Some comments: IIUC, Geany signatures should be considered more to be about verifying your download than about absolute security, although they of course help. For security, build it yourself from github after appropriate auditing.
As a small volunteer project, releases are signed by individuals' personal keys and thus are not necessarily widely distributed as, say, a Mozilla company release key. And as you will notice on the page, who was available to sign the release can vary. And even the same individual's key may change over time (for a variety of good/bad reasons). So the keys are available on the Geany download page as you may not be able to find them elsewhere in a timely manner. If you can verify the key from an external source, bonus. Individuals may be less open about making all of their personal emails available in plaintext than [email protected] is.

Cheers
Lex

On 6 January 2018 at 08:37, <[email protected]> wrote:

> On the example page for verifying signatures on signed Geany downloads
> https://www.geany.org/Support/VerifyGPGSignature, it says:
>
>> First, you need to import the public GPG key used to sign the packages.
>> You can download the used public key from:
>> http://download.geany.org/colombanw-pubkey.txt
>>
>> To import the key use:
>>
>> gpg --import < colombanw-pubkey.txt
>
> I'm not highly skilled in using PGP keys, so I'm asking. Though the use
> examples on Geany.org are great!
>
> Shouldn't users be importing the signer's public key from a different site
> / server than where the signed Geany files are?
>
> Like from various key servers, using either the Geany signer's *email
> address* or the *8 char. ID* for the key?
>
> Colomban Wendling [email protected]. Colomban didn't list the 8 / 16
> char. key ID (that I saw) - or the email used when the keys were uploaded to
> key servers.
>
> Should the key ID & email of the key owner be listed in the public key or
> near it? I don't know if there's a standard protocol for how PGP key IDs or
> emails should be posted.
>
> I assume instructions saying to get a signer's public key from *other*
> sites (& verify it against one key server or by other means) are to
> minimize the risk that hackers could compromise both the signed software and the
> key, if both are on the same server?
>
> Some devs seem to put the key ID / fingerprint and email address in the
> key file itself - like Mozilla. Key IDs are the last 8 char. in a key's
> fingerprint. They can be used to search key servers to import key(s) (from
> a different source) to your key ring.
> This is from inside a Mozilla public key on
> https://ftp.mozilla.org/pub/mozilla.org/firefox/:
>
> pub   rsa4096 2015-07-17 [SC]
>       14F26682D0916CDD81E37B6D61B7B526D98F0353
> uid   [ full ] Mozilla Software Releases <[email protected]>
> sub   rsa4096 2015-07-17 [S] [expires: 2017-07-16]
> sub   rsa4096 2017-06-22 [S] [expires: 2019-06-22]
>
> Note: Mozilla says to verify the public key data elsewhere, because the
> ones on their site could be compromised (maybe call Mozilla devs on the bat
> phone).
>
> Thanks.
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.geany.org/cgi-bin/mailman/listinfo/users
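The check the thread is circling around, as an added example that is not from either poster or from the Geany project: show the downloaded key without importing it, compare its full fingerprint against one obtained through a second channel, and only then import and verify. EXPECTED_FPR is a placeholder (the thread does not give Colomban's fingerprint), the sample colon listing is constructed around the Mozilla fingerprint quoted above, and `--import-options show-only` assumes GnuPG 2.1.14 or later.

```shell
#!/bin/sh
# Added example, not from the Geany list thread. Verify a release the way the
# thread suggests: inspect the key file, check its fingerprint out of band,
# then import it and verify the detached signature.
# EXPECTED_FPR is a PLACEHOLDER: replace it with the fingerprint you confirmed
# through a second channel (keyserver, another site, the signer directly).
EXPECTED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Normalise a fingerprint (drop spaces, uppercase) so values copied from
# different sources compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Pull the primary key's fingerprint out of 'gpg --with-colons' output.
# The first 'fpr' record after a 'pub' record is the primary key; later
# 'fpr' records belong to subkeys, so stop after the first hit.
primary_fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { want = 1 }
        $1 == "fpr" && want { print $10; exit }'
}

# Succeed only if a non-empty fingerprint equals the expected one.
fpr_matches() {
    [ -n "$1" ] && [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# End-to-end check; needs gpg on PATH (the helpers above do not).
verify_release() {
    keyfile=$1 sigfile=$2 tarball=$3
    listing=$(gpg --with-colons --import-options show-only --import "$keyfile") || return 1
    actual=$(primary_fpr_from_colons "$listing")
    if ! fpr_matches "$actual" "$EXPECTED_FPR"; then
        echo "key fingerprint mismatch (got '$actual'), not importing" >&2
        return 1
    fi
    gpg --import "$keyfile" && gpg --verify "$sigfile" "$tarball"
}

# Constructed sample listing to exercise the parser: the primary fingerprint is
# the Mozilla one quoted in the thread; the subkey, uid and dates are made up.
SAMPLE_LISTING='pub:-:4096:1:61B7B526D98F0353:1437091200:::-:::scESC::::::23::0:
fpr:::::::::14F26682D0916CDD81E37B6D61B7B526D98F0353:
uid:-::::1437091200::0000::Mozilla Software Releases <uid-placeholder>::::::::::0:
sub:-:4096:1:0000000000000000:1437091200:1468627200:::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'
```

Run as `verify_release colombanw-pubkey.txt geany-X.Y.tar.bz2.sig geany-X.Y.tar.bz2` after setting EXPECTED_FPR; a mismatch stops before anything enters your keyring.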
