[Geany-Users] public key

bendov at gmx.com bendov at xxxxx
Fri Jan 5 22:37:58 UTC 2018


On the example page for verifying signatures on signed Geany downloads 
https://www.geany.org/Support/VerifyGPGSignature, it says:

> First, you need to import the public GPG key used to sign the 
> packages. You can download the used public key from: 
> http://download.geany.org/colombanw-pubkey.txt
>
> To import the key use:
>
>     gpg --import < colombanw-pubkey.txt
>
I'm not highly skilled in using PGP keys, so I'm asking. Though the 
use examples on Geany.org are great!

Shouldn't users be importing the signer's public key from a different 
site / server than where the signed Geany files are?

Like from various key servers, using either the Geany signer's email 
address or the 8 char. ID for the key?

Colomban Wendling ban at herbesfolles.org.  Colomban didn't list the 8 / 
16 char. key ID (that I saw) - or the email used when the keys were 
uploaded to key servers.

Should the key ID & email of the key owner be listed in the public key 
or near it? I don't know if there's a standard protocol for how PGP key 
IDs or emails should be posted.

I assume instructions saying to get a signer's public key from *other* 
sites (& verify it against > one key server or by other means) are to 
minimize risk that hackers could compromise both the signed software and 
the key, if both are on the same server?

Some devs seem to put the key ID / fingerprint, email address in 
the key file itself - like Mozilla.  Key IDs are the last 8 char. in a 
key's fingerprint.  They can be used to search key servers to import 
key(s) (from a different source) to your key ring.

This is from inside a Mozilla public key on 
https://ftp.mozilla.org/pub/mozilla.org/firefox/:

    pub   rsa4096 2015-07-17 [SC]
          14F26682D0916CDD81E37B6D61B7B526D98F0353
    uid           [  full  ] Mozilla Software Releases <release at mozilla.com>
    sub   rsa4096 2015-07-17 [S] [expires: 2017-07-16]
    sub   rsa4096 2017-06-22 [S] [expires: 2019-06-22]

Note: Mozilla says to verify the public key data elsewhere, because the 
ones on their site could be compromised (maybe call Mozilla devs on the 
bat phone).

Thanks.
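Added example, not part of the original post or of Geany's instructions: one way to check a downloaded key file against a fingerprint obtained from a different source before importing it, accepting only a full 40-digit fingerprint rather than a key ID. The function names are hypothetical, and the sample listing is constructed (its primary fingerprint is the Mozilla one quoted in the post, the subkey values are made up).

```shell
#!/bin/sh
# Added example: compare a key file's primary fingerprint with one obtained
# out of band. Function names are hypothetical, not from Geany or GnuPG.

# Constructed sample of `gpg --with-colons` output (fields trimmed). The pub
# fingerprint is the one quoted in the post; the sub values are made up.
SAMPLE_COLONS='pub:-:4096:1:61B7B526D98F0353:1437091200:::-:::scESC:
fpr:::::::::14F26682D0916CDD81E37B6D61B7B526D98F0353:
sub:-:4096:1:00000000000000AA:1498089600::::::s:
fpr:::::::::00000000000000000000000000000000000000AA:'

# Print the primary key fingerprint: the first fpr record after a pub record.
# Subkey fingerprints (fpr records after sub records) are ignored.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# Normalise a fingerprint as people paste it: drop spaces/colons, upper-case.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Key IDs are only the tail of the fingerprint (16 or 8 hex digits).
long_id()  { normalise_fpr "$1" | tail -c 16; }
short_id() { normalise_fpr "$1" | tail -c 8; }

# check_fpr EXPECTED   (colon listing on stdin)
# Returns 0 only if EXPECTED is a full 40-hex-digit (v4) fingerprint equal to
# the primary fingerprint in the listing; a bare key ID is rejected (status 2).
check_fpr() {
    expected=$(normalise_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*) echo "not a hex fingerprint: $1" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || { echo "need the full fingerprint" >&2; return 2; }
    actual=$(primary_fpr)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Real use (needs GnuPG; the key file is only listed, not imported):
#   gpg --show-keys --with-colons colombanw-pubkey.txt \
#       | check_fpr "<fingerprint obtained from another source>"
```

Run `gpg --import` only after `check_fpr` succeeds; the expected fingerprint has to come from somewhere other than the server that hosts the key file.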
