
security.md

Security

Please report potential security issues with the Fennel compiler or web site to [email protected] and [email protected].

Sensitive reports may be encrypted with the PGP key listed below.

From version 0.10.0 onward, Fennel releases and tags have been signed with the PGP key 8F2C85FFC1EBC016A3B683DE8BD38C28CCFD2DA6. Before that the key 20242BACBBE95ADA22D0AFD7808A33D379C806C3 was used.

To verify:

$ curl https://technomancy.us/8F2C85FFC1EBC016A3B683DE8BD38C28CCFD2DA6.txt | gpg --import -
$ gpg --verify fennel-1.2.0.asc
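
`gpg --verify` reports success for a good signature made by any key in the keyring, so a script should also check that the signature comes from the fingerprint given above. The following is an added example, not part of the Fennel project's documentation; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the release key fingerprint when verifying in a script.
FENNEL_FPR=8F2C85FFC1EBC016A3B683DE8BD38C28CCFD2DA6  # fingerprint from this page

# Constructed sample of `gpg --status-fd 1 --verify` output (not real output).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8BD38C28CCFD2DA6 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 8F2C85FFC1EBC016A3B683DE8BD38C28CCFD2DA6 2024-01-01 1704067200 0 4 0 1 10 00 8F2C85FFC1EBC016A3B683DE8BD38C28CCFD2DA6'

# check_status PINNED_FPR
# Reads gpg status lines on stdin. Succeeds only if there is a GOODSIG line
# and a VALIDSIG line naming PINNED_FPR as the signing key or its primary key.
check_status() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        # Expired or revoked keys are reported as EXPKEYSIG or REVKEYSIG
        # instead of GOODSIG, so requiring GOODSIG rejects them.
        $2 == "GOODSIG" { good = 1 }
        # Field 3 is the fingerprint of the key that signed; the last field
        # is the primary key fingerprint (differs when a subkey signed).
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) {
            pinned = 1
        }
        END { exit !(good && pinned) }
    '
}

# verify_release SIGFILE
# Hypothetical wrapper: runs gpg on a detached signature such as
# fennel-1.2.0.asc and applies the pinned-fingerprint check to its status.
verify_release() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | check_status "$FENNEL_FPR"
}
```

The check assumes one signature per file; with several signatures, the GOODSIG and VALIDSIG lines would need to be matched per signature.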

From 1.0 onwards, releases are also signed with .sig files using SSH keys:

$ curl -o allowed https://fennel-lang.org/downloads/allowed_signers
$ ssh-keygen -Y verify -f allowed -I [email protected] -n file -s fennel-1.2.0.sig < fennel-1.2.0

You can compare the key in the allowed file with the keys published at technomancy.us, SourceHut, or GitHub.