Following instructions here: https://plugins.geany.org/downloads.html
Adding the key: ``` $ gpg --recv-keys 01380DF54FD09D02 gpg: key 01380DF54FD09D02: new key but contains no user ID - skipped gpg: Total number processed: 1 gpg: w/o user IDs: 1 ```
Verifying the key: ``` $ gpg --verify geany-plugins-2.0.tar.gz.sig geany-plugins-2.0.tar.gz gpg: Signature made Fri 20 Oct 2023 03:18:41 AM ADT gpg: using EDDSA key 986FA7E80256D3D16F30FB7A01380DF54FD09D02 gpg: Can't check signature: No public key ```
This looks lilke it didn't work. What am I doing wrong?
My OS: Ubuntu 22.04.5 LTS
``` $ uname -srvmpio Linux 6.8.0-49-generic #49~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 6 17:42:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux ```
``` $ gpg --version gpg (GnuPG) 2.2.27 libgcrypt 1.9.4 Copyright (C) 2021 Free Software Foundation, Inc. License GNU GPL-3.0-or-later https://gnu.org/licenses/gpl.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
Home: /home/allanmacdonald/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 ```
Previous version:
``` $ gpg --recv-keys B7A4039D0630EA07 gpg: key B7A4039D0630EA07: public key "Frank Lanitz frank.lanitz@seznam.cz" imported gpg: Total number processed: 1 gpg: imported: 1 $ gpg --verify geany-plugins-1.38.tar.gz.sig geany-plugins-1.38.tar.gz gpg: Signature made Sat 09 Oct 2021 10:53:55 AM ADT gpg: using EDDSA key 986FA7E80256D3D16F30FB7A01380DF54FD09D02 gpg: Can't check signature: No public key ```
However, this way seems to work: ``` $ wget https://download.geany.org/frlan-pubkey.txt $ gpg --import < frlan-pubkey.txt $ gpg --verify geany-plugins-2.0.tar.gz.sig geany-plugins-2.0.tar.gz gpg: Signature made Fri 20 Oct 2023 03:18:41 AM ADT gpg: using EDDSA key 986FA7E80256D3D16F30FB7A01380DF54FD09D02 gpg: Good signature from "Frank Lanitz frank@lanitz.info" [expired] gpg: aka "Frank Lanitz frlan@fsfe.org" [expired] gpg: aka "Frank Lanitz frank.lanitz@seznam.cz" [expired] gpg: aka "Frank Lanitz frank@frank.uvena.de" [expired] gpg: aka "Frank Lanitz frank@mxsrv.org" [expired] gpg: aka "Frank Lanitz frank@geany.org" [expired] gpg: Note: This key has expired! Primary key fingerprint: 986F A7E8 0256 D3D1 6F30 FB7A 0138 0DF5 4FD0 9D02 ```
@allanwmacdonald so the signature verification worked, I guess. The expired key is nothing bad, important is that it was valid when the signature was created.
I'm just wondering about the first output of retrieving the key: ``` $ gpg --recv-keys 01380DF54FD09D02 gpg: key 01380DF54FD09D02: new key but contains no user ID - skipped gpg: Total number processed: 1 gpg: w/o user IDs: 1 ```
@frlan was the key not uploaded?
Maybe we should update the instructions to import the key from the file on geany.org?
GnuPG with all the changes done on thunderbird, the interesting CLI and the broken signature (trust) system is kind of broken. It's doing its job, but the tooling is just getting worse every year (imho). I'd suggest to stop using it here. My signature is not more useful as the SSL certificate of the page.
@frlan Then we should remove it altogether?
@eht16 I'd vote for it.
If we would remove it, it would be good to have some good explanation why "it is broken". It would at least seem as removing a layer of security from the release downloads. Also Debian and maybe other distributions as well, use GPG for verifying download integrity.
@frlan could you provide some references and some more detailed reasoning?
github-comments@lists.geany.org