Unable to Verify Keys in Plugins Tarball
Following instructions here: https://plugins.geany.org/downloads.html
Adding the key:
$ gpg --recv-keys 01380DF54FD09D02
gpg: key 01380DF54FD09D02: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
Verifying the key:
$ gpg --verify geany-plugins-2.0.tar.gz.sig geany-plugins-2.0.tar.gz
gpg: Signature made Fri 20 Oct 2023 03:18:41 AM ADT
gpg: using EDDSA key 986FA7E80256D3D16F30FB7A01380DF54FD09D02
gpg: Can't check signature: No public key
This looks like it didn't work. What am I doing wrong?
My OS: Ubuntu 22.04.5 LTS
$ uname -srvmpio
Linux 6.8.0-49-generic #49~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Nov 6 17:42:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/allanmacdonald/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Previous version:
$ gpg --recv-keys B7A4039D0630EA07
gpg: key B7A4039D0630EA07: public key "Frank Lanitz <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --verify geany-plugins-1.38.tar.gz.sig geany-plugins-1.38.tar.gz
gpg: Signature made Sat 09 Oct 2021 10:53:55 AM ADT
gpg: using EDDSA key 986FA7E80256D3D16F30FB7A01380DF54FD09D02
gpg: Can't check signature: No public key
However, this way seems to work:
$ wget https://download.geany.org/frlan-pubkey.txt
$ gpg --import < frlan-pubkey.txt
$ gpg --verify geany-plugins-2.0.tar.gz.sig geany-plugins-2.0.tar.gz
gpg: Signature made Fri 20 Oct 2023 03:18:41 AM ADT
gpg: using EDDSA key 986FA7E80256D3D16F30FB7A01380DF54FD09D02
gpg: Good signature from "Frank Lanitz <[email protected]>" [expired]
gpg: aka "Frank Lanitz <[email protected]>" [expired]
gpg: aka "Frank Lanitz <[email protected]>" [expired]
gpg: aka "Frank Lanitz <[email protected]>" [expired]
gpg: aka "Frank Lanitz <[email protected]>" [expired]
gpg: aka "Frank Lanitz <[email protected]>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 986F A7E8 0256 D3D1 6F30 FB7A 0138 0DF5 4FD0 9D02
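The two runs above are easier to tell apart by machine than by eye, so here is an added example (not from the thread or the Geany project): a small Python check that reads gpg's `--status-fd` output, accepts a good signature even when the key has expired since signing, and rejects a missing key or any primary key other than the fingerprint quoted above. The key id and fingerprint are the ones from the thread; the status lines are constructed samples, not captured gpg output.

```python
# Gate a tarball on gpg's machine-readable status output: run
# `gpg --status-fd 1 --verify FILE.sig FILE` and pass its lines to verify_status().
# Key id and fingerprint are those quoted in the thread; the sample status lines
# are constructed for illustration, not captured gpg output.

PINNED_PRIMARY_FPR = "986FA7E80256D3D16F30FB7A01380DF54FD09D02"  # from the thread

# Constructed samples: the thread's failing run (keyserver gave no usable key)
# and its working run (signature good, key expired after signing).
SAMPLE_NO_KEY = [
    "[GNUPG:] ERRSIG 01380DF54FD09D02 22 8 00 1697782721 9",
    "[GNUPG:] NO_PUBKEY 01380DF54FD09D02",
]
SAMPLE_EXPIRED_OK = [
    "[GNUPG:] KEYEXPIRED 1700000000",
    "[GNUPG:] EXPKEYSIG 01380DF54FD09D02 Frank Lanitz <[email protected]>",
    "[GNUPG:] VALIDSIG 986FA7E80256D3D16F30FB7A01380DF54FD09D02 2023-10-20 "
    "1697782721 0 4 0 22 8 00 986FA7E80256D3D16F30FB7A01380DF54FD09D02",
]

def verify_status(lines, pinned_fpr=PINNED_PRIMARY_FPR):
    """Return (ok, reason).  GOODSIG and EXPKEYSIG both count as good (gpg
    has already confirmed the key was valid when the signature was made);
    a missing key, a bad signature or an unpinned primary fingerprint is
    rejected, so "Good signature" from an unrelated key is not enough."""
    good = expired = False
    primary = None
    for raw in lines:
        if not raw.startswith("[GNUPG:] "):
            continue                        # human-readable chatter, skip
        f = raw.split()[1:]                 # ['TAG', arg1, arg2, ...]
        if f[0] == "NO_PUBKEY":
            return False, f"no public key for {f[1]}; import it from a trusted file"
        if f[0] == "BADSIG":
            return False, f"bad signature from {f[1]}"
        if f[0] == "GOODSIG":
            good = True
        elif f[0] == "EXPKEYSIG":
            good = expired = True
        elif f[0] == "VALIDSIG":            # ... <class> [<primary_fpr>] is last
            primary = f[10] if len(f) >= 11 else f[1]
    if not (good and primary):
        return False, "no good signature reported"
    if primary.upper() != pinned_fpr.upper():
        return False, f"primary key {primary} is not the pinned {pinned_fpr}"
    return True, "good signature" + (" (key expired since signing)" if expired else "")
```

Pinning the primary fingerprint is what makes the check meaningful: a keyserver can hand back any key with a matching short id, but only the key whose fingerprint is published on geany.org should be accepted.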
@allanwmacdonald so the signature verification worked, I guess. The expired key is nothing bad; what matters is that it was valid when the signature was created.
I'm just wondering about the first output of retrieving the key:
$ gpg --recv-keys 01380DF54FD09D02
gpg: key 01380DF54FD09D02: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
@frlan was the key not uploaded?
Maybe we should update the instructions to import the key from the file on geany.org?
GnuPG, with all the changes done on Thunderbird, the interesting CLI and the broken signature (trust) system, is kind of broken. It's doing its job, but the tooling is just getting worse every year (imho). I'd suggest stopping its use here. My signature is no more useful than the SSL certificate of the page.
@frlan Then we should remove it altogether?
@eht16 I'd vote for it.
If we removed it, it would be good to have a good explanation why "it is broken". It would at least look like removing a layer of security from the release downloads. Also Debian, and maybe other distributions as well, use GPG for verifying download integrity.
@frlan could you provide some references and some more detailed reasoning?
Just a short heads-up: still not very happy about the current state of the GPG ecosystem and its tools, but signing packages is not toooooo complicated etc. I've just created a new key with 3 years' validity that will be cross-signed and uploaded to the resource later and will be used for g-p 2.1 release files.