[Geany-Users] public key

Lex Trotman elextr at xxxxx
Fri Jan 5 23:11:52 UTC 2018 

Some comments:

IIUC Geany signatures should be considered more to be about verifying
your download than about absolute security, although they of course
help.  For security build it yourself from github after appropriate
auditing.

As a small volunteer project, releases are signed by individuals
personal keys and thus are not necessarily widely distributed as say a
Mozilla company release key.  And as you will notice on the page, who
was available to sign the release can vary.  And even the same
individuals key may change over time (for a variety of good/bad
reasons).  So the keys are available on the Geany download page as you
may not be able to find them elsewhere in a timely manner.  If you can
verify the key from an external source, bonus.

Individuals may be less open about making all of their personal emails
available in plaintext than release at mozilla.com is.

Cheers
Lex

On 6 January 2018 at 08:37,  <bendov at gmx.com> wrote:
> On the example page for verifying signatures on signed Geany downloads
> https://www.geany.org/Support/VerifyGPGSignature, it says:
>
>> First, you need to import the public GPG key used to sign the packages.
>> You can download the used public key from:
>> http://download.geany.org/colombanw-pubkey.txt
>>
>> To import the key use:
>>
>> |gpg --import < colombanw-pubkey.txt|
>>
> |I'm not highly skilled in using PGP keys, so I'm asking. |||Though the use
> examples on Geany.org are great!|
> |
>
> |Shouldn't users be importing the signer's public key from a different site
> / server, than where the signed Geany files are?|
>
> |Like from various key servers, using either the Geany signer's *email
> address* or the *8 char. ID* for the key?|
>
> |Colomban Wendling ban at herbesfolles.org.  Colomban didn't list the 8 / 16
> char. key ID (that I saw) - or the email used when the keys were uploaded to
> key servers.
> |
>
> |Should the key ID & email of the key owner be listed in the public key or
> near it,? I don't know if there's a standard protocol how PGP key ID's or
> emails should be posted.
> |
>
> |I assume instructions saying to get a signer's public key from *other*
> sites (& verify it against > one key server or by other means) are to
> minimize risk that hackers could compromise both the signed software and the
> key, if both are on the same server?|
>
> |Some devs seem to put the key ID / |||fingerprint|, email address in the
> key file, itself - like Mozilla.  Key IDs are the last 8 char. in a key's
> fingerprint.  They can be used to search key servers to import key(s) (from
> a different source) to your key ring.|
> |This is from inside a Mozilla public key on
> https://ftp.mozilla.org/pub/mozilla.org/firefox/:|
> ||
>
> |pub   rsa4096 2015-07-17 [SC]
>       14F26682D0916CDD81E37B6D61B7B526D98F0353
> uid           [  full  ] Mozilla Software Releases <release at mozilla.com>
> sub   rsa4096 2015-07-17 [S] [expires: 2017-07-16]
> sub   rsa4096 2017-06-22 [S] [expires: 2019-06-22]|
>
> |Note: Mozilla says to verify the public key data elsewhere, because the
> ones on their site could be compromised (maybe call Mozilla devs on the bat
> phone).|
>
> |Thanks.
> |
>
> |
> |
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.geany.org
> https://lists.geany.org/cgi-bin/mailman/listinfo/users

More information about the Users mailing list