Signing keys need updating on website #357

Open
udf2457 opened this issue Aug 7, 2023 · 2 comments

Comments


udf2457 commented Aug 7, 2023

I downloaded yubihsm2-sdk-2023-01-darwin-amd64.pkg and the associated sig file from the website.

However, it's signed by A8CE167914EEE232B9237B5410CAC4962E03C7CC, which is nowhere to be seen on the keys page.


nevun commented Aug 8, 2023

It is signed by a subkey of one of the keys on that keys page.

You need to gpg --recv-keys them all and then run the verify, like this (I suspected it was aveen's key):

$ gpg --recv-keys 1d7308b0055f5aef36944a8f27a9c24d9588ea0f
$ gpg --verify yubihsm2-sdk-2023-01-darwin-amd64.pkg.sig
gpg: assuming signed data in 'yubihsm2-sdk-2023-01-darwin-amd64.pkg'
gpg: Signature made Tue 24 Jan 2023 07:25:45 PM CET
gpg:                using RSA key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: Good signature from "Aveen Ismail <aveen.ismail@yubico.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 1D73 08B0 055F 5AEF 3694  4A8F 27A9 C24D 9588 EA0F
     Subkey fingerprint: A8CE 1679 14EE E232 B923  7B54 10CA C496 2E03 C7CC

It does say that on that keys page but might be easy to miss.

Verifying signatures with GnuPG

The list above lists primary key fingerprints, but GnuPG may print a subkey fingerprint if you attempt to verify a signature made with an unknown key. You can use gpg --recv-keys to download the necessary key.


udf2457 commented Aug 8, 2023

I see, thanks @nevun .

The trouble with --recv-key is that it implies trust? Might it be better to publish an aggregated file of all keys that could be downloaded and imported in one go?
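The two points raised in this thread, that gpg reports the signing subkey while the keys page lists primary fingerprints, and that an aggregated key file would be easier to import than fetching keys from a keyserver, can be combined into one verification script. The following is an added example, not code from this issue or from Yubico: it imports an aggregated key file into a dedicated keyring, runs gpg with its machine-readable status output, and accepts a download only when the VALIDSIG line's primary key fingerprint is on a pinned allowlist. The names ALLOWED_PRIMARY, check_status, build_keyring, verify_download, the file yubico-keys.asc and the keyring ./yubico-keys.kbx are hypothetical; the status lines in the SAMPLE_* constants are constructed to mirror the expired-subkey case shown above.

```shell
#!/bin/sh
# Added example (not from the issue, not Yubico's code): verify a package
# against pinned PRIMARY key fingerprints using gpg's status-fd output.
# Hypothetical names: ALLOWED_PRIMARY, check_status, build_keyring,
# verify_download, yubico-keys.asc, ./yubico-keys.kbx.

# Primary key fingerprints taken from the published keys page. The value
# below is the primary fingerprint gpg printed in the issue above.
ALLOWED_PRIMARY="1D7308B0055F5AEF36944A8F27A9C24D9588EA0F"

# check_status: read "[GNUPG:] ..." lines on stdin (gpg --status-fd 1).
#   $1 = space-separated allowlist of primary fingerprints (40 hex chars)
# Exit 0 = valid signature from an allowed primary key
#      2 = valid signature from an allowed primary key that has EXPIRED
#      1 = anything else (bad signature, unknown key, no VALIDSIG line)
# On exit 0 or 2 the matched primary fingerprint is printed on stdout.
check_status() {
    allowed="$1"
    primary=""
    expired=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] EXPKEYSIG "*) expired=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG's first field is the key that made the signature
                # (a subkey here); its LAST field is the primary fingerprint,
                # which is what the keys page lists. Match on the latter.
                primary=${line##* }
                ;;
        esac
    done
    # A missing or malformed primary fingerprint is a failure, never a pass.
    [ "${#primary}" -eq 40 ] || return 1
    case "$primary" in *[!0-9A-F]*) return 1 ;; esac
    case " $allowed " in
        *" $primary "*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$primary"
    [ "$expired" -eq 0 ] || return 2
    return 0
}

# build_keyring: import an aggregated ASCII-armored key file ($1) into a
# dedicated keyring file ($2). No keyserver fetch is needed at verify time
# and the user's default keyring is left untouched.
build_keyring() {
    gpg --batch --no-default-keyring --keyring "$2" --import "$1"
}

# verify_download: $1 = package path (detached signature at "$1.sig"),
# $2 = keyring file. Human-readable gpg text goes to stderr and is dropped;
# the decision is made only on the status lines.
verify_download() {
    gpg --batch --no-default-keyring --keyring "$2" --status-fd 1 \
        --verify "$1.sig" "$1" 2>/dev/null | check_status "$ALLOWED_PRIMARY"
}

# Constructed sample status output for the case in the issue: signature by
# subkey A8CE...C7CC, primary 1D73...EA0F, key expired. Timestamps are made up.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 10CAC4962E03C7CC Aveen Ismail <aveen.ismail@yubico.com>
[GNUPG:] VALIDSIG A8CE167914EEE232B9237B5410CAC4962E03C7CC 2023-01-24 1674584745 0 4 0 1 10 00 1D7308B0055F5AEF36944A8F27A9C24D9588EA0F'
# Constructed: same key, not expired.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 10CAC4962E03C7CC Aveen Ismail <aveen.ismail@yubico.com>
[GNUPG:] VALIDSIG A8CE167914EEE232B9237B5410CAC4962E03C7CC 2023-01-24 1674584745 0 4 0 1 10 00 1D7308B0055F5AEF36944A8F27A9C24D9588EA0F'
# Constructed: signature does not verify.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 10CAC4962E03C7CC Aveen Ismail <aveen.ismail@yubico.com>'
# Constructed: valid signature, but from a primary key not on the allowlist.
SAMPLE_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else <nobody@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2023-01-24 1674584745 0 4 0 1 10 00 0000000000000000000000000000000000000000'

# Usage: sh verify.sh verify yubihsm2-sdk-2023-01-darwin-amd64.pkg ./yubico-keys.kbx
# (after: sh -c '. ./verify.sh; build_keyring yubico-keys.asc ./yubico-keys.kbx')
if [ "${1:-}" = "verify" ]; then
    verify_download "$2" "${3:-./yubico-keys.kbx}"
fi
```

Give `--keyring` a path containing a slash (as in ./yubico-keys.kbx); a bare file name is looked up inside the GnuPG home directory instead. Exit status 2 is deliberately distinct from 0 so that a policy can treat an expired-but-allowlisted key as "warn" rather than "accept silently", which is the state gpg reported in this issue.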
