[Geany-Users] VerifyingDownloadedGeanyAndPlugins

Geoff Kaniuk geoff at xxxxx
Sat Aug 22 22:43:32 UTC 2020


Many thanks for your detailed response.  I had thought the default for 
the pgp key generator was to have no expiry date, but perhaps that is 
regarded as too risky?

I am happy that everything looks good and I can trust the signature and 
key. I now look forward to building geany and plugins ;)

Regards,

Geoff

33 Ashbury Close, Cambridge CB1 3RW 01223 710582

On 22/08/2020 16:01, Frank Lanitz wrote:
> Hello,
> 
> On 22.08.20 13:41, Geoff Kaniuk wrote:
> 
>> ~$ gpg --import B507ACD04BA283C9.asc
>> gpg: key B507ACD04BA283C9: 138 signatures not checked due to missing keys
>> gpg: key B507ACD04BA283C9: public key "Frank Lanitz <frank at lanitz.info>"
>> imported
>> gpg: Total number processed: 1
>> gpg:               imported: 1
>> gpg: no ultimately trusted keys found
>>
>> So I am still at a loss as to what the key issue really is!
> 
> Since the last release the key expired. This is a normal thing -- as you
> should not use GPG keys without any expiration date (IMHO). So this key
> expired back in April this year. So this is totally fine and will
> not have any impact on verifying the signature (as you are downloading a
> key based on information you got from the same source as the item you
> want to verify, it's a weak protection anyway -- but better than none).
> You can still check whether this file was signed with the key -- only
> you should not trust the key itself anymore -- so _maybe_ it was revoked
> because somebody copied it, or for any other reason. Here, and you have
> to trust my word, the key just expired. I don't have any knowledge
> of misuse of the key etc., and the key, with 4096-bit RSA, is not a weak
> one. That's why I don't think we need to regenerate the signature.
> 
>> I have also run the plugin verify again, and this time get
>> ~$ gpg --verify geany-plugins-1.36.tar.gz.sig geany-plugins-1.36.tar.gz
>> gpg: Signature made Sat 28 Sep 2019 14:43:54 BST
>> gpg:                using RSA key 6D0E68FCE198824C27C90EB0B507ACD04BA283C9
>> gpg: Good signature from "Frank Lanitz <frank at lanitz.info>" [expired]
>> gpg:                 aka "Frank Lanitz <frank at mxsrv.org>" [expired]
>> gpg:                 aka "Frank Lanitz <frank at geany.org>" [expired]
>> gpg:                 aka "Frank Lanitz <frlan at fsfe.org>" [expired]
>> gpg:                 aka "Frank Lanitz <frank.lanitz at seznam.cz>" [expired]
>> gpg:                 aka "Frank Lanitz <frank at frank.uvena.de>" [expired]
>> gpg: Note: This key has expired!
>> Primary key fingerprint: 6D0E 68FC E198 824C 27C9  0EB0 B507 ACD0 4BA2 83C9
>> ------------------------------------------------------------------------
> 
> Looks good for me.
> 
>> By the way the key you sent has the format:
>>
>> B507ACD04BA283C9.asc
>> ========================================================================
>> -----BEGIN PGP PUBLIC KEY BLOCK-----
>>
>> mQINBF ...
>> ...
>> LqGnsF6TxzGwPm8R6w40V5I67rfdbQ==
>> =YjsN
>> -----END PGP PUBLIC KEY BLOCK-----
>> ========================================================================
> 
> Yes. This is the typical format for exchanging PGP keys when using the
> ASCII encoding. Something similar is used for SSH keys (OpenPGP format)
> or SSL certificates. When using gpg --recv-keys the tool downloads
> something like that from the keyservers, too.
> 
>> Am I using the correct command to import the key?
> 
> Yes.
> 
>> It would be good to solve this issue, seeing you have taken the trouble
>> to create the verification process!
> 
> Why do you think so?
> 
> Cheers,
> Frank
> _______________________________________________
> Users mailing list
> Users at lists.geany.org
> https://lists.geany.org/cgi-bin/mailman/listinfo/users
> 

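The check Frank describes above (a signature made while the key was valid still verifies after the key expires; what you must decide separately is whether to trust the key), as an added example that is not part of the thread and not the Geany project's release tooling. Instead of reading the human "Good signature ... [expired]" text, it feeds gpg's machine-readable --status-fd lines to a small sh function that tells EXPKEYSIG (key expired, signature still good) apart from REVKEYSIG and BADSIG, and pins the primary key fingerprint quoted in the thread so the decision does not rest on a key fetched from the same site as the tarball. The status lines in the block are constructed samples, not captured gpg output, the KEYEXPIRED timestamp is a placeholder, and verify_release is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Geany project).
# Decide whether a gpg verification result is acceptable from the
# machine-readable status lines, with the signer pinned by fingerprint.

# Primary key fingerprint quoted in the thread. Pin it from a second
# source (earlier release, keysigning, web of trust), not the download page.
PINNED_FPR="6D0E68FCE198824C27C90EB0B507ACD04BA283C9"

# Constructed status output (not a real capture) for a good signature made
# before the key expired; the KEYEXPIRED timestamp is a placeholder.
SAMPLE_EXPIRED_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1587340800
[GNUPG:] KEY_CONSIDERED 6D0E68FCE198824C27C90EB0B507ACD04BA283C9 0
[GNUPG:] EXPKEYSIG B507ACD04BA283C9 Frank Lanitz <frank@lanitz.info>
[GNUPG:] VALIDSIG 6D0E68FCE198824C27C90EB0B507ACD04BA283C9 2019-09-28 1569678234 0 4 0 1 10 00 6D0E68FCE198824C27C90EB0B507ACD04BA283C9'

# Constructed status output for a tarball that does not match its signature.
SAMPLE_BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG B507ACD04BA283C9 Frank Lanitz <frank@lanitz.info>'

# classify_status PINNED_FPR   (status lines on stdin)
# Prints one of: good, good-expired-key, revoked-key, bad.
# Returns 0 only for the two good outcomes.
classify_status() {
    pinned="$1"
    sig_ok=0; expired=0; fpr_match=0
    while IFS=' ' read -r tag kw a1 rest; do
        if [ "$tag" != "[GNUPG:]" ]; then continue; fi
        case "$kw" in
            GOODSIG)   sig_ok=1 ;;
            EXPKEYSIG) sig_ok=1; expired=1 ;;   # valid signature, key has since expired
            VALIDSIG)
                # a1 is the signing (sub)key fingerprint; the last field is the
                # primary key fingerprint. Accept the pin against either.
                primary="${rest##* }"
                if [ "$a1" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    fpr_match=1
                fi ;;
            REVKEYSIG) echo revoked-key; return 1 ;;   # revoked is not "just expired"
            BADSIG|ERRSIG|EXPSIG) echo bad; return 1 ;;
        esac
    done
    if [ "$sig_ok" -eq 1 ] && [ "$fpr_match" -eq 1 ]; then
        if [ "$expired" -eq 1 ]; then echo good-expired-key; else echo good; fi
        return 0
    fi
    echo bad
    return 1
}

# verify_release TARBALL SIGFILE (hypothetical wrapper): the real invocation.
# --status-fd 1 sends the status lines to stdout; gpg's prose goes to stderr.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_status "$PINNED_FPR"
}

# Stand-alone demo on the constructed samples.
echo "expired-key sample:   $(printf '%s\n' "$SAMPLE_EXPIRED_KEY_STATUS" | classify_status "$PINNED_FPR")"
echo "bad-signature sample: $(printf '%s\n' "$SAMPLE_BAD_STATUS" | classify_status "$PINNED_FPR")"
```

For the tarball from the thread this would be verify_release geany-plugins-1.36.tar.gz geany-plugins-1.36.tar.gz.sig after importing the key; the only outcome a script should accept for a release built before the expiry is good-expired-key with a fingerprint match, and a revoked key or a non-matching fingerprint is rejected even when the signature itself is mathematically valid.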
