Is it safe to import the public key of an AppImage package this way without a fingerprint?

Hi. To verify the signature of an AppImage for LibreOffice, we have to download 3 files:

  • AppImage package (available)
  • signature file for that package (available)
  • public key used for this signature

The first 2 files are available from this page:

However, the public key is not available from this page. The user has to run the following command:

gpg --verify package-name.AppImage.asc package-name.AppImage

where the output will say that verification is not possible (no public key) and show the ID of that public key.

Then we should use the following command to import this public key:

gpg --recv-keys

But my question is: is it safe to import such a public key when its fingerprint is not already shown on the site page? I read on the Internet that the user needs to look at the fingerprint of the IMPORTED public key and compare it to what is shown on the site before starting to use it to verify the downloaded package! Is this correct or not?

Please be patient with me, I'm not an expert in encryption; see my post in the Fedora community forum about a similar issue to know my level:

Yes, it would be good practice to also publish the fingerprint (or at least the long ID) of the key on the same site. To be very sure you may want to ask the publisher for the key's fingerprint (and tell them to publish it…), cryptographically signed.

However, as you obtained the .asc file from the same web site over https, you can be fairly sure it matches the creator's key, unless the web site was hacked or the certificate intercepted / MITM attacked, in which case, even if the fingerprint were published on the site, relying only on one source wouldn't help either. For such cases it's good practice to publish the fingerprint on several sites and/or use Keybase to link PGP keys and verified web sites.
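The procedure from the question (verify, fetch the key by ID, then compare the fingerprint) together with erAck's advice to pin a published fingerprint, as an added example that is not part of this thread and not LibreOffice's own tooling. It is a POSIX shell script that accepts a detached signature only if the key that made it has a fingerprint you pinned beforehand, and that checks a freshly imported key's fingerprint before it is trusted. It assumes GnuPG 2.x (`gpg`) is on PATH; the pinned fingerprint `0123 4567 …`, the key ID and the file names are placeholders, not LibreOffice's real values. The checks parse gpg's machine-readable `--status-fd` and `--with-colons` output rather than the human-readable text, which changes between versions and locales.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature and accept it only when the
# key that made it has a fingerprint pinned in advance. Not code from the thread
# or from LibreOffice. Assumes GnuPG 2.x ("gpg") is on PATH.
# The fingerprint, key ID and file names below are PLACEHOLDERS for illustration.

PINNED_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'   # placeholder, not a real key

# Normalise a fingerprint for comparison: drop spaces and colons, upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Given the text that "gpg --status-fd 1 --verify" prints, succeed only if it
# contains a VALIDSIG line whose fingerprint matches $2.
# GOODSIG is deliberately ignored: it names the key only by its 64-bit key ID,
# and key IDs can be collided. VALIDSIG carries full fingerprints
# (field 3 = signing key, last field = primary key); either may be pinned.
check_status_output() {
    want=$(norm_fpr "$2")
    fprs=$(printf '%s\n' "$1" | awk '/^\[GNUPG:\] VALIDSIG /{print $3 " " $NF; exit}')
    [ -n "$fprs" ] || return 1                     # no valid signature at all (e.g. NO_PUBKEY)
    for f in $fprs; do
        if [ "$(norm_fpr "$f")" = "$want" ]; then return 0; fi
    done
    return 1                                       # valid signature, but from the wrong key
}

# Run gpg on real files. Status lines go to stdout (--status-fd 1); the chatty
# human-readable output goes to stderr and is discarded here.
# Usage: verify_pinned package.AppImage.asc package.AppImage "$PINNED_FPR"
verify_pinned() {
    out=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    check_status_output "$out" "$3"
}

# Primary-key fingerprint from "gpg --with-colons --fingerprint <id>" output:
# the first "fpr" record, colon-separated field 10.
fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# After "gpg --recv-keys <id>", compare what actually landed in the keyring
# against the pinned value before using the key for anything.
# Usage: check_imported_key D4761B78E365B53D "$PINNED_FPR"
check_imported_key() {
    got=$(fpr_from_colons "$(gpg --batch --with-colons --fingerprint "$1" 2>/dev/null)")
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$(norm_fpr "$2")" ]
}

# Run as "sh verify.sh <sig> <file> <fingerprint>" to do the real check; with no
# arguments only the functions are defined, so the file can be sourced.
if [ "$#" -eq 3 ]; then
    if verify_pinned "$1" "$2" "$3"; then
        echo "OK: good signature from pinned key $(norm_fpr "$3")"
    else
        echo "REJECT: bad signature, missing key, or fingerprint mismatch" >&2
        exit 1
    fi
fi
```

The point of pinning is that `--recv-keys` with a short or long key ID only tells gpg which key to look for; whatever comes back from the keyserver is what gets trusted, so the script refuses a signature whose VALIDSIG fingerprint differs from the pinned one even when gpg itself reports the signature as good.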

Hi. There is now a big problem! I applied "--recv-keys" for the F-Droid site and it worked very well. But I tried with the following AppImage key:

and the result is:

$ gpg --verify
gpg: Signature made Sat 25 May 2019 06:28:30 AM GMT
gpg: using RSA key D4761B78E365B53D
gpg: Can't check signature: No public key

$ gpg --recv-keys D4761B78E365B53D
gpg: keyserver receive failed: No data

Please notice that I renamed the files to and for ease of use, and this has no adverse effects.

Any idea why this error occurs?

It just says the public key is not on the server you queried. It seems it isn't published on nor on any of the other servers I tried. Contact the owner.

Something did not work properly, so we have just re-released the public key. If you want to recheck in a few days and there are any problems, let me know.

I have verified the key from the keyserver

Also available in the pool, currently serves a 503 …

For me the working solution was to search first with good ol' Google for the RSA key, D4761B78E365B53D, find the server with the public key (search for D4761B78E365B53D; I don't know why it is not spotted automagically by the first, short-form gpg command), and then use that keyserver for the key download:

gpg --recv-keys D4761B78E365B53D

is not working but

gpg -v --keyserver --recv-keys D4761B78E365B53D

is working!

Talking about safe practices: when you work with gpg signatures, as long as you see that

gpg: There is no indication
that the signature belongs to the

any lazy solution like publishing key fingerprints is no safer than SHA or MD5 values published on the same web page. It is only marginally better, because we are lazy.

LE: Thinking about erAck's advice about , I agree it is good advice! Hey Antonio, why are you not on Keybase already? Come on man, jump in! That way you can publish that gpg key with more ways (lazy ways, not the strict web-of-trust way) to trust signature fingerprints!