Is it safe to import public key of AppImage package this way without finger print ?

asked 2019-06-04 16:41:20 +0200

Nokia808

Hi. To verify the signature of an AppImage for LibreOffice, we have to download 3 files:

  • AppImage package (available)
  • signature file for that package (available)
  • public key used for this signature

The 1st 2 files are available from this page: https://libreoffice.soluzioniopen.com...

However, the public key is not available from this page. The user has to run the following command:

gpg --verify package-name.AppImage.asc package-name.AppImage

where the output will say verification is not possible, no public key, & show the ID of that public key.

Then we should use the following command to import this public key:

gpg --recv-keys <key-id>

But my question is: is it safe to import such a public key when its fingerprint is not already demonstrated on the site page??!!! I read on the Internet that the user needs to look for the fingerprint of the IMPORTED public key & compare it to what is demonstrated on the site before starting to use it to verify the downloaded package! Is this correct or not?

Please be patient with me, I'm not an expert in encryption - see my post in the Fedora community forum about a similar issue to know my level: https://forums.fedoraforum.org/showth...


2 Answers


answered 2019-08-13 00:39:52 +0200

totedati

updated 2019-08-13 01:01:09 +0200

For me the working solution was to search first with good ol' Google for the RSA key, D4761B78E365B53D, find the server with the public key, sks-keyservers.net search D4761B78E365B53D, don't know why it is not spotted automagically in the first, and short form, gpg command, and then use that keyserver for key download

gpg --recv-keys D4761B78E365B53D

is not working but

gpg -v --keyserver sks-keyservers.net --recv-keys D4761B78E365B53D

is working!

Talking about safe practices when you work with gpg signatures: until you see that

gpg: There is no indication that the signature belongs to the owner.

any lazy solution like publishing key fingerprints is no safer than SHA or MD5 values published on the same web page. It is only marginally better because we are lazy.

LE: Thinking about erAck's advice about keybase.io, I agree it is good advice! Hey Antonio, why are you not on keybase already? Come on man, jump in! That way you can publish those gpg keys in more ways, lazy ways not the strict web-of-trust way, to trust signature fingerprints!


answered 2019-06-05 13:37:15 +0200

erAck

Yes, it would be good practice to also publish the fingerprint (or at least the long ID) of the key on the same site. To be very sure you may want to ask the publisher for the key's fingerprint (and tell them to publish it..) cryptographically signed.

However, as you obtained the .asc file from the same web site over https, you can be fairly sure it matches the creator's key, unless the web site was hacked or the certificate intercepted / MITM attacked, in which case, even if the fingerprint was published on the site, relying only on one source wouldn't help either. For such cases it's good practice to publish the fingerprint on several sites and/or use Keybase to link PGP keys and verified web sites.


Comments

Hi. There is now a big problem! I applied "--recv-keys <key-id>" for the F-Droid site & it worked very well. But I tried with the following AppImage key:

https://libreoffice.soluzioniopen.com...

& result is:

$ gpg --verify libreoffice.ai.asc libreoffice.ai
gpg: Signature made Sat 25 May 2019 06:28:30 AM GMT
gpg:                using RSA key D4761B78E365B53D
gpg: Can't check signature: No public key

$ gpg --recv-keys D4761B78E365B53D
gpg: keyserver receive failed: No data

Please notice that I renamed the files to libreoffice.ai.asc & libreoffice.ai for ease of use & this has no adverse effects.

Any idea why this error?

Nokia808 (2019-06-06 11:21:14 +0200)

It just says the public key is not on the server you queried. Seems it isn't published on sks-keyservers.net nor on one of the other servers I tried. Contact the owner.

erAck (2019-06-06 19:23:46 +0200)

Something did not work properly, so we have just re-released the public key. If you want, recheck in a few days; if there are any problems let me know.

Antonio Faccioli (2019-06-08 09:25:21 +0200)

I have verified the key from the keyserver pgp.key-server.io

Antonio Faccioli (2019-06-08 09:51:09 +0200)

Also available in the pool; pgp.key-server.io currently serves a 503 ...

erAck (2019-06-11 17:47:14 +0200)