Many thanks for your detailed response. I had thought the default for the pgp key generator was to have no expiry date, but perhaps that is regarded as too risky?

I am happy that everything looks good and I can trust the signature and key. I now look forward to building geany and plugins ;)

Regards,

Geoff

33 Ashbury Close, Cambridge CB1 3RW 01223 710582

On 22/08/2020 16:01, Frank Lanitz wrote:
Hello,

On 22.08.20 13:41, Geoff Kaniuk wrote:

~$ gpg --import B507ACD04BA283C9.asc
gpg: key B507ACD04BA283C9: 138 signatures not checked due to missing keys
gpg: key B507ACD04BA283C9: public key "Frank Lanitz <fr...@lanitz.info>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

So I am still at a loss as to what the key issue really is!

Since the last release the key expired. This is a normal thing -- as you
should not use GPG keys without any expiration date (IMHO). So this key
expired back in April this year. This is totally fine and will not have
any impact on verifying the signature (as you are downloading a key based
on information you got from the same source as the item you want to
verify, it's a weak protection anyway -- but better than none). You can
still check whether this file was signed with the key -- only you should
not trust the key itself anymore -- so _maybe_ it was revoked because
somebody copied it, or for any other reason. Here, and you have to trust
my word, the key just expired. I don't have any knowledge of misuse of
the key etc., and the key, with 4096-bit RSA, is not a weak one. That's
why I don't think we need to regenerate the signature.

I have also run the plugin verify again, and this time get
~$ gpg --verify geany-plugins-1.36.tar.gz.sig geany-plugins-1.36.tar.gz
gpg: Signature made Sat 28 Sep 2019 14:43:54 BST
gpg:                using RSA key 6D0E68FCE198824C27C90EB0B507ACD04BA283C9
gpg: Good signature from "Frank Lanitz <fr...@lanitz.info>" [expired]
gpg:                 aka "Frank Lanitz <fr...@mxsrv.org>" [expired]
gpg:                 aka "Frank Lanitz <fr...@geany.org>" [expired]
gpg:                 aka "Frank Lanitz <fr...@fsfe.org>" [expired]
gpg:                 aka "Frank Lanitz <frank.lan...@seznam.cz>" [expired]
gpg:                 aka "Frank Lanitz <fr...@frank.uvena.de>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 6D0E 68FC E198 824C 27C9  0EB0 B507 ACD0 4BA2 83C9
------------------------------------------------------------------------

Looks good for me.

By the way the key you sent has the format:

B507ACD04BA283C9.asc
========================================================================
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF ...
...
LqGnsF6TxzGwPm8R6w40V5I67rfdbQ==
=YjsN
-----END PGP PUBLIC KEY BLOCK-----
========================================================================

Yes. This is the typical format for exchanging PGP keys when using the
ASCII encoding. Something similar is used for SSH keys (OpenPGP format)
or SSL certificates. When using gpg --recv-keys the tool is downloading
something like that from the keyservers, too.

Am I using the correct command to import the key?

Yes.

It would be good to solve this issue, seeing you have taken the trouble
to create the verification process!

Why do you think so?

Cheers,
Frank
_______________________________________________
Users mailing list
Users@lists.geany.org
https://lists.geany.org/cgi-bin/mailman/listinfo/users
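The thread above turns on one distinction: a signature made by an expired key still verifies ("Good signature ... [expired]"), but gpg reports it differently from a signature by a current key, and a release-verification script should decide deliberately what to do with it. The example below is added here and is not code from the Geany project or from either poster. It parses the machine-readable lines gpg emits with `--status-fd` (tags such as GOODSIG, EXPKEYSIG, BADSIG, VALIDSIG and KEYEXPIRED, which are documented in GnuPG's DETAILS file) and applies a policy that pins the primary key fingerprint obtained out of band, which addresses Frank's point that a key fetched from the same place as the tarball is weak protection. The sample status lines are constructed to mirror the key id and fingerprint shown in the thread; their timestamps are made-up values.

```python
"""Classify `gpg --verify` outcomes from status-fd lines and apply a pinning policy.

Added example; not code from the Geany project or from the posters in this thread.
Assumes gpg is run with `--batch --status-fd 1` so the status lines arrive on stdout.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")


@dataclass
class VerifyResult:
    verdict: str  # good | good-expired-key | revoked-key | bad | unknown-key | error
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None  # primary key fingerprint taken from VALIDSIG
    uid: Optional[str] = None
    key_expired_at: Optional[int] = None  # unix time from KEYEXPIRED, if present
    raw_tags: List[str] = field(default_factory=list)


def _split_sig_line(rest: str):
    """GOODSIG/EXPKEYSIG/REVKEYSIG/BADSIG lines are '<keyid> <user id>'."""
    parts = rest.split(" ", 1)
    return parts[0], (parts[1] if len(parts) > 1 else None)


def classify_status(lines: Iterable[str]) -> VerifyResult:
    """Reduce gpg status lines to one verdict. BADSIG always wins; an expired
    key yields EXPKEYSIG instead of GOODSIG even though the signature checks out."""
    res = VerifyResult("error")
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a status line
        tag, rest = m.group(1), (m.group(2) or "")
        res.raw_tags.append(tag)
        if tag in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG"):
            res.key_id, res.uid = _split_sig_line(rest)
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <sig-expire-ts> <ver> <res> <pkalgo> <hashalgo> <class> [<primary-fpr>]
            fields = rest.split()
            res.fingerprint = fields[9] if len(fields) >= 10 else fields[0]
        elif tag == "KEYEXPIRED":
            res.key_expired_at = int(rest.split()[0])
        elif tag == "NO_PUBKEY":
            res.key_id = rest.split()[0]
    tags = set(res.raw_tags)
    if "BADSIG" in tags:
        res.verdict = "bad"
    elif "NO_PUBKEY" in tags:
        res.verdict = "unknown-key"
    elif "REVKEYSIG" in tags:
        res.verdict = "revoked-key"
    elif "EXPKEYSIG" in tags:
        res.verdict = "good-expired-key"
    elif "GOODSIG" in tags and "VALIDSIG" in tags:
        res.verdict = "good"
    return res


def accept(res: VerifyResult, pinned_fprs: Set[str], allow_expired_key: bool = False) -> bool:
    """Accept only a valid signature from a fingerprint pinned out of band.
    Spaces in pinned fingerprints (as printed by gpg) are ignored."""
    if res.verdict not in ("good", "good-expired-key"):
        return False
    if res.verdict == "good-expired-key" and not allow_expired_key:
        return False
    pinned = {f.replace(" ", "").upper() for f in pinned_fprs}
    return res.fingerprint is not None and res.fingerprint.upper() in pinned


def run_gpg_verify(sig_path: str, data_path: str) -> VerifyResult:
    """Run gpg on a detached signature and classify its status output (requires gpg)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return classify_status(proc.stdout.splitlines())


# Constructed sample status lines (timestamps are made up), mirroring the thread's key.
SAMPLE_EXPIRED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1586000000
[GNUPG:] EXPKEYSIG B507ACD04BA283C9 Frank Lanitz <fr...@lanitz.info>
[GNUPG:] VALIDSIG 6D0E68FCE198824C27C90EB0B507ACD04BA283C9 2019-09-28 1569678234 0 4 0 1 10 00 6D0E68FCE198824C27C90EB0B507ACD04BA283C9
""".splitlines()

SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG B507ACD04BA283C9 Frank Lanitz <fr...@lanitz.info>
""".splitlines()

# Fingerprint as printed by `gpg --verify`, pinned from a source other than the download site.
PINNED = {"6D0E 68FC E198 824C 27C9  0EB0 B507 ACD0 4BA2 83C9"}

if __name__ == "__main__":
    r = classify_status(SAMPLE_EXPIRED_KEY)
    print(r.verdict, r.key_id, accept(r, PINNED), accept(r, PINNED, allow_expired_key=True))
```

With the constructed lines the verdict is `good-expired-key`: the signature is valid, `accept` refuses it under the default policy and accepts it only when the caller explicitly allows expired keys and the fingerprint matches the pinned one, which is exactly the judgement Frank asks the reader to make by hand.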

