May I suggest that the Key ID and Fingerprint of the GPG signing key be conspicuously posted.
For example, adding them to the forum post and perhaps elsewhere.
Re: GPG Keys Now Available
Re: Re: GPG Keys Now Available
Is the GitHub article linked from that forum post not sufficient? OpenPGP
Re: Re: GPG Keys Now Available
I added the output of the following to the article:

    gpg2 --fingerprint HandBrake
Re: Re: GPG Keys Now Available
It may be prudent to have the signing key's fingerprint published in a location that is separate from the service that hosts the signature files.
Currently the signature files are published at HandBrake's GitHub, and so are the pub key and fingerprint.
If HandBrake's GitHub is hacked, it is easy for the attacker to generate their own fake HandBrake Team key and use it to create signature files for a hacked version of the app. Since the attackers would have access to HandBrake's GitHub, they can also alter the wiki page to show the fingerprint of their fake key.
Having the fingerprint published on a service that does not share credentials or infrastructure with the signature files lessens the risk of an attacker substituting a fake key and signature files for the real ones.
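The point of publishing the fingerprint on a second, independent service is that the person verifying a download can pin it and reject any signature made by a different key, even one that gpg itself reports as GOODSIG because it was imported from the same compromised repository. The following is an added example, not HandBrake's own tooling or anything from this thread: it parses gpg's machine-readable `--status-fd` output and accepts a signature only if the signing key's primary fingerprint matches the pinned value. The pinned fingerprint and the three status transcripts are constructed samples, not real HandBrake values.

```python
"""Pin a signing-key fingerprint obtained out of band and check gpg's verify
result against it. Example added to this thread; not HandBrake's code.
PINNED_FINGERPRINT and the *_STATUS transcripts are constructed samples."""
import re
import subprocess
from typing import Optional, Tuple

# Constructed placeholder: in practice, copy this from the independent mirror,
# not from the same repository that hosts the signature files.
PINNED_FINGERPRINT = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"


def normalize_fingerprint(fpr: str) -> str:
    """Drop spaces and colons and upper-case, so differently formatted copies compare equal."""
    return re.sub(r"[\s:]", "", fpr).upper()


def signing_fingerprint(status_output: str) -> Optional[str]:
    """Return the normalized primary-key fingerprint from a VALIDSIG status line.

    VALIDSIG fields after the keyword: fpr date timestamp expire sig-version
    reserved pubkey-algo hash-algo sig-class [primary-key-fpr]. The trailing
    primary fingerprint is present when a subkey made the signature.
    Returns None when gpg reported no valid signature (e.g. BADSIG only)."""
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] VALIDSIG "):
            continue
        fields = line.split()[2:]
        fpr = fields[-1] if len(fields) >= 10 else fields[0]
        return normalize_fingerprint(fpr)
    return None


def verify_against_pin(status_output: str, pinned: str = PINNED_FINGERPRINT) -> Tuple[bool, str]:
    """Accept only a cryptographically valid signature made by the pinned key."""
    fpr = signing_fingerprint(status_output)
    if fpr is None:
        return False, "gpg reported no valid signature"
    if fpr != normalize_fingerprint(pinned):
        # A substituted key can still produce GOODSIG/VALIDSIG if the user
        # imported it; only the out-of-band fingerprint exposes the swap.
        return False, f"signature made by {fpr}, which is not the pinned key"
    return True, "signature valid and made by the pinned key"


def run_gpg_verify(sig_path: str, file_path: str) -> str:
    """Run gpg and return its status lines (status goes to fd 1, messages to stderr)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample transcripts of gpg --status-fd output.
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Team (constructed sample) <team@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2017-05-01 1493596800 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Valid signature, but from an attacker-generated key: gpg still says GOODSIG.
SUBSTITUTED_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Team (constructed fake) <team@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2017-05-01 1493596800 0 4 0 1 8 00
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
BAD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Team (constructed sample) <team@example.invalid>
"""

if __name__ == "__main__":
    for name, status in [("good", GOOD_STATUS), ("substituted", SUBSTITUTED_STATUS), ("bad", BAD_STATUS)]:
        ok, reason = verify_against_pin(status)
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

To use it against a real download, replace the constructed transcripts with `run_gpg_verify("HandBrake.dmg.sig", "HandBrake.dmg")` and set `PINNED_FINGERPRINT` to the value copied from the mirror. The check deliberately ignores gpg's trust model and the key's user ID, since both can be faked by whoever controls the repository the key was downloaded from.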
Re: Re: GPG Keys Now Available
Yeh, we mirror our hashes for that reason. I'll get the GPG page mirrored as well and make sure it links to github.