Deblib wrote:
Hello!
When I try to verify the F-Droid Privileged Extension org.fdroid.fdroid.privileged.ota_2090.zip, GPG tells me the key has expired.
Should I trust this file?
Code:
$ gpg --verify org.fdroid.fdroid.privileged.ota_2090.zip.asc org.fdroid.fdroid.privileged.ota_2090.zip
gpg: Signature made mar 05 feb 2019 12:59:36 CET
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Subkey fingerprint: 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
No, you shouldn't if you want to use GPG properly.
Also, taking anyone's advice to just trust it because they found a link saying it is OK, without investigating the matter on your own, is a very bad practice.
Contacting the developers and seeing what they have to say would be the first step.
Then you have to be sure you can trust what they say and verify that it is actually them you are communicating with.
If you read up on GPG, you will find that it is built on a web of trust, and if you can't 100% trust what you are reading or using, then you shouldn't do it.
So don't use it for now, and investigate the matter.
I understand that this sounds like a lot of work or trouble, but if you want security you can't just dive in and hope for the best.
The easier something is, the less secure it is, and you can't have both in my experience.
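
Added example, not part of either post: a Python check that reads the machine-readable lines from `gpg --status-fd 1 --verify` plus `gpg --with-colons --list-keys` output, and separates "signed by the pinned key before it expired" from the cases that should be rejected outright. The status and key-listing samples, including the key dates, are constructed; the function names are hypothetical, and the pinned fingerprint is assumed to come from a channel independent of the download.

```python
# Added example: classify gpg status output against a pinned primary key.
# SAMPLE_* text is constructed; the key dates are NOT the real key's dates.
PINNED = "37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89"  # assumed verified out of band
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1560000000
[GNUPG:] EXPKEYSIG 7A029E54DD5DCE7A F-Droid <admin@f-droid.org>
[GNUPG:] VALIDSIG 802A9799016112346E1FEFF47A029E54DD5DCE7A 2019-02-05 1549367976 0 4 0 1 10 00 37D2C98789D8311948394E3E41E7044E1DBA2E89
"""
SAMPLE_COLONS = "sub:e:4096:1:7A029E54DD5DCE7A:1400000000:1560000000:::::s::::::23:\n"

def parse_status(status_text):
    """Map each '[GNUPG:] KEYWORD args...' line to {KEYWORD: [args]}."""
    out = {}
    for line in status_text.splitlines():
        parts = line.split()
        if line.startswith("[GNUPG:] ") and len(parts) > 1:
            out[parts[1]] = parts[2:]
    return out

def key_expiry(colons_text, keyid):
    """Expiry (epoch seconds) of a pub/sub record: field 5 is the key ID, field 7 the expiry."""
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 6 and f[4] == keyid:
            return int(f[6]) if f[6] else None
    return None

def assess(status_text, colons_text, pinned_primary_fpr):
    st = parse_status(status_text)
    if "VALIDSIG" not in st or any(k in st for k in ("BADSIG", "ERRSIG", "REVKEYSIG")):
        return "reject: no valid signature"
    v = st["VALIDSIG"]
    # VALIDSIG args: signing fpr, date, sig timestamp, ..., primary key fpr (last)
    signing_fpr, sig_ts, primary_fpr = v[0], int(v[2]), v[-1]
    if primary_fpr != pinned_primary_fpr.replace(" ", ""):
        return "reject: signed by an unpinned key"
    if "EXPKEYSIG" in st:
        expiry = key_expiry(colons_text, signing_fpr[-16:])
        if expiry is not None and sig_ts < expiry:
            return "review: signature predates key expiry"
        return "reject: signed after key expiry"
    return "good" if "GOODSIG" in st else "reject: unexpected status"

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, SAMPLE_COLONS, PINNED))
```

A "review" result only establishes that the signature was made by the pinned key while it was still valid; whether to install still depends on confirming the fingerprint and the key's current status with the developers.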