PGP Signing key location?

[kklash]

I can't find your PGP signing keys published on any major keyserver or on your website. I don't see them on your releases page or elsewhere. You have published the key IDs but not the public keys themselves.

This would seem to make the signatures rather pointless if users can't store the public keys and verify each new release using them, nor can we verify if your PGP keys have trusted signatures on them. Assuming an attacker gains control of your website or github repo, they can just change the key ID's to be whatever key ID suits them, and make impostor signatures.

[dstftw]

phihag https://phihag.de/keys/A4826A18.asc
dstftw https://dstftw.github.io/keys/18A9236D.asc

[Clanwarz]

Sergey, your sig is bad mate.

root@newyork /usr/local/bin # wget https://phihag.de/keys/A4826A18.asc https://dstftw.github.io/keys/18A9236D.asc

Saving to: ‘A4826A18.asc’

Saving to: ‘18A9236D.asc’

Downloaded: 2 files, 8.3K in 0.001s (10.6 MB/s)


root@newyork /usr/local/bin # gpg --import 18A9236D.asc A4826A18.asc
gpg: key 18A9236D: "Sergey M. <dstftw@gmail.com>" not changed
gpg: key A4826A18: "Philipp Hagemeister <phihag@phihag.de>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2

root@newyork /usr/local/bin # gpg --verify /usr/local/bin/youtube-dl.sig /usr/local/bin/youtube-dl
gpg: Signature made Fri 07 Sep 2018 04:44:28 PM EDT using RSA key ID 18A9236D
gpg: BAD signature from "Sergey M. <dstftw@gmail.com>"