Re: GPG Keys Now Available

General questions or discussion about HandBrake, Video and/or audio transcoding, trends etc.
fibruve
Posts: 3
Joined: Thu May 11, 2017 8:31 pm

Re: GPG Keys Now Available

Post by fibruve »

May I suggest that the Key ID and Fingerprint of the GPG signing key be conspicuously posted.
For example, adding them to the forum post and perhaps elsewhere.
viewtopic.php?f=33&t=36386
BradleyS
Moderator
Posts: 1860
Joined: Thu Aug 09, 2007 12:16 pm

Re: Re: GPG Keys Now Available

Post by BradleyS »

Is the GitHub article linked from that forum post not sufficient? OpenPGP
BradleyS
Moderator
Posts: 1860
Joined: Thu Aug 09, 2007 12:16 pm

Re: Re: GPG Keys Now Available

Post by BradleyS »

I added the output of

    gpg2 --fingerprint HandBrake

to the article.
fibruve
Posts: 3
Joined: Thu May 11, 2017 8:31 pm

Re: Re: GPG Keys Now Available

Post by fibruve »

It may be prudent to have the signing key's fingerprint published in a location that is separate from the service that hosts the signature files.

Currently the signature files are published at HandBrake's GitHub, and so are the public key and fingerprint.
If HandBrake's GitHub is hacked, it is easy for the attacker to generate their own fake HandBrake Team key and use it to create signature files for a hacked version of the app. Since the attackers would have access to HandBrake's GitHub, they can also alter the wiki page to show the fingerprint of their fake key.

Having the fingerprint published on a service that does not share credentials or infrastructure with the signature files lessens the risk of an attacker substituting a fake key and signature files for the real ones.
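The separately published fingerprint only helps if the person verifying a download actually compares it against the key that produced the signature. A bare `gpg --verify` exits 0 whenever the signature checks out against any key in the local keyring, including a fake one imported from a compromised wiki page. The script below is an added example, not HandBrake's own tooling: it runs gpg in machine-readable mode, pulls the signer's primary-key fingerprint out of the VALIDSIG status line, and refuses the file unless that fingerprint equals one pinned in the script from an out-of-band source (the mirrored page s55 mentions, a printed copy, a keysigning). The pinned value here is a placeholder, not the real HandBrake key, and the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: verify a release against its detached OpenPGP signature AND
# pin the signer's fingerprint to a value obtained from a channel that does
# not share infrastructure with the host serving the .sig files.
# PINNED_FPR is a PLACEHOLDER for illustration, not HandBrake's real fingerprint.
PINNED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Canonicalise a fingerprint as gpg prints it (grouped, mixed case) to 40 hex
# characters so that copy-pasted values compare reliably.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Return 0 only if the two fingerprints are identical after canonicalisation.
fpr_matches() {
    [ -n "$1" ] && [ -n "$2" ] &&
        [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Read gpg --status-fd output on stdin and print the signer's PRIMARY key
# fingerprint. VALIDSIG fields: $3 is the fingerprint of the (sub)key that made
# the signature, $12 is the fingerprint of the primary key it belongs to, which
# is what the published fingerprint identifies. Prints nothing if no VALIDSIG.
signer_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }'
}

# verify_release <file> <detached .sig/.asc>
# Exit 1 if the signature is bad, the key is unknown, or the signer is not
# the pinned key. Status lines go to stdout (--status-fd 1) for parsing.
verify_release() {
    file="$1"; sig="$2"
    status="$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null)" || {
        echo "BAD: signature on $file did not verify (bad sig or unknown key)" >&2
        return 1
    }
    actual="$(printf '%s\n' "$status" | signer_primary_fpr)"
    if fpr_matches "$PINNED_FPR" "$actual"; then
        echo "OK: $file signed by pinned key $(normalize_fpr "$actual")"
    else
        echo "BAD: $file signed by '$actual', expected $(normalize_fpr "$PINNED_FPR")" >&2
        return 1
    fi
}

# Usage: sh verify.sh <file> <file.sig>; does nothing when sourced without args.
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

Replace PINNED_FPR with the fingerprint copied from the independently hosted page, not from the same repository that serves the signatures; if the two sources ever disagree, that disagreement is the signal this thread is about, and the download should be treated as untrusted until it is resolved.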
s55
HandBrake Team
Posts: 10350
Joined: Sun Dec 24, 2006 1:05 pm

Re: Re: GPG Keys Now Available

Post by s55 »

Yeh, we mirror our hashes for that reason. I'll get the GPG page mirrored as well and make sure it links to github.