On the example page for verifying signatures on signed Geany downloads
https://www.geany.org/Support/VerifyGPGSignature, it says:
> First, you need to import the public GPG key used to sign the
> packages. You can download the used public key from:
> http://download.geany.org/colombanw-pubkey.txt
>
> To import the key use:
>
> gpg --import < colombanw-pubkey.txt
>
I'm not highly skilled in using PGP keys, so I'm asking. Though the
use examples on Geany.org are great!

Shouldn't users be importing the signer's public key from a different
site / server than where the signed Geany files are?
Like from various key servers, using either the Geany signer's *email
address* or the *8 char. ID* for the key?
Colomban Wendling ban(a)herbesfolles.org. Colomban didn't list the 8 /
16 char. key ID (that I saw) - or the email used when the keys were
uploaded to key servers.

Should the key ID & email of the key owner be listed in the public key
or near it? I don't know if there's a standard protocol for how PGP key
IDs or emails should be posted.

I assume instructions saying to get a signer's public key from *other*
sites (& verify it against more than one key server or by other means) are to
minimize the risk that hackers could compromise both the signed software and
the key, if both are on the same server?
Some devs seem to put the key ID / fingerprint, email address in
the key file itself - like Mozilla. Key IDs are the last 8 char. in a
key's fingerprint. They can be used to search key servers to import
key(s) (from a different source) to your key ring.
This is from inside a Mozilla public key on
https://ftp.mozilla.org/pub/mozilla.org/firefox/:

pub   rsa4096 2015-07-17 [SC]
      14F26682D0916CDD81E37B6D61B7B526D98F0353
uid           [ full ] Mozilla Software Releases <release(a)mozilla.com>
sub   rsa4096 2015-07-17 [S] [expires: 2017-07-16]
sub   rsa4096 2017-06-22 [S] [expires: 2019-06-22]

Note: Mozilla says to verify the public key data elsewhere, because the
ones on their site could be compromised (maybe call Mozilla devs on the
bat phone).
Thanks.
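The message above asks where the key ID and email live and how the 8-char ID relates to the fingerprint. Both are derivable from the key file itself: the fingerprint is a SHA-1 over the public-key packet (RFC 4880 section 12.2), the long and short key IDs are its last 16 and 8 hex digits, and the email is the user-ID packet. The following Python script is an added example, not code from the original message, from Geany or from Mozilla. It builds a tiny binary OpenPGP public key in memory (a stand-in odd integer as the "modulus", a made-up user ID; nobody's real key) and then parses it back the way gpg would, so it runs offline; all function and variable names are this example's own.

```python
"""Inspect an OpenPGP (RFC 4880) public key block: derive the v4 fingerprint,
the long (16 hex) and short (8 hex) key IDs, and read the user ID packet.

Added example, not code from the original message, Geany or Mozilla.
The key material below is constructed for the demo and is not a real key.
"""
import hashlib
import struct

# Constructed sample values (hypothetical; not anyone's real key).
SAMPLE_CREATED = 1437091200                                # 2015-07-17 00:00:00 UTC
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | int("C0FFEE" * 40, 16) | 1        # odd 2048-bit stand-in for an RSA modulus
SAMPLE_UID = "Example Signer <signer@example.org>"
ALGO_NAMES = {1: "rsa", 17: "dsa", 19: "ecdsa", 22: "eddsa"}


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA public-key packet (tag 6): version, creation time, algo id, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a 2-byte length (length type 1) in front of body."""
    assert len(body) < 0x10000
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def build_sample_key() -> bytes:
    """Binary public key block: public-key packet followed by a user-ID packet (tag 13)."""
    return packet(6, public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)) + packet(13, SAMPLE_UID.encode())


def iter_packets(data: bytes):
    """Yield (tag, body) for old-format packets with 1-, 2- or 4-byte lengths."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:
            raise ValueError("new-format packet headers are not handled by this demo")
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 0:
            length, pos = data[pos + 1], pos + 2
        elif ltype == 1:
            length, pos = struct.unpack(">H", data[pos + 1:pos + 3])[0], pos + 3
        elif ltype == 2:
            length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
        else:
            raise ValueError("indeterminate-length packet not supported")
        yield tag, data[pos:pos + length]
        pos += length


def fingerprint_v4(pk_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, and the public-key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pk_body)) + pk_body).hexdigest().upper()


def inspect_key(data: bytes) -> dict:
    """Return fingerprint, long/short key IDs, algorithm, creation time and user IDs."""
    info = {"uids": []}
    for tag, body in iter_packets(data):
        if tag == 6 and "fingerprint" not in info:      # primary public key
            if body[0] != 4:
                raise ValueError("only v4 keys are handled")
            fpr = fingerprint_v4(body)
            info.update(
                fingerprint=fpr,
                long_id=fpr[-16:],    # the 16-hex ID gpg prints by default
                short_id=fpr[-8:],    # the 8-hex ID the message refers to
                created=struct.unpack(">I", body[1:5])[0],
                algo=ALGO_NAMES.get(body[5], str(body[5])),
            )
        elif tag == 13:                                   # user ID: "Name <email>"
            info["uids"].append(body.decode("utf-8", "replace"))
    if "fingerprint" not in info:
        raise ValueError("no public-key packet found")
    return info


def matches_expected(data: bytes, expected_fingerprint: str) -> bool:
    """The check that matters: compare the full fingerprint with one obtained out of band."""
    want = expected_fingerprint.replace(" ", "").upper()
    return inspect_key(data)["fingerprint"] == want


if __name__ == "__main__":
    key = build_sample_key()
    for name, value in inspect_key(key).items():
        print(f"{name:12} {value}")
```

For a real key file, `gpg --show-keys colombanw-pubkey.txt` (gpg 2.2 and later) prints the same fingerprint, key ID and uid lines without importing anything, which is what the Mozilla listing quoted above shows. Two practitioner caveats: the 8-character short ID is the last 32 bits of a SHA-1 hash, and keys with a chosen short ID can be generated cheaply, so fetch and compare by the full 40-hex fingerprint (`gpg --recv-keys <fingerprint>`), never by the short ID; and `gpg --verify` only proves the file was signed by whatever key you imported, so the fingerprint itself has to be confirmed through a channel independent of the download server, which is exactly the reason the message gives for not trusting a key hosted next to the files it signs.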