On 05/01/2018 at 14:37, bendov@gmx.com wrote:
[…]
Shouldn't users be importing the signer's public key from a different site / server, than where the signed Geany files are?
That's probably best indeed.
Like from various key servers, using either the Geany signer's *email address* or the *8 char. ID* for the key?
Colomban Wendling ban@herbesfolles.org. Colomban didn't list the 8 / 16 char. key ID (that I saw) - or the email used when the keys were uploaded to key servers.
It's the same email(s) that are part of the key, nothing but the key is sent to the keyservers. (continued below)
Should the key ID & email of the key owner be listed in the public key or near it? I don't know if there's a standard protocol for how PGP key IDs or emails should be posted.
I'm not very knowledgeable about PGP either, so I'm not sure how, but there's definitely a way to tell which key you need for checking a signature, as e.g. GPG itself has to find the right key to check against. So that should be sufficient, and having any plain-text data that isn't itself signed doesn't make any sense: how would you know it hasn't been compromised as well?
Ultimately, *nothing* is secure unless you really trust the signing key. And you shouldn't trust my key unless you have a chain of trust leading to me.
Note: Mozilla says to verify the public key data elsewhere, because the ones on their site could be compromised (maybe call Mozilla devs on the bat phone).
Yes, and even then, who knows. You really need a fully trustworthy way of checking that's indeed the right person -- and that you actually trust that person: even if you did meet me, why should you trust software I sign? Everything else is nice and all but doesn't provide much of anything in the end.
Sorry for just having ruined cryptographic signatures a little :]
Regards, Colomban
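As an added example (not code from this thread or from the Geany project), the Python below does what GnuPG does before it goes looking for a key: it parses the OpenPGP signature packet of a detached `.sig` file and reads the Issuer and Issuer Fingerprint subpackets out of it. It also shows how the "8 char. ID", the 16-hex-digit key ID and the full fingerprint relate (each is the tail of the next), and flags a signature whose issuer key ID and issuer fingerprint disagree. The sample signature bytes, creation time, fingerprint, key ID and the tiny "RSA" MPI are constructed for this example and belong to no real key.

```python
# Constructed sample: a minimal v4 OpenPGP signature packet (RFC 4880, section 5.2.3).
# Every value in it (creation time, fingerprint, key ID, the 16-bit "RSA" MPI) is
# made up for this example and belongs to no real key.
SAMPLE_SIG = bytes.fromhex(
    "8835"                        # old-format header: tag 2 (signature), one-byte length 0x35
    "04" "00" "01" "08"           # v4, type 0x00 (binary document), RSA, SHA-256
    "001d"                        # hashed subpacket area: 29 bytes
    "05" "02" "5a4f6b2c"          #   type 2: signature creation time
    "16" "21" "04" "0123456789abcdef0123456789abcdef01234567"  # type 33: issuer fingerprint (v4)
    "000a"                        # unhashed subpacket area: 10 bytes
    "09" "10" "89abcdef01234567"  #   type 16: issuer key ID (low 64 bits of the fingerprint)
    "abcd"                        # left 16 bits of the signed hash
    "0010" "cafe"                 # dummy MPI standing in for the RSA signature value
)


def packet_header(data):
    """Return (tag, body_start, body_length) for the packet at the start of data."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                   # new-format header
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            return tag, 3, ((l0 - 192) << 8) + data[2] + 192
        raise ValueError("long/partial new-format lengths not handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03     # old-format header (what GnuPG emits)
    if ltype == 3:
        raise ValueError("indeterminate length not handled here")
    size = (1, 2, 4)[ltype]
    return tag, 1 + size, int.from_bytes(data[1:1 + size], "big")


def subpackets(area):
    """Yield (type, payload) for every subpacket in a signature subpacket area."""
    pos = 0
    while pos < len(area):
        l0 = area[pos]
        if l0 < 192:
            length, pos = l0, pos + 1
        elif l0 < 255:
            length, pos = ((l0 - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = int.from_bytes(area[pos + 1:pos + 5], "big"), pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # bit 7 of the type is "critical"
        pos += length


def signature_issuer(sig):
    """Read who issued a detached signature; gpg does this before it looks for a key."""
    tag, start, length = packet_header(sig)
    if tag != 2 or sig[start] != 4:
        raise ValueError("expected a v4 signature packet")
    body = sig[start:start + length]
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = body[6:6 + hashed_len]
    unhashed_len = int.from_bytes(body[6 + hashed_len:8 + hashed_len], "big")
    unhashed = body[8 + hashed_len:8 + hashed_len + unhashed_len]
    info = {"pubkey_algo": body[2], "hash_algo": body[3],
            "created": None, "fingerprint": None, "key_id": None}
    for area in (hashed, unhashed):
        for sptype, payload in subpackets(area):
            if sptype == 2 and area is hashed:             # creation time only counts when signed
                info["created"] = int.from_bytes(payload, "big")
            elif sptype == 16:                             # Issuer: 8-byte key ID
                info["key_id"] = payload.hex().upper()
            elif sptype == 33 and payload[0] == 4:         # Issuer Fingerprint of a v4 key
                info["fingerprint"] = payload[1:].hex().upper()
    fp, kid = info["fingerprint"], info["key_id"]
    if fp and kid and not fp.endswith(kid):
        raise ValueError("issuer key ID does not match the issuer fingerprint")
    if fp and not kid:
        info["key_id"] = kid = fp[-16:]                    # v4 key ID = low 64 bits of the fingerprint
    info["short_key_id"] = kid[-8:] if kid else None       # the "8 char. ID" is just the tail of this
    return info


if __name__ == "__main__":
    issuer = signature_issuer(SAMPLE_SIG)
    print(f"fingerprint:  {issuer['fingerprint']}")
    print(f"long key ID:  {issuer['key_id']}  short key ID: {issuer['short_key_id']}")
```

To use it on a real file, pass the raw bytes of the `.sig` to `signature_issuer` (a hypothetical `some-file.tar.gz.sig`; an ASCII-armored `.asc` carries the same packet base64-encoded between its BEGIN/END lines, so strip the armor first). The issuer fields are only a claim until the signature actually verifies against that key, which is Colomban's point above, so fetch the key by the full fingerprint rather than the 8-character ID (short IDs are 32 bits and colliding ones can be manufactured), confirm the fingerprint with `gpg --fingerprint`, and then let `gpg --verify` do the real check; if the key is absent from the keyring, `gpg --verify` itself reports which key it wanted.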