You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It is signed by a subkey of one of the keys on that keys page.
You need to gpg --recv-keys them all and then do verify, like this (I suspected it was aveen's key):
$ gpg --recv-keys 1d7308b0055f5aef36944a8f27a9c24d9588ea0f
$ gpg --verify yubihsm2-sdk-2023-01-darwin-amd64.pkg.sig
gpg: assuming signed data in 'yubihsm2-sdk-2023-01-darwin-amd64.pkg'
gpg: Signature made Tue 24 Jan 2023 07:25:45 PM CET
gpg: using RSA key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: Good signature from "Aveen Ismail <aveen.ismail@yubico.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 1D73 08B0 055F 5AEF 3694 4A8F 27A9 C24D 9588 EA0F
Subkey fingerprint: A8CE 1679 14EE E232 B923 7B54 10CA C496 2E03 C7CC
It does say that on that keys page but might be easy to miss.
Verifying signatures with GnuPG
The list above lists primary key fingerprints, but GnuPG may print a subkey fingerprint
if you attempt to verify a signature made with an unknown key. You can use
gpg --recv-keys to download the necessary key.`
The trouble with --recv-key is implies trust ? Might be better to publish an aggregated file of all keys that could be downloaded and imported in one go ?
I downloaded yubihsm2-sdk-2023-01-darwin-amd64.pkg and the associated sig file from the website
However its signed by
A8CE167914EEE232B9237B5410CAC4962E03C7CC
which is nowhere to be seen on the keys pageThe text was updated successfully, but these errors were encountered: