Some comments:
IIUC, Geany signatures should be considered more to be about verifying your download than about absolute security, although they of course help. For security, build it yourself from GitHub after appropriate auditing.
As a small volunteer project, releases are signed by individuals' personal keys and thus are not necessarily as widely distributed as, say, a Mozilla company release key. And as you will notice on the page, who was available to sign the release can vary. And even the same individual's key may change over time (for a variety of good/bad reasons). So the keys are available on the Geany download page, as you may not be able to find them elsewhere in a timely manner. If you can verify the key from an external source, bonus.
Individuals may be less open about making all of their personal emails available in plaintext than release@mozilla.com is.
Cheers, Lex
On 6 January 2018 at 08:37, bendov@gmx.com wrote:
On the example page for verifying signatures on signed Geany downloads, https://www.geany.org/Support/VerifyGPGSignature, it says:
First, you need to import the public GPG key used to sign the packages. You can download the used public key from: http://download.geany.org/colombanw-pubkey.txt
To import the key use:
    gpg --import < colombanw-pubkey.txt
I'm not highly skilled in using PGP keys, so I'm asking. Though the usage examples on Geany.org are great!
Shouldn't users be importing the signer's public key from a different site / server than where the signed Geany files are?
Like from various key servers, using either the Geany signer's *email address* or the *8 char. ID* for the key?
Colomban Wendling ban@herbesfolles.org. Colomban didn't list the 8 / 16 char. key ID (that I saw) - or the email used when the keys were uploaded to key servers.
Should the key ID & email of the key owner be listed in the public key or near it? I don't know if there's a standard protocol for how PGP key IDs or emails should be posted.
I assume instructions saying to get a signer's public key from *other* sites (& verify it against more than one key server or by other means) are to minimize the risk that hackers could compromise both the signed software and the key, if both are on the same server?
Some devs seem to put the key ID / fingerprint and email address in the key file itself - like Mozilla. Key IDs are the last 8 char. in a key's fingerprint. They can be used to search key servers to import key(s) (from a different source) to your key ring. This is from inside a Mozilla public key on https://ftp.mozilla.org/pub/mozilla.org/firefox/:
    pub   rsa4096 2015-07-17 [SC]
          14F26682D0916CDD81E37B6D61B7B526D98F0353
    uid           [ full ] Mozilla Software Releases <release@mozilla.com>
    sub   rsa4096 2015-07-17 [S] [expires: 2017-07-16]
    sub   rsa4096 2017-06-22 [S] [expires: 2019-06-22]
Note: Mozilla says to verify the public key data elsewhere, because the ones on their site could be compromised (maybe call Mozilla devs on the bat phone).
Thanks.
Users mailing list
Users@lists.geany.org
https://lists.geany.org/cgi-bin/mailman/listinfo/users
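The question in the thread boils down to one check: the fingerprint of the key you imported from the download site must equal the fingerprint you obtained from somewhere else (a keyserver, the signer's mail, another project page). The following is an added example written for this page, not Geany project code and not part of either mail. It parses the machine-readable listing that `gpg --with-colons --fingerprint <key>` prints after an import (the `fpr` records), derives the 16- and 8-digit key IDs the thread mentions from a fingerprint, and compares the imported primary key against an out-of-band copy. The gpg listings in the block are constructed samples in that format; the genuine fingerprint is the Mozilla release key quoted in the thread, while the subkey, dates and user-ID hashes are made up. One caveat a practitioner would add to the thread: an 8-character short key ID is only 32 bits, and keys whose short ID matches a target can be generated cheaply, so the comparison must be on the full 40-digit fingerprint, never on the short ID alone. The lookalike listing below shows why.

```python
"""Cross-check an imported OpenPGP key's fingerprint against an out-of-band copy.

Added example for this thread; not Geany project code. The gpg listings are
constructed samples in `gpg --with-colons --fingerprint` format.
"""
from __future__ import annotations

import re

# Fingerprint as a user might copy it from a web page or a mail: grouped in
# blocks of four, a double space in the middle, mixed case.
EXPECTED_FROM_WEB = "14f2 6682 D091 6CDD 81E3  7B6D 61B7 B526 D98F 0353"

# Constructed sample of `gpg --with-colons --fingerprint` output. Field 1 is
# the record type; for `fpr` records the fingerprint is field 10. The primary
# key's fingerprint is the Mozilla release key quoted in the thread; the
# subkey, timestamps and user-ID hash are invented.
SAMPLE_GPG_COLONS = """\
pub:-:4096:1:61B7B526D98F0353:1437156000:::-:::scESC::::::23::0:
fpr:::::::::14F26682D0916CDD81E37B6D61B7B526D98F0353:
uid:-::::1437156000::0123456789ABCDEF0123456789ABCDEF01234567::Mozilla Software Releases <release@mozilla.com>::::::::::0:
sub:-:4096:1:5E6F70811A2B3C4D:1498089600:1561161600:::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA985E6F70811A2B3C4D:
"""

# Constructed lookalike: same user ID and same 8-digit short key ID (D98F0353)
# as the genuine key, but a different fingerprint. Short IDs are 32 bits, so a
# collision like this is cheap to manufacture.
LOOKALIKE_GPG_COLONS = """\
pub:-:4096:1:AAAAAAAAD98F0353:1515000000:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD98F0353:
uid:-::::1515000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Mozilla Software Releases <release@mozilla.com>::::::::::0:
"""

FPR_RE = re.compile(r"[0-9A-F]{40}")


def normalize_fingerprint(text: str) -> str:
    """Strip the spacing people add when copying a fingerprint and upper-case it.
    Anything that is not a 40-hex-digit (160-bit) OpenPGP v4 fingerprint is
    rejected, so a short or long key ID cannot be accepted in its place."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if not FPR_RE.fullmatch(cleaned):
        raise ValueError(f"not a 40-hex-digit OpenPGP fingerprint: {text!r}")
    return cleaned


def key_ids(fingerprint: str) -> tuple[str, str]:
    """Return (long 16-digit key ID, short 8-digit key ID). As the thread notes,
    both are simply the trailing hex digits of the fingerprint."""
    fpr = normalize_fingerprint(fingerprint)
    return fpr[-16:], fpr[-8:]


def primary_fingerprints(colons_output: str) -> list[str]:
    """Return the fingerprint of every primary key in a --with-colons listing.
    An `fpr` record belongs to the `pub` or `sub` record that precedes it, so
    only the `fpr` directly after a `pub` is a primary-key fingerprint."""
    fprs: list[str] = []
    after_pub = False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] in ("sub", "ssb"):
            after_pub = False
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            fprs.append(fields[9].upper())
            after_pub = False
    return fprs


def cross_check(colons_output: str, expected: str) -> dict[str, object]:
    """Compare the imported primary key(s) with the fingerprint obtained elsewhere.
    Reports a full-fingerprint match and, separately, the weak case where only
    the short key ID agrees, which must not be treated as a match."""
    want = normalize_fingerprint(expected)
    found = primary_fingerprints(colons_output)
    return {
        "expected": want,
        "found": found,
        "fingerprint_match": want in found,
        "short_id_match_only": want not in found and any(f[-8:] == want[-8:] for f in found),
    }


if __name__ == "__main__":
    long_id, short_id = key_ids(EXPECTED_FROM_WEB)
    print(f"out-of-band fingerprint {normalize_fingerprint(EXPECTED_FROM_WEB)}")
    print(f"  long key ID {long_id}, short key ID {short_id}")
    for label, listing in (("genuine", SAMPLE_GPG_COLONS), ("lookalike", LOOKALIKE_GPG_COLONS)):
        report = cross_check(listing, EXPECTED_FROM_WEB)
        verdict = "OK, full fingerprint matches" if report["fingerprint_match"] else "MISMATCH, do not trust this key"
        print(f"{label}: imported primary key(s) {report['found']} -> {verdict}")
        if report["short_id_match_only"]:
            print("  note: only the 8-digit short ID agrees; that alone proves nothing")
```

In practice the listing would come from `gpg --with-colons --fingerprint` run on the key you imported from the Geany download page, and the expected value from a second, independent source; only when `cross_check` reports a full-fingerprint match is `gpg --verify` on the release tarball's signature worth anything.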