Eric Duncan wrote on Mon, Feb 13, 2023 at 07:10:50PM -0500:
> I am trying to verify busybox downloads with the signature file.
>
> https://www.busybox.net/downloads/busybox-1.36.0.tar.bz2
> https://www.busybox.net/downloads/busybox-1.36.0.tar.bz2.sig
>
> $ gpg --verify busybox-1.36.0.tar.bz2.sig
> gpg: assuming signed data in 'busybox-1.36.0.tar.bz2'
> gpg: Signature made Tue Jan 3 14:30:09 2023 UTC
> gpg: using DSA key C9E9416F76E610DBD09D040F47B70C55ACC9965B
> gpg: issuer "vda.li...@googlemail.com"
> gpg: Can't check signature: No public key
>
> I am unable to locate the public key on busybox.net though. Tried
> searching public key servers without success:
>
> gpg --batch --keyserver certserver.pgp.com --recv-keys C9E9416F76E610DB
> gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C9E9416F76E610DB
> gpg --batch --keyserver pool.sks-keyservers.net --recv-keys C9E9416F76E610DB
A key's short form isn't the first 8 bytes, it's the first 4 and the last 4. You should always use the long form though, as short-form key collisions are trivial, at which point this works:

$ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B
gpg: key 47B70C55ACC9965B: "Denis Vlasenko <vda.li...@googlemail.com>" not changed

The key can also be found directly on the busybox website: https://busybox.net/~vda/vda_pubkey.gpg

Either way, if the files had been compromised an attacker could just sign the file with a new key and you've just downloaded the attacker's key; this trust model is broken. It'll be useful for the next upgrades onwards.

-- 
Dominique
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
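One way to act on the trust-model point raised in the reply above, as an added example that is not code from the thread or from the BusyBox project: a POSIX shell script that pins the full 40-hex-digit fingerprint quoted in the thread, refuses to import a downloaded key file whose primary fingerprint differs, and accepts a signature only when gpg's machine-readable VALIDSIG status names that exact key. The function names, the status-line parsing and the reliance on `--import-options show-only` (gpg 2.1.13 or later) are this example's own assumptions.

```shell
#!/bin/sh
# Full 40-hex-digit fingerprint quoted in the thread above. The 16-digit
# key id (47B70C55ACC9965B) is deliberately not used for pinning.
PINNED_FPR="C9E9416F76E610DBD09D040F47B70C55ACC9965B"

# check_sig_status PIN: read `gpg --status-fd` output on stdin and succeed
# only if a VALIDSIG line names the pinned key. GOODSIG is ignored on
# purpose: it only carries the 64-bit key id, VALIDSIG (field 3) the full
# fingerprint of the key that actually made the signature.
check_sig_status() {
    pinned=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    seen=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3 }' \
           | tr '[:lower:]' '[:upper:]')
    for fpr in $seen; do
        [ "$fpr" = "$pinned" ] && return 0
    done
    return 1
}

# import_pinned_key KEYFILE: import a downloaded key (e.g. the
# vda_pubkey.gpg linked in the thread) only if its primary fingerprint
# matches the pin, so a swapped key on the download site is caught.
# Assumes gpg >= 2.1.13 for --import-options show-only.
import_pinned_key() {
    fpr=$(gpg --batch --with-colons --import-options show-only \
              --import "$1" | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$fpr" != "$PINNED_FPR" ]; then
        echo "FAIL: key fingerprint '$fpr' does not match pin" >&2
        return 1
    fi
    gpg --batch --import "$1"
}

# verify_release TARBALL SIGFILE: gpg's exit status alone is not enough,
# since it is also 0 for a good signature from a key that was never pinned.
verify_release() {
    if gpg --batch --status-fd 1 --verify "$2" "$1" \
       | check_sig_status "$PINNED_FPR"; then
        echo "OK: $1 is signed by pinned key $PINNED_FPR"
    else
        echo "FAIL: $1 is not signed by the pinned key" >&2
        return 1
    fi
}

# Usage: ./verify-busybox.sh vda_pubkey.gpg busybox-1.36.0.tar.bz2 busybox-1.36.0.tar.bz2.sig
if [ $# -eq 3 ]; then
    import_pinned_key "$1" && verify_release "$2" "$3"
fi
```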