On the example page for verifying signatures on signed Geany downloads https://www.geany.org/Support/VerifyGPGSignature, it says:

First, you need to import the public GPG key used to sign the packages. You can download the used public key from: http://download.geany.org/colombanw-pubkey.txt

To import the key use:

gpg --import < colombanw-pubkey.txt

I'm not highly skilled in using PGP keys, so I'm asking. Though the use examples on Geany.org are great!

Shouldn't users be importing the signer's public key from a different site / server, than where the signed Geany files are?

Like from various key servers, using either the Geany signer's *email address* or the *8 char. ID* for the key?

Colomban Wendling [email protected].  Colomban didn't list the 8 / 16 char. key ID (that I saw) - or the email used when the keys were uploaded to key servers.

Should the key ID & email of the key owner be listed in the public key or near it? I don't know if there's a standard protocol for how PGP key IDs or emails should be posted.

I assume instructions saying to get a signer's public key from *other* sites (& verify it against > one key server or by other means) are to minimize risk that hackers could compromise both the signed software and the key, if both are on the same server?

Some devs seem to put the key ID / fingerprint, email address in the key file itself - like Mozilla.  Key IDs are the last 8 char. in a key's fingerprint.  They can be used to search key servers to import key(s) (from a different source) to your key ring.

This is from inside a Mozilla public key on https://ftp.mozilla.org/pub/mozilla.org/firefox/:

pub   rsa4096 2015-07-17 [SC]
      14F26682D0916CDD81E37B6D61B7B526D98F0353
uid           [  full  ] Mozilla Software Releases <[email protected]>
sub   rsa4096 2015-07-17 [S] [expires: 2017-07-16]
sub   rsa4096 2017-06-22 [S] [expires: 2019-06-22]

Note: Mozilla says to verify the public key data elsewhere, because the ones on their site could be compromised (maybe call Mozilla devs on the bat phone).

Thanks.


_______________________________________________
Users mailing list
[email protected]
https://lists.geany.org/cgi-bin/mailman/listinfo/users
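
The check the message asks about, as an added example that is not part of the original post or of Geany's instructions: list the downloaded key file without importing it, and import only if its primary fingerprint equals one obtained from an independent source. The function names and the sample record are assumptions made for illustration; only the fingerprint in the sample comes from the Mozilla listing quoted in the message.

```sh
#!/bin/sh
# Added example: compare a key file's primary fingerprint with one obtained
# from an independent source, and import only on a match.

# Constructed sample of `gpg --with-colons` output. Only the primary
# fingerprint is taken from the listing quoted above; the rest is made up.
SAMPLE_COLONS='pub:-:4096:1:61B7B526D98F0353:1437091200:::-:::scSC:
fpr:::::::::14F26682D0916CDD81E37B6D61B7B526D98F0353:
uid:-::::1437091200::::Constructed Sample <sample@example.invalid>:
sub:-:4096:1:0000000000000001:1437091200::::::s:
fpr:::::::::0000000000000000000000000000000000000001:'

# Strip whitespace and upper-case, so "14f2 6682 ..." compares equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# stdin: colon output. Prints the fingerprint (field 10 of the first "fpr"
# record after each "pub"); "fpr" records after "sub" are subkeys.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# check_fpr EXPECTED: stdin is colon output. Succeeds only if it holds exactly
# one primary key whose fingerprint equals EXPECTED. Assumes a v4 key (40 hex
# digits); a short key ID is rejected, it cannot identify a key uniquely.
check_fpr() {
    expected=$(norm_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*) echo "fingerprint must be hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "need the full 40-digit fingerprint" >&2; return 2
    fi
    found=$(primary_fprs)
    if [ "$(printf '%s\n' "$found" | grep -c .)" -ne 1 ]; then
        echo "expected exactly one primary key" >&2; return 1
    fi
    [ "$found" = "$expected" ]
}

# verify_then_import KEYFILE EXPECTED: --show-keys lists the file without
# adding it to the keyring (needs a GnuPG release that has --show-keys).
verify_then_import() {
    gpg --show-keys --with-colons "$1" | check_fpr "$2" && gpg --import "$1"
}
```

The expected fingerprint passed to `verify_then_import` is only useful if it was obtained over a channel other than the server that hosts the key file.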
