Hi,
I always like to be able to download the pubkeys and signatures so I can verify the downloads before doing the installation.
gpg2 gives me these diagnostics:
geany-2.0.tar.bz2.sig Good signature from "Colomban Wendling <ban@ban.netlib.re>" [expired]
geany-2.0.tar.gz.sig Good signature from "Colomban Wendling <ban@ban.netlib.re>" [expired]
geany-2.0_setup.exe.sig Good signature from "Enrico Tröger <enrico.troeger@uvena.de>" [unknown]
and for geany-plugins-2.0.*.sig
gpg: Signature made Oct 19, 2023 xx:xx:xx MDT
gpg:                using EDDSA key 23C0ACC6C2A22D6EB8A98563EC3A8C6CF6546888
gpg: requesting key EC3A8C6CF6546888 from hkp://pgp.surf.nl
gpg: Can't check signature: No public key
In summary, two expired keys were used to sign the geany 2.0 assets, and the public key required to verify the geany-plugins 2.0 assets does not seem to be available on the geany.org site.
There are also no signatures for the .zip and .tar.gz files containing the source code for both geany and geany-plugins.
With previous releases, I have also used the MD5SUM, and SHA*SUM files for additional verification.
TIA
Doug
Hi,
> geany-2.0.tar.bz2.sig Good signature from "Colomban Wendling <ban@ban.netlib.re>" [expired]
> geany-2.0.tar.gz.sig Good signature from "Colomban Wendling <ban@ban.netlib.re>" [expired]
The key itself is *not* expired, only the export available on the website. It was just updated and should now also work with the exported key available from the website. Alternatively, you could use gpg --recv-keys ACA0246889FB96B63382111724CCD8550E5D1CAE to update the key from the keyserver.
> geany-2.0_setup.exe.sig Good signature from "Enrico Tröger <enrico.troeger@uvena.de>" [unknown]
The key used to create the signature is 51A0918FEF3439066BEB87F4579347E6C71A77FA and it is available at https://download.geany.org/eht16-pubkey.txt.
> and for geany-plugins-2.0.*.sig
> gpg: Signature made Oct 19, 2023 xx:xx:xx MDT
> gpg:                using EDDSA key 23C0ACC6C2A22D6EB8A98563EC3A8C6CF6546888
> gpg: requesting key EC3A8C6CF6546888 from hkp://pgp.surf.nl
> gpg: Can't check signature: No public key
Will be fixed tomorrow. The key used can be imported from the keyserver using: gpg --recv-keys 23C0ACC6C2A22D6EB8A98563EC3A8C6CF6546888
> There are also no signatures for the .zip and .tar.gz files containing the source code for both geany and geany-plugins.
Those files are auto-generated by GitHub; there is no point in signing them, except if GitHub would do it.
> With previous releases, I have also used the MD5SUM, and SHA*SUM files for additional verification.
The hashes have been added in the meantime.
Regards, Enrico
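One way to use the MD5SUM/SHA*SUM files discussed above, as an added example (not part of the thread and not Geany's own tooling): a checker for the coreutils `sha256sum` line format that reports each listed file as OK, MISMATCH or MISSING. The release files and the checksum list are constructed in a temporary directory so it runs offline; the file names are illustrative only. The caveat a practitioner should keep in mind: a checksum file fetched from the same site as the tarball only catches transfer corruption, and MD5 or SHA-1 lists catch no more than that, so authenticity still has to come from a signature (over the tarball or over the checksum file) by a key obtained through a trusted path.

```python
"""Check release files against a coreutils-style checksum list (MD5SUM, SHA256SUMS, ...).

Added example, not Geany's own tooling. The files and the checksum list are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import hmac
import os
import re
import tempfile


def algorithm_for(sum_path: str) -> str:
    """Infer the hash from the list's file name (MD5SUM, SHA1SUM, SHA256SUMS, sha512sum.txt).

    MD5 and SHA-1 are not collision-resistant; a list using them only catches
    transfer corruption, never a deliberately substituted file.
    """
    m = re.search(r"(md5|sha1|sha256|sha512)", os.path.basename(sum_path), re.IGNORECASE)
    if not m:
        raise ValueError(f"cannot infer hash algorithm from {sum_path!r}")
    return m.group(1).lower()


def parse_sums(text: str) -> dict:
    """Parse 'HEXDIGEST  name' (text mode) / 'HEXDIGEST *name' (binary mode) into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        # The byte after the separating space is the mode flag: ' ' or '*'.
        if not re.fullmatch(r"[0-9a-fA-F]+", digest) or len(rest) < 2 or rest[0] not in " *":
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[rest[1:]] = digest.lower()
    return entries


def file_digest(path: str, algo: str) -> str:
    """Hash a file in chunks so large tarballs are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sums(sum_path: str) -> dict:
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every entry in sum_path.

    Files are resolved relative to the checksum file's directory, as `sha256sum -c` does.
    """
    algo = algorithm_for(sum_path)
    base = os.path.dirname(os.path.abspath(sum_path))
    with open(sum_path, encoding="utf-8") as f:
        expected = parse_sums(f.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(base, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(file_digest(path, algo), digest):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> dict:
    """Constructed scenario: one intact file, one tampered file, one never downloaded."""
    tampered_original = hashlib.sha256(b"original contents before tampering\n").hexdigest()
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "geany-2.0.tar.gz")
        bad = os.path.join(d, "geany-2.0.tar.bz2")
        with open(good, "wb") as f:
            f.write(b"constructed tarball contents\n")
        with open(bad, "wb") as f:
            f.write(b"constructed tarball contents, modified after the list was made\n")
        lines = [
            f"{file_digest(good, 'sha256')}  geany-2.0.tar.gz",   # text-mode entry, intact
            f"{tampered_original} *geany-2.0.tar.bz2",            # binary-mode entry, file changed
            f"{'0' * 64}  geany-2.0_setup.exe",                   # listed but not present locally
        ]
        sum_path = os.path.join(d, "SHA256SUMS")
        with open(sum_path, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
        return check_sums(sum_path)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

`check_sums` is deliberately strict about the line format: a malformed list is rejected rather than silently skipped, since an attacker who can tamper with the tarball can usually tamper with the list as well, and a parser that quietly drops lines would mask that.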
Hello,
On 19/10/2023 at 21:52, Doug Henderson via Devel wrote:
> Hi,
> I always like to be able to download the pubkeys and signatures so I can verify the downloads before doing the installation.
That's good! Although for actual security you should have a trusted path to the PGP key; just downloading everything from the same website is only going to help verify corruption during the transfer :)
> gpg2 gives me these diagnostics:
> geany-2.0.tar.bz2.sig Good signature from "Colomban Wendling <ban@ban.netlib.re>" [expired]
> geany-2.0.tar.gz.sig Good signature from "Colomban Wendling <ban@ban.netlib.re>" [expired]
> […]
> In summary, two expired keys were used to sign the geany 2.0 assets,
Sorry, the key expiry was updated on keyservers, but not on geany.org. This should now be fixed.
> There are also no signatures for the .zip and .tar.gz files containing the source code for both geany and geany-plugins.
You mean the ones labelled "source code" from GitHub Release page [1]? Those are automatically generated by GitHub and contain the Git state, I don't think we can sign that. However, they are generated from the Git tag, which is signed with the same key as the one that signed the release tarballs.
[1] https://github.com/geany/geany/releases/tag/2.0.0
> With previous releases, I have also used the MD5SUM, and SHA*SUM files for additional verification.
This should also be available already, shouldn't it?
Regards, Colomban
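To act on the three outcomes reported in this thread ([expired], [unknown], and "No public key") without reading gpg's prose, here is an added example (not from the thread and not from the Geany project) that parses the machine-readable `[GNUPG:]` status lines from `gpg --status-fd 1 --verify` and pins each artifact to the primary-key fingerprint given in Enrico's reply. The fingerprints and artifact names are those stated in the thread; which file is pinned to which key is an assumption drawn from the thread, not project policy, and the status streams are constructed to mirror the three cases rather than captured from a real run. Pinning the fingerprint is what makes Colomban's "trusted path" remark concrete: once the expected fingerprint is obtained independently of the download site, gpg's [unknown] trust label no longer matters, and an [expired] local copy becomes a prompt to refresh the key rather than a pass.

```python
"""Machine-check a gpg signature and pin the signing key per release artifact.

Added example, not Geany's own tooling. It interprets the `[GNUPG:]` status
lines gpg emits with `--status-fd 1`, so the verdict rests on the primary key
fingerprint rather than on the bracketed trust label ([unknown], [expired])
in gpg's human-readable output. The status streams below are constructed to
mirror the three outcomes reported in the thread; real ones come from
`gpg --status-fd 1 --verify <file>.sig <file>`.
"""
from dataclasses import dataclass
from typing import Optional

# Primary-key fingerprints named in the thread, keyed by artifact (the
# file-to-key mapping is an assumption for this example). Obtain the
# fingerprints over a path you trust before pinning them.
PINNED_KEYS = {
    "geany-2.0.tar.gz":          "ACA0246889FB96B63382111724CCD8550E5D1CAE",
    "geany-2.0.tar.bz2":         "ACA0246889FB96B63382111724CCD8550E5D1CAE",
    "geany-2.0_setup.exe":       "51A0918FEF3439066BEB87F4579347E6C71A77FA",
    "geany-plugins-2.0.tar.bz2": "23C0ACC6C2A22D6EB8A98563EC3A8C6CF6546888",
}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None  # primary fingerprint of the signing key, if gpg knew it


def status_lines(text: str):
    """Yield (keyword, args) for each '[GNUPG:]' line; skip human-readable noise."""
    for line in text.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            yield fields[1], fields[2:]


def verify_status(status_text: str, expected_fpr: str) -> Verdict:
    """Accept only a GOODSIG whose VALIDSIG primary fingerprint equals expected_fpr."""
    state = None        # which *SIG / NO_PUBKEY keyword gpg reported
    keyid = None        # long key ID from that keyword (all gpg gives when the key is absent)
    primary_fpr = None  # last VALIDSIG field: the primary key, even when a subkey signed
    for kw, args in status_lines(status_text):
        if kw in ("GOODSIG", "EXPKEYSIG", "EXPSIG", "REVKEYSIG", "BADSIG", "ERRSIG", "NO_PUBKEY"):
            state, keyid = kw, args[0].upper()
        elif kw == "VALIDSIG":
            primary_fpr = args[-1].upper()

    if state is None:
        return Verdict(False, "gpg reported no signature status")
    if state == "BADSIG":
        return Verdict(False, "signature does not match the file")
    if state in ("ERRSIG", "NO_PUBKEY"):
        return Verdict(False, f"public key {keyid} not in keyring; import it over a trusted path and retry")
    if primary_fpr != expected_fpr.upper():
        return Verdict(False, f"signed by unexpected key {primary_fpr or keyid}", primary_fpr)
    if state == "EXPKEYSIG":
        return Verdict(False, "pinned key matches but the local copy has expired; refresh it "
                              f"(gpg --recv-keys {expected_fpr}) and re-verify", primary_fpr)
    if state == "REVKEYSIG":
        return Verdict(False, "pinned key matches but is revoked", primary_fpr)
    if state == "EXPSIG":
        return Verdict(False, "signature itself has expired", primary_fpr)
    return Verdict(True, "good signature from the pinned key", primary_fpr)


# Constructed status streams mirroring the three outcomes in the thread.
STATUS_TARBALL = """\
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 24CCD8550E5D1CAE Colomban Wendling <ban@ban.netlib.re>
[GNUPG:] VALIDSIG ACA0246889FB96B63382111724CCD8550E5D1CAE 2023-10-19 1697745000 0 4 0 1 10 00 ACA0246889FB96B63382111724CCD8550E5D1CAE
[GNUPG:] KEYEXPIRED 1697000000
"""
STATUS_SETUP_EXE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 579347E6C71A77FA Enrico Tröger <enrico.troeger@uvena.de>
[GNUPG:] VALIDSIG 51A0918FEF3439066BEB87F4579347E6C71A77FA 2023-10-19 1697745000 0 4 0 1 8 00 51A0918FEF3439066BEB87F4579347E6C71A77FA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_PLUGINS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG EC3A8C6CF6546888 22 8 00 1697745000 9 23C0ACC6C2A22D6EB8A98563EC3A8C6CF6546888
[GNUPG:] NO_PUBKEY EC3A8C6CF6546888
"""


def verify_all(status_by_artifact: dict) -> dict:
    """Run every artifact's status stream against its pinned fingerprint."""
    return {name: verify_status(text, PINNED_KEYS[name]) for name, text in status_by_artifact.items()}


if __name__ == "__main__":
    for name, v in verify_all({
        "geany-2.0.tar.gz": STATUS_TARBALL,
        "geany-2.0_setup.exe": STATUS_SETUP_EXE,
        "geany-plugins-2.0.tar.bz2": STATUS_PLUGINS,
    }).items():
        print(f"{name}: {'OK' if v.ok else 'FAIL'} ({v.reason})")
```

Two points of the design are worth noting. The fingerprint is taken from the last VALIDSIG field, which is the primary key even when a signing subkey made the signature, so a pin survives subkey rotation. And the installer's [unknown] case passes while the tarball's [expired] case fails: with a pinned fingerprint, the web-of-trust label carries no information, whereas an expired local copy means the verifier is working from a stale export, which is exactly the situation described in the thread and is resolved by refreshing the key.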