[Geany-Users] VerifyingDownloadedGeanyAndPlugins

Frank Lanitz frank at xxxxx
Sat Aug 22 15:01:25 UTC 2020


Hello,

On 22.08.20 13:41, Geoff Kaniuk wrote:

> ~$ gpg --import B507ACD04BA283C9.asc
> gpg: key B507ACD04BA283C9: 138 signatures not checked due to missing keys
> gpg: key B507ACD04BA283C9: public key "Frank Lanitz <frank at lanitz.info>"
> imported
> gpg: Total number processed: 1
> gpg:               imported: 1
> gpg: no ultimately trusted keys found
> 
> So I am still at a loss as to what the key issue really is!

Since the last release the key expired. This is a normal thing -- as you
should not use GPG-keys without any expiration date (IMHO). So this key
was expired back in April this year. So this is totally fine and will
not have any impact on verifying the signature (as you are downloading a
key based on information you got from the same source as the item you
want to verify it's a weak protection anyway -- but better than none).
You can still check whether this file was signed with the key -- only
you should not trust the key itself anymore -- so _maybe_ it was revoked
due to somebody copying it or for any other reasons. Here, and you have
to trust into my word, the key just expired. I don't have any knowledge
of misuse of the key etc as well as the key with 4096 RSA is not a weak
one. That's why I don't think we need to regenerate the signature.

> I have also run the plugin verify again, and this time get
> ~$ gpg --verify geany-plugins-1.36.tar.gz.sig geany-plugins-1.36.tar.gz
> gpg: Signature made Sat 28 Sep 2019 14:43:54 BST
> gpg:                using RSA key 6D0E68FCE198824C27C90EB0B507ACD04BA283C9
> gpg: Good signature from "Frank Lanitz <frank at lanitz.info>" [expired]
> gpg:                 aka "Frank Lanitz <frank at mxsrv.org>" [expired]
> gpg:                 aka "Frank Lanitz <frank at geany.org>" [expired]
> gpg:                 aka "Frank Lanitz <frlan at fsfe.org>" [expired]
> gpg:                 aka "Frank Lanitz <frank.lanitz at seznam.cz>" [expired]
> gpg:                 aka "Frank Lanitz <frank at frank.uvena.de>" [expired]
> gpg: Note: This key has expired!
> Primary key fingerprint: 6D0E 68FC E198 824C 27C9  0EB0 B507 ACD0 4BA2 83C9
> ------------------------------------------------------------------------

Looks good for me.

> By the way the key you sent has the format:
> 
> B507ACD04BA283C9.asc
> ========================================================================
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> 
> mQINBF ...
> ...
> LqGnsF6TxzGwPm8R6w40V5I67rfdbQ==
> =YjsN
> -----END PGP PUBLIC KEY BLOCK-----
> ========================================================================

Yes. This is the typical format for exchanging PGP-keys when using the
ASCII-encoding. Something similar is used for SSH-Keys (OpenPGP-format)
or SSL-certificates. When using gpg --recv-keys the tool is downloading
something like that from the keyservers, too.

> Am I using the correct command to import the key?

Yes.

> It would be good to solve this issue, seeing you have taken the trouble
> to create the verification process!

Why do you think so?

Cheers,
Frank
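The distinction Frank draws above (the signature is still good, only the key has since expired, which is not the same as a revoked or wrong key) is exactly what gpg reports on its machine-readable status channel. The following is an added example, not code from this thread or from the Geany project: it parses `gpg --status-fd` output and decides whether a download should be accepted based on the pinned primary key fingerprint rather than on the "[expired]" label. The status tags (GOODSIG, EXPKEYSIG, REVKEYSIG, KEYEXPIRED, VALIDSIG, BADSIG, ERRSIG, NO_PUBKEY) are gpg's own; the sample status lines, the expiry timestamp and the `verify_download` helper name are constructed for illustration, and the fingerprint is the one quoted in the thread.

```python
"""Classify the machine-readable status output of ``gpg --verify``.

Added example; not code from this mailing-list thread or from the Geany project.
It demonstrates the point made above: a signature reported as good but made
with a key that has since expired still proves the file was signed by that key,
and the decision should rest on whether the primary key fingerprint is the one
you already trust, not on the key's expiry state alone.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Primary key fingerprint as quoted in the thread's --verify output.
EXPECTED_FPR = "6D0E 68FC E198 824C 27C9  0EB0 B507 ACD0 4BA2 83C9"

# Constructed sample of "gpg --status-fd 1 --verify" lines for the thread's case:
# good signature, signing key expired since. The expiry timestamp is made up.
SAMPLE_EXPIRED_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1586000000
[GNUPG:] KEY_CONSIDERED 6D0E68FCE198824C27C90EB0B507ACD04BA283C9 0
[GNUPG:] EXPKEYSIG B507ACD04BA283C9 Frank Lanitz <frank at lanitz.info>
[GNUPG:] VALIDSIG 6D0E68FCE198824C27C90EB0B507ACD04BA283C9 2019-09-28 1569678234 0 4 0 1 10 00 6D0E68FCE198824C27C90EB0B507ACD04BA283C9
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample: the signature does not verify at all.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG B507ACD04BA283C9 Frank Lanitz <frank at lanitz.info>
"""


@dataclass
class Verdict:
    signed: bool = False            # GOODSIG/EXPKEYSIG/REVKEYSIG: the crypto check passed
    key_expired: bool = False       # EXPKEYSIG or KEYEXPIRED seen
    key_revoked: bool = False       # REVKEYSIG seen
    fingerprint: Optional[str] = None
    fingerprint_matches: bool = False
    failures: List[str] = field(default_factory=list)


def _norm(fpr: str) -> str:
    """Normalise a fingerprint: drop the display spacing, upper-case hex."""
    return fpr.replace(" ", "").upper()


def parse_status(status_text: str, expected_fpr: str) -> Verdict:
    """Reduce gpg status lines to the facts a download check needs."""
    v = Verdict()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # gpg's human-readable output, ignore
        parts = line.split()
        tag = parts[1]
        if tag == "GOODSIG":
            v.signed = True
        elif tag == "EXPKEYSIG":          # good signature, key has expired
            v.signed = True
            v.key_expired = True
        elif tag == "REVKEYSIG":          # good signature, key was revoked
            v.signed = True
            v.key_revoked = True
        elif tag == "KEYEXPIRED":
            v.key_expired = True
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <rsvd> <pk> <hash> <class> [<primary-fpr>]
            v.fingerprint = parts[11] if len(parts) > 11 else parts[2]
            v.fingerprint_matches = _norm(v.fingerprint) == _norm(expected_fpr)
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            v.failures.append(line[len("[GNUPG:] "):])
    return v


def decide(v: Verdict) -> str:
    """Map a Verdict to a download decision."""
    if v.failures or not v.signed:
        return "reject"                   # no valid signature at all
    if not v.fingerprint_matches:
        return "reject"                   # signed, but not by the key you pinned
    if v.key_revoked:
        return "reject"                   # owner said: do not use this key
    if v.key_expired:
        return "accept-expired-key"       # the thread's case
    return "accept"


def verify_download(sig_path: str, data_path: str, expected_fpr: str) -> str:
    """Run gpg (must be installed, key imported) and decide from the status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return decide(parse_status(proc.stdout, expected_fpr))


if __name__ == "__main__":
    print(decide(parse_status(SAMPLE_EXPIRED_GOOD, EXPECTED_FPR)))  # accept-expired-key
    print(decide(parse_status(SAMPLE_BAD, EXPECTED_FPR)))           # reject
```

The fingerprint comparison is the part that matters: an attacker who can swap the tarball and the `.sig` on the same download site can also swap the `.asc` key file, so the value of `EXPECTED_FPR` should come from somewhere you trusted before this download (a previous release, a key you met in person, a keysigning), not from the same page.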

