 BCA1 4BA6 A24F 1427 6FEE 16D2 F5DC 10C0 52A6) is used for signing the RPMs I provide. The reason is that RPM itself doesn’t support using a sub-key for signing RPMs; it can only use normal keys, unfortunately.
Additionally, I use an X.509 certificate by StartSSL (SHA1 fingerprint: 48:13:1B:5D:41:63:12:07:D2:86:20:6C:28:F3:78:C8:06:6F:34:AA) for signing the Windows binaries I provide (both the installers and the executables that make up MKVToolNix). Note that I’ve only started signing Windows binaries with release 8.9.0. Therefore, older binaries aren’t signed.
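One way to check a downloaded source tarball against its .sig file and pin the signer to the sub-key and primary-key fingerprints given in this post. This is an added example, not the author's own script; it assumes gpg is installed and the public key has already been imported, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: fingerprints are the ones stated in the post, spaces removed.
SIGNING_SUBKEY_FPR="3301A29D88D01A0CF999954F74AF00ADF2E32C85"
PRIMARY_KEY_FPR="D9199745B0545F2E8197062B0F92290A445B9007"

# check_validsig (hypothetical helper): reads `gpg --status-fd` output on stdin.
# Succeeds only if GOODSIG is present and a VALIDSIG line names the expected
# signing sub-key (3rd field) and primary key (last field). Requiring GOODSIG
# rejects EXPSIG/EXPKEYSIG/REVKEYSIG results, where gpg may still emit VALIDSIG.
check_validsig() {
    awk -v sub_fpr="$SIGNING_SUBKEY_FPR" -v pri_fpr="$PRIMARY_KEY_FPR" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == sub_fpr && toupper($NF) == pri_fpr) pinned = 1
        }
        END { if (good && pinned) exit 0; exit 1 }
    '
}

# verify_release (hypothetical helper): verifies tarball $1 against "$1.sig",
# the naming scheme described in the post (same directory, ".sig" appended).
verify_release() {
    tarball=$1
    sig="$tarball.sig"
    [ -f "$tarball" ] && [ -f "$sig" ] || {
        echo "missing $tarball or $sig" >&2
        return 2
    }
    # gpg exits non-zero on a bad signature; the status lines say who signed.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) \
        || return 1
    printf '%s\n' "$status" | check_validsig
}

# Usage: ./verify.sh mkvtoolnix-8.9.0.tar.xz
if [ "$#" -gt 0 ]; then
    verify_release "$1" && echo "OK: signed by the expected sub-key"
fi
```

A signature that is cryptographically valid but made by any other key fails the fingerprint check, which a bare `gpg --verify` exit code would not catch.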