
PGP Signing key location? #19199

Closed
kklash opened this issue Feb 12, 2019 · 2 comments

Comments

@kklash kklash commented Feb 12, 2019

I can't find your PGP signing keys published on any major keyserver or on your website. I don't see them on your releases page or elsewhere. You have published the key IDs but not the public keys themselves.

This would seem to make the signatures rather pointless if users can't store the public keys and verify each new release using them, nor can we verify if your PGP keys have trusted signatures on them. Assuming an attacker gains control of your website or GitHub repo, they can just change the key IDs to be whatever key ID suits them, and make impostor signatures.

@Clanwarz Clanwarz commented Oct 24, 2019

Sergey, your sig is bad, mate.

root@newyork /usr/local/bin # wget https://phihag.de/keys/A4826A18.asc https://dstftw.github.io/keys/18A9236D.asc
Saving to: ‘A4826A18.asc’
Saving to: ‘18A9236D.asc’
Downloaded: 2 files, 8.3K in 0.001s (10.6 MB/s)

root@newyork /usr/local/bin # gpg --import 18A9236D.asc A4826A18.asc
gpg: key 18A9236D: "Sergey M. <dstftw@gmail.com>" not changed
gpg: key A4826A18: "Philipp Hagemeister <phihag@phihag.de>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2

root@newyork /usr/local/bin # gpg --verify /usr/local/bin/youtube-dl.sig /usr/local/bin/youtube-dl
gpg: Signature made Fri 07 Sep 2018 04:44:28 PM EDT using RSA key ID 18A9236D
gpg: BAD signature from "Sergey M. <dstftw@gmail.com>"
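The check that both comments are circling, as an added example that is not part of this thread and not youtube-dl's own release tooling: verify a detached signature against a dedicated keyring and require the signer's full 160-bit fingerprint to equal a value pinned out of band, instead of trusting the 32-bit key ID published on a website or printed in gpg's "using RSA key ID" line. It assumes GnuPG 2.x is installed; the signer key, the stand-in release file and every path are constructed for the demo, and the real youtube-dl keys and URLs above are not used.

```shell
#!/bin/sh
# Added example (not youtube-dl's release tooling): verify a detached PGP
# signature against a dedicated keyring and a pinned FULL fingerprint.
# Assumes GnuPG 2.x is installed. Keys, files and paths are constructed here.
set -eu

# verify_pinned FILE SIG KEYRING FINGERPRINT...
# Returns 0 only when gpg reports VALIDSIG and the signing key's full
# fingerprint equals one of the pinned values; the reason for a failure
# goes to stderr. gpg's own exit status is ignored on purpose: "valid for
# some key in the keyring" is weaker than "signed by the key we pinned".
verify_pinned() {
    file=$1; sig=$2; keyring=$3; shift 3
    status=$(gpg --batch --quiet --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || true
    case "$status" in
        *"[GNUPG:] BADSIG"*)    echo "BAD signature: file or signature altered" >&2; return 1 ;;
        *"[GNUPG:] NO_PUBKEY"*) echo "signing key is not in the keyring" >&2; return 1 ;;
    esac
    # VALIDSIG carries the 40-hex fingerprint. GOODSIG only carries the
    # 64-bit key ID, and an "RSA key ID 18A9236D" in gpg's text output is
    # just the low 32 bits, which an attacker can grind a fresh key to match.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || { echo "no valid signature found" >&2; return 1; }
    for pinned in "$@"; do
        [ "$fpr" = "$pinned" ] && return 0
    done
    echo "valid signature, but key $fpr is not a pinned release key" >&2
    return 1
}

# demo_scenarios: throwaway signer in a temporary GNUPGHOME, a stand-in
# release file, and three checks. Prints "good unpinned bad" on success.
demo_scenarios() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/home"
    mkdir -m 700 "$GNUPGHOME"
    # Constructed signer key (plays the role of the maintainer's release key)
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Release Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')

    # Stand-ins for youtube-dl and youtube-dl.sig
    printf '#!/bin/sh\necho stand-in release\n' > "$work/release"
    gpg --batch --quiet --detach-sign --output "$work/release.sig" "$work/release"

    # The user's side: a keyring holding only the published public key,
    # pinned by full fingerprint rather than by the key ID on a web page
    gpg --batch --quiet --armor --export "$fpr" > "$work/signer.asc"
    gpg --batch --quiet --no-default-keyring --keyring "$work/release.kbx" \
        --import "$work/signer.asc"

    r1=bad
    verify_pinned "$work/release" "$work/release.sig" "$work/release.kbx" "$fpr" && r1=good
    # Same valid signature, but the verifier pinned a different fingerprint:
    # the "attacker swapped the key ID on the website" case from the report
    r2=accepted
    verify_pinned "$work/release" "$work/release.sig" "$work/release.kbx" \
        0000000000000000000000000000000000000000 || r2=unpinned
    # Tampered release: the BADSIG case from the transcript
    printf 'echo tampered\n' >> "$work/release"
    r3=accepted
    verify_pinned "$work/release" "$work/release.sig" "$work/release.kbx" "$fpr" || r3=bad

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

# Run with: sh verify_release.sh demo
if [ "${1-}" = demo ]; then
    demo_scenarios
fi
```

A gpg exit status of 0 only says the signature verifies under some key in the keyring; it does not say that key is the one you meant, which is why the fingerprint comparison is done in the script rather than left to gpg's trust model. A BADSIG like the one in the transcript above fails closed, and so does a valid signature from a key that was never pinned, which is the impostor-key scenario in the opening comment.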