Hello,

On 22.08.20 13:41, Geoff Kaniuk wrote:

~$ gpg --import B507ACD04BA283C9.asc gpg: key B507ACD04BA283C9: 138 signatures not checked due to missing keys gpg: key B507ACD04BA283C9: public key "Frank Lanitz frank@lanitz.info" imported gpg: Total number processed: 1 gpg:               imported: 1 gpg: no ultimately trusted keys found

So I am still at a loss as to what the key issue really is!

Since the last release the key expired. This is a normal thing -- as you should not use GPG-keys without any expiration date (IMHO). So this key was expired back in April this year. So this is totally fine and will not have any impact on verifying the signature (as you are downloading a key based on information you got from the same source as the item you want to verify it's a weak protection anyway -- but better than none). You can still check whether this file was singed with the key -- only you should not trust the key itself anymore -- so _maybe_ it was revoked due to somebody copied it or for any other reasons. Here, and you have to trust into my word, the key just expired. I don't have any knowledge of misuse of the key etc as well as the key with 4096 RSA is not a weak one. That's why I don't think we need to regenerate the signature.

I have also run the plugin verify again, and this time get ~$ gpg --verify geany-plugins-1.36.tar.gz.sig geany-plugins-1.36.tar.gz gpg: Signature made Sat 28 Sep 2019 14:43:54 BST gpg:                using RSA key 6D0E68FCE198824C27C90EB0B507ACD04BA283C9 gpg: Good signature from "Frank Lanitz frank@lanitz.info" [expired] gpg:                 aka "Frank Lanitz frank@mxsrv.org" [expired] gpg:                 aka "Frank Lanitz frank@geany.org" [expired] gpg:                 aka "Frank Lanitz frlan@fsfe.org" [expired] gpg:                 aka "Frank Lanitz frank.lanitz@seznam.cz" [expired] gpg:                 aka "Frank Lanitz frank@frank.uvena.de" [expired] gpg: Note: This key has expired! Primary key fingerprint: 6D0E 68FC E198 824C 27C9  0EB0 B507 ACD0 4BA2 83C9

---

Looks good for me.

By the way the key you sent has the format:

B507ACD04BA283C9.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF ... ... LqGnsF6TxzGwPm8R6w40V5I67rfdbQ== =YjsN

-----END PGP PUBLIC KEY BLOCK-----

Yes. This is the typical format for exchanging PGP-keys when using the ASCII-encoding. Something similar is used for SSH-Keys (OpenPGP-format) or SSL-certificates. When using gpg --recv-keys the tool is downioading about that from the keyservers, too.

Am I using the correct command to import the key?

Yes.

It would be good to solve this issue, seeing you have taken the trouble to create the verification process!

Why do you think so?

Cheers, Frank