NetBSD-Bugs archive
misc/57939: not obvious enough where public verification key for distribution hashes lives
>Number: 57939
>Category: misc
>Synopsis: not obvious enough where public verification key for distribution hashes lives
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: misc-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Feb 16 14:40:00 +0000 2024
>Originator: Taylor R Campbell
>Release:
>Organization:
The NetBSD Security Team
>Environment:
>Description:
<https://www.NetBSD.org> has a link to `A list of signed hashes for the NetBSD 9.3 distribution' going to <https://cdn.NetBSD.org/pub/NetBSD/security/hashes/NetBSD-9.3_hashes.asc>, but it doesn't say where the public verification key is. (Also technically it is a signed list of hashes, not a list of signed hashes.)
<https://www.NetBSD.org/releases/formal-10/NetBSD-10.0.html> has a link to 10.0 hashes and says `signed by the NetBSD Security Officer's PGP key' but doesn't say where to find that key.
Of course a fraudulent site could post a similar link to a fraudulent signed list of hashes and say where to find the fraudulent public verification key -- but that's not a reason to obscure the security-officer's public key for TOFU purposes.
(Also there's maybe a bit much verbiage at <https://www.NetBSD.org/support/security/>.)
>How-To-Repeat:
browse the NetBSD.org front page web site
>Fix:
Yes, please!
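The procedure the PR wants the web site to document, as an added example (not part of PR 57939 and not NetBSD project code): verify the PGP signature over the hash list, insist that the signing key is the one whose fingerprint you pinned out of band, then compare a downloaded file's SHA-512 against the list. It assumes the list is a PGP cleartext-signed file whose body carries cksum(1)-style lines of the form `SHA512 (path) = digest`; `SECURITY_OFFICER_FPR` is a placeholder, not the real Security Officer fingerprint, and the demo data at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from PR 57939 or from NetBSD itself: verify a signed
# hash list against a pinned Security Officer key, then check a download.
# Assumptions: the list is a PGP cleartext-signed file whose body holds
# cksum(1)-style lines "SHA512 (path) = digest"; SECURITY_OFFICER_FPR is a
# PLACEHOLDER to replace with the fingerprint you verified out of band.
set -u

SECURITY_OFFICER_FPR="${SECURITY_OFFICER_FPR:-0000000000000000000000000000000000000000}"

# Step 1: check the signature AND who made it. A bare `gpg --verify` exits 0
# for any key in your keyring, so read gpg's machine-readable status lines
# and require a VALIDSIG line that names the pinned fingerprint (the signing
# subkey and the primary key fingerprint both appear on that line).
verify_hashes_sig() {   # $1 = hash list (.asc)
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG .*$SECURITY_OFFICER_FPR"
}

# Step 2: pull the expected SHA512 for one distribution file out of the body.
# Only meaningful once Step 1 has succeeded on the same file. Paths in the
# list contain no spaces, so whitespace-split fields are enough.
expected_sha512() {   # $1 = hash list, $2 = path as written in the list
    awk -v want="($2)" '$1 == "SHA512" && $2 == want && $3 == "=" { print $4; exit }' "$1"
}

# Step 3: SHA512 of a local file, tolerating the GNU, macOS and BSD tools.
local_sha512() {   # $1 = local file
    if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then shasum -a 512 "$1" | awk '{ print $1 }'
    else sha512 -q "$1"
    fi
}

# Step 4: compare. Exit 0 on match, 1 on mismatch, 2 if the list has no entry.
check_file() {   # $1 = hash list, $2 = path in list, $3 = local file
    expected=$(expected_sha512 "$1" "$2")
    if [ -z "$expected" ]; then
        echo "no SHA512 entry for $2 in $1" >&2
        return 2
    fi
    [ "$(local_sha512 "$3")" = "$expected" ]
}

# Full procedure for a real download: signature first, digest second.
verify_download() {   # $1 = hash list, $2 = path in list, $3 = local file
    verify_hashes_sig "$1" && check_file "$1" "$2" "$3"
}

# Offline demo with CONSTRUCTED data. The digest is SHA-512("abc"), a FIPS
# 180 test vector, not the digest of any real NetBSD image; the signature
# block is a placeholder, so the demo exercises Steps 2-4 only.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/hashes.asc" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

SHA512 (NetBSD-9.3/images/sample.iso) = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
EOF
printf 'abc' > "$DEMO_DIR/good.iso"
printf 'abd' > "$DEMO_DIR/tampered.iso"

if check_file "$DEMO_DIR/hashes.asc" NetBSD-9.3/images/sample.iso "$DEMO_DIR/good.iso"; then
    echo "good.iso: digest matches the signed list"
fi
if ! check_file "$DEMO_DIR/hashes.asc" NetBSD-9.3/images/sample.iso "$DEMO_DIR/tampered.iso"; then
    echo "tampered.iso: digest does not match (as expected)"
fi
```

The point of `verify_hashes_sig` is the fingerprint pin: `gpg --verify` succeeding only tells you the list was signed by some key you have imported, which is exactly the TOFU trap the PR alludes to, so the script refuses any signer other than the pinned one. For a real image, call `verify_download hashes.asc NetBSD-9.3/images/NetBSD-9.3-amd64.iso ./NetBSD-9.3-amd64.iso` after importing the Security Officer key and checking its fingerprint against a source you trust independently of the download site.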