Hi. To verify signature of an AppImage for LibreOffice, we have to download 3 files:
- AppImage package (available)
- signature file for that package (available)
- public key used for this signature
1st 2 files are available from this page:
However, public key not available from this page. User have to run the follwing command:
gpg --verify package-name.AppImage.asc package-name.AppImage
where the output will say verification not possible no public key & show ID of that public key.
Then we should use the following command to import this public key:
But my question is that: is it safe to import such public key & it’s finger print not already demonstrated on the site page ??!!! I read in Internet that user need to look for fingerprint of IMPORTED public key & compare it to what demonstrated on the site before start to use it to verify downloaded package ! Is this correct or not ?
Please be patient with me, I’m not expert in encryption - see my post in Fedora community forum about similar issue to know my level: