Verifying with GPG


Post by Deblib » 2019-07-17 07:52

Hello!
When I try to verify F-Droid Privileged extension org.fdroid.fdroid.privileged.ota_2090.zip, GPG tells me the key has expired. Should I trust this file?
Code:
$ gpg --verify org.fdroid.fdroid.privileged.ota_2090.zip.asc org.fdroid.fdroid.privileged.ota_2090.zip
gpg: Signature made mar 05 feb 2019 12:59:36 CET
gpg:                using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A

Re: Verifying with GPG

Post by ruwolf » 2019-07-17 07:59

Yes, it seems to be OK. F-Droid: Release Channels and Signing Keys
You can send a message to the admins about it. :-)

Re: Verifying with GPG

Post by theblueplll » 2019-07-17 19:11

Deblib wrote:
Hello!
When I try to verify F-Droid Privileged extension org.fdroid.fdroid.privileged.ota_2090.zip, GPG tells me the key has expired. Should I trust this file?

Code:
$ gpg --verify org.fdroid.fdroid.privileged.ota_2090.zip.asc org.fdroid.fdroid.privileged.ota_2090.zip
gpg: Signature made mar 05 feb 2019 12:59:36 CET
gpg:                using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 37D2 C987 89D8 3119 4839  4E3E 41E7 044E 1DBA 2E89
     Subkey fingerprint: 802A 9799 0161 1234 6E1F  EFF4 7A02 9E54 DD5D CE7A


No, you shouldn't, if you're wanting to use GPG properly.

Also, taking anyone's advice to just trust it because they found a link saying it is OK, without investigating the matter on your own, is a very bad practice.

Contacting the developers and seeing what they have to say would be the first step.

Then you have to be sure you can trust what they say and verify that it is actually them that you are communicating with.

If you read up on GPG you will find that it is built on a web of trust and if you can't 100% trust what you are reading or using then you shouldn't do it.

So don't use it for now, and investigate the matter.

I understand that this sounds like a lot of work or trouble but if you want security you can't just dive in and hope for the best.
The easier something is, the less secure it is, and you can't have both in my experience.
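Added example, not part of any post in this thread and not F-Droid's or GnuPG's code: the human-readable output quoted above combines "Good signature" with an expiry note, while `gpg --status-fd 1 --verify` emits status lines (`VALIDSIG`, `EXPKEYSIG`, `KEYEXPIRED`, ...) that a script can check against a pinned fingerprint. The sample lines are constructed, the key expiry timestamp is invented, and timestamps are assumed to be epoch seconds.

```python
from datetime import datetime, timezone

# Primary key fingerprint as printed in the thread's gpg output. Compare it
# with the fingerprint the project publishes before pinning it.
PINNED_PRIMARY = "37D2C98789D8311948394E3E41E7044E1DBA2E89"

# CONSTRUCTED status lines for the thread's case. The signature time is the one
# in the post (2019-02-05 12:59:36 CET); the key expiry time is invented.
SAMPLE = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] KEYEXPIRED 1556668800\n"
    "[GNUPG:] EXPKEYSIG 7A029E54DD5DCE7A F-Droid <admin@f-droid.org>\n"
    "[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2019-02-05 "
    "1549367976 0 4 0 1 8 00 37D2C98789D8311948394E3E41E7044E1DBA2E89\n"
)

def classify(status_text, pinned=PINNED_PRIMARY):
    """Return (verdict, reason) for the status lines of one signature."""
    seen, key_expiry, sig_time, primary = set(), None, None, None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        seen.add(keyword)
        if keyword == "KEYEXPIRED" and args:
            key_expiry = int(args[0])      # assumes one KEYEXPIRED line
        elif keyword == "VALIDSIG" and len(args) >= 10:
            sig_time, primary = int(args[2]), args[9]   # epoch, primary fpr
    if seen & {"BADSIG", "ERRSIG", "EXPSIG", "REVKEYSIG"} or sig_time is None:
        return "reject", "bad, unverifiable, expired or revoked-key signature"
    if primary != pinned:
        return "reject", "signed by a key other than the pinned one"
    if "EXPKEYSIG" not in seen:
        return "accept", "good signature from the pinned key"
    if key_expiry is not None and sig_time >= key_expiry:
        return "reject", "signature dated after the key expired"
    # The signature date is asserted by the signer, so this is a prompt to
    # look for a renewed key, not proof the file predates the expiry.
    day = datetime.fromtimestamp(sig_time, timezone.utc).strftime("%Y-%m-%d")
    return "review", f"pinned key has expired; signature dated {day}"

if __name__ == "__main__":
    print(classify(SAMPLE))
```

To use it on a real file, pass it the output of `gpg --status-fd 1 --verify file.asc file`. If the key owner has extended the expiry, importing the updated public key makes gpg report `GOODSIG` instead of `EXPKEYSIG`.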

