
Unable to Verify Keys in Plugins Tarball #1391

Open
allanwmacdonald opened this issue Nov 27, 2024 · 6 comments

Comments

@allanwmacdonald

Following instructions here: https://plugins.geany.org/downloads.html

Adding the key:

$ gpg --recv-keys 01380DF54FD09D02
gpg: key 01380DF54FD09D02: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

Verifying the key:

$ gpg --verify geany-plugins-2.0.tar.gz.sig geany-plugins-2.0.tar.gz
gpg: Signature made Fri 20 Oct 2023 03:18:41 AM ADT
gpg:                using EDDSA key 986FA7E80256D3D16F30FB7A01380DF54FD09D02
gpg: Can't check signature: No public key

This looks like it didn't work. What am I doing wrong?

My OS: Ubuntu 22.04.5 LTS

$ uname -srvmpio
Linux 6.8.0-49-generic #49~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov  6 17:42:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/allanmacdonald/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

@allanwmacdonald
Author

Previous version:

$ gpg --recv-keys B7A4039D0630EA07
gpg: key B7A4039D0630EA07: public key "Frank Lanitz <frank.lanitz@seznam.cz>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --verify geany-plugins-1.38.tar.gz.sig geany-plugins-1.38.tar.gz
gpg: Signature made Sat 09 Oct 2021 10:53:55 AM ADT
gpg:                using EDDSA key 986FA7E80256D3D16F30FB7A01380DF54FD09D02
gpg: Can't check signature: No public key

However, this way seems to work:

$ wget https://download.geany.org/frlan-pubkey.txt
$ gpg --import < frlan-pubkey.txt
$ gpg --verify geany-plugins-2.0.tar.gz.sig geany-plugins-2.0.tar.gz 
gpg: Signature made Fri 20 Oct 2023 03:18:41 AM ADT
gpg:                using EDDSA key 986FA7E80256D3D16F30FB7A01380DF54FD09D02
gpg: Good signature from "Frank Lanitz <frank@lanitz.info>" [expired]
gpg:                 aka "Frank Lanitz <frlan@fsfe.org>" [expired]
gpg:                 aka "Frank Lanitz <frank.lanitz@seznam.cz>" [expired]
gpg:                 aka "Frank Lanitz <frank@frank.uvena.de>" [expired]
gpg:                 aka "Frank Lanitz <frank@mxsrv.org>" [expired]
gpg:                 aka "Frank Lanitz <frank@geany.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 986F A7E8 0256 D3D1 6F30  FB7A 0138 0DF5 4FD0 9D02

@eht16
Member

eht16 commented Nov 30, 2024

@allanwmacdonald so the signature verification worked, I guess.
The expired key is nothing bad; what is important is that it was valid when the signature was created.

I'm just wondering about the first output of retrieving the key:

$ gpg --recv-keys 01380DF54FD09D02
gpg: key 01380DF54FD09D02: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

@frlan was the key not uploaded?

Maybe we should update the instructions to import the key from the file on geany.org?
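The two outcomes shown above (a "Can't check signature: No public key" failure after --recv-keys, and a good signature from a key that has since expired) are easier to gate in a download script from GnuPG's machine-readable status lines (--status-fd) than from the human-readable text. The following is an added example, not code from the issue or the Geany project; the status lines are constructed to mirror the issue's two runs, and the pinned fingerprint is the one printed in the issue's "Primary key fingerprint" line.

```shell
#!/bin/sh
# Added example: accept or reject a `gpg --verify` result from its status lines.
# Real invocation (assumed command line, not from the issue):
#   gpg --status-fd 1 --verify geany-plugins-2.0.tar.gz.sig geany-plugins-2.0.tar.gz 2>/dev/null

# Fingerprint published for the release signing key (from the issue).
EXPECTED_FPR="986FA7E80256D3D16F30FB7A01380DF54FD09D02"

# Constructed status output for outcome 1: key imported from frlan-pubkey.txt,
# signature good, key expired after the signature was made.
STATUS_EXPIRED_KEY='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 986FA7E80256D3D16F30FB7A01380DF54FD09D02 0
[GNUPG:] EXPKEYSIG 01380DF54FD09D02 Frank Lanitz <frank@lanitz.info>
[GNUPG:] VALIDSIG 986FA7E80256D3D16F30FB7A01380DF54FD09D02 2023-10-20 1697786321 0 4 0 22 8 00 986FA7E80256D3D16F30FB7A01380DF54FD09D02
[GNUPG:] KEYEXPIRED 1704067200'

# Constructed status output for outcome 2: --recv-keys skipped the key
# ("contains no user ID"), so no public key is in the keyring.
STATUS_NO_PUBKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 01380DF54FD09D02 22 8 00 1697786321 9 986FA7E80256D3D16F30FB7A01380DF54FD09D02
[GNUPG:] NO_PUBKEY 01380DF54FD09D02'

# verify_status STATUS_TEXT EXPECTED_FPR
# Returns 0 only when the signature is cryptographically good (GOODSIG, or
# EXPKEYSIG: an expired key is fine if the signature predates the expiry)
# AND the VALIDSIG fingerprint equals the pinned one. Revoked keys are refused.
verify_status() {
  status="$1"; want="$2"
  if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|REVKEYSIG) '; then
    return 1
  fi
  printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (GOODSIG|EXPKEYSIG) ' || return 1
  # Pin the full 40-hex-digit fingerprint from VALIDSIG (field 3 is the
  # signing key, the last field the primary key); short key IDs such as
  # 01380DF54FD09D02 are not collision-resistant.
  got=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
  [ "$got" = "$want" ]
}

if verify_status "$STATUS_EXPIRED_KEY" "$EXPECTED_FPR"; then
  echo "expired-key run: accepted (signature valid, fingerprint matches)"
fi
if ! verify_status "$STATUS_NO_PUBKEY" "$EXPECTED_FPR"; then
  echo "no-pubkey run: rejected"
fi
```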

@frlan
Member

frlan commented Nov 30, 2024

GnuPG, with all the changes done on Thunderbird, the interesting CLI and the broken signature (trust) system, is kind of broken. It's doing its job, but the tooling is just getting worse every year (imho). I'd suggest we stop using it here. My signature is no more useful than the SSL certificate of the page.

@eht16
Member

eht16 commented Jan 5, 2025

@frlan Then we should remove it altogether?

@frlan
Member

frlan commented Jan 7, 2025

@eht16 I'd vote for it.

@eht16
Member

eht16 commented Jan 12, 2025

If we removed it, it would be good to have some good explanation of why "it is broken". It would at least seem like removing a layer of security from the release downloads.
Also, Debian and maybe other distributions as well use GPG for verifying download integrity.

@frlan could you provide some references and some more detailed reasoning?
