Re: GPG Keys Now Available

General discussion of HandBrake - not for tech support
Forum rules
Activity Log is required for support requests. See Must Read: How To Get Questions Answered on These Forums for details
Post Reply
fibruve
Posts: 3
Joined: Thu May 11, 2017 8:31 pm

Re: GPG Keys Now Available

Post by fibruve » Thu May 18, 2017 3:38 am

May I suggest that the Key ID and Fingerprint of the GPG signing key be conspicuously posted.
For example, adding them to the forum post and perhaps elsewhere.
viewtopic.php?f=33&t=36386

User avatar
BradleyS
Moderator
Posts: 858
Joined: Thu Aug 09, 2007 12:16 pm

Re: Re: GPG Keys Now Available

Post by BradleyS » Thu May 18, 2017 11:30 am

Is the GitHub article linked from that forum post not sufficient? OpenPGP

User avatar
BradleyS
Moderator
Posts: 858
Joined: Thu Aug 09, 2007 12:16 pm

Re: Re: GPG Keys Now Available

Post by BradleyS » Thu May 18, 2017 11:38 am

I added the output of

Code: Select all

gpg2 --fingerprint HandBrake
to the article.

fibruve
Posts: 3
Joined: Thu May 11, 2017 8:31 pm

Re: Re: GPG Keys Now Available

Post by fibruve » Fri May 19, 2017 4:28 am

It may be prudent to have the signing key's fingerprint published in a location that is separate from the service that hosts the signature files.

Currently the signature files are published at HandBrake's github and so is the pub key and fingerprint.
If HandBrake's github is hacked it is easy for the attacker to generate their own fake HandBrake Team key and use it to create signature files for a hacked version of the app. Since the attackers would have access to HandBrake's github they can also alter the wiki page to show the fingerprint of their fake key.

Having the fingerprint published on service that does not share credentials or infrastructure with the signature files lessens the risk of an attackers substituting a fake key and signature files for the real ones.

User avatar
s55
HandBrake Team
Posts: 8751
Joined: Sun Dec 24, 2006 1:05 pm

Re: Re: GPG Keys Now Available

Post by s55 » Fri May 19, 2017 6:25 pm

Yeh, we mirror our hashes for that reason. I'll get the GPG page mirrored as well and make sure it links to github.

Post Reply