Bug 125780 - Public key for verifying signature of AppImage packages not uploaded to key server(s) !
Status: REOPENED
Product: LibreOffice
Classification: Unclassified
Component: Installation
Version (earliest affected): unspecified
Hardware: All Linux (All)
Importance: medium normal
Assignee: Not Assigned
Reported: 2019-06-07 13:16 UTC by yousifjkadom
Modified: 2020-06-07 14:41 UTC
Description yousifjkadom 2019-06-07 13:16:58 UTC
Hi. Please look at this topic that was opened by me (Nokia808) on Ask LibreOffice:

https://ask.libreoffice.org/en/question/196264/is-it-safe-to-import-public-key-of-appimage-package-this-way-without-finger-print/

As you see, the public key is neither linked on the AppImage pages nor uploaded to key server(s), so how can we import it (or them; I did not examine all key IDs from all available signatures) to verify the downloaded package(s)?

Kindly give attention to this issue. I did not see a special e-mail or contact channel for the AppImage packager(s) to contact them directly.
Comment 1 Antonio Faccioli - The Document Foundation 2019-06-08 07:28:32 UTC
Something did not work properly, so we have just re-released the public key.
I also answered on ASK.
Comment 2 Antonio Faccioli - The Document Foundation 2019-06-08 07:50:15 UTC
I have verified the key from the keyserver pgp.key-server.io
Comment 3 yousifjkadom 2019-06-08 20:17:27 UTC
Hi. I tried 2 times but both times I received an error message about a server failure. See below:

$ gpg --verify libreoffice.ai.asc libreoffice.ai
gpg: Signature made Sat 25 May 2019 06:28:30 AM GMT
gpg:                using RSA key D4761B78E365B53D
gpg: Can't check signature: No public key

$ gpg --recv-keys D4761B78E365B53D
gpg: keyserver receive failed: Server indicated a failure
Comment 4 Antonio Faccioli - The Document Foundation 2019-06-09 07:13:23 UTC
Try with gpg --keyserver pgp.key-server.io --recv-keys E365B53D (or gpg2)
Comment 5 Fernando 2020-05-26 18:49:00 UTC
Hi,

I just downloaded the LibreOffice AppImage, and had to search a lot for the public key, until I finally did this:

$ gpg2 --keyserver hkp://keys.gnupg.net --search-keys libreoffice.org

And even then, the result was this:

$ gpg2 --verify LibreOffice-still.standard-x86_64.AppImage.asc

gpg: asumiendo que los datos firmados están en 'LibreOffice-still.standard-x86_64.AppImage'
gpg: Firmado el mié 06 may 2020 09:13:32 -03
gpg:                usando RSA clave D4761B78E365B53D
gpg: Firma correcta de "Antonio Faccioli (LibreOffice AppImage Package) <antonio.faccioli@libreoffice.org>" [desconocido]
gpg: ATENCIÓN: ¡Esta clave no está certificada por una firma de confianza!
gpg:          No hay indicios de que la firma pertenezca al propietario.
Huellas dactilares de la clave primaria: DA5E 52F8 C6C9 DC6F 1473  E903 D476 1B78 E365 B53D

So, I don't see how this is fixed. It's supposed to bring trust; otherwise why not just publish the SHA256, which at least is easy to verify and doesn't show warnings everywhere?

Regards
Comment 6 Antonio Faccioli - The Document Foundation 2020-05-27 19:34:21 UTC
Hi, could you try again and tell me if it works now?
I sent the public key back to the keys.gnupg.net server.

Regards
Comment 7 Fernando 2020-06-07 14:37:33 UTC
I searched for the key with:

$ gpg2 --keyserver hkp://keys.gnupg.net --search-keys D4761B78E365B53D

gpg: data source: http://192.146.137.140:11371
(1)	Antonio Faccioli (LibreOffice AppImage Package) <antonio.faccioli@libr
	  2048 bit RSA key D4761B78E365B53D, creado: 2017-06-17
Keys 1-1 of 1 for "D4761B78E365B53D".  Introduzca número(s), O)tro, o F)in > 1
gpg: clave D4761B78E365B53D: clave pública "Antonio Faccioli (LibreOffice AppImage Package) <antonio.faccioli@libreoffice.org>" importada
gpg: Cantidad total procesada: 1
gpg:               importadas: 1


(I imported it)
(I had to search that way, because if I search for libreoffice.org there are a LOT of entries)

then:

$ gpg2 --verify LibreOffice-still.standard-x86_64.AppImage.asc
gpg: asumiendo que los datos firmados están en 'LibreOffice-still.standard-x86_64.AppImage'
gpg: Firmado el mié 06 may 2020 09:13:32 -03
gpg:                usando RSA clave D4761B78E365B53D
gpg: Firma correcta de "Antonio Faccioli (LibreOffice AppImage Package) <antonio.faccioli@libreoffice.org>" [desconocido]
gpg: ATENCIÓN: ¡Esta clave no está certificada por una firma de confianza!
gpg:          No hay indicios de que la firma pertenezca al propietario.
Huellas dactilares de la clave primaria: DA5E 52F8 C6C9 DC6F 1473  E903 D476 1B78 E365 B53D


I don't know much about gpg2, but shouldn't the following command:

$ gpg2 LibreOffice-still.standard-x86_64.AppImage.asc

be supposed to find the key on its own, with no warnings whatsoever?
Comment 8 Fernando 2020-06-07 14:41:59 UTC
Sorry, I meant:

$ gpg2 --verify LibreOffice-still.standard-x86_64.AppImage.asc

gpg: asumiendo que los datos firmados están en 'LibreOffice-still.standard-x86_64.AppImage'
gpg: Firmado el mié 06 may 2020 09:13:32 -03
gpg:                usando RSA clave D4761B78E365B53D
gpg: Firma correcta de "Antonio Faccioli (LibreOffice AppImage Package) <antonio.faccioli@libreoffice.org>" [desconocido]
gpg: ATENCIÓN: ¡Esta clave no está certificada por una firma de confianza!
gpg:          No hay indicios de que la firma pertenezca al propietario.
Huellas dactilares de la clave primaria: DA5E 52F8 C6C9 DC6F 1473  E903 D476 1B78 E365 B53D


Still, there's a warning there, and I had to import the RSA key from hkp://keys.gnupg.net. It's supposed to find the key without specifying a server, or importing it, right?

-----

Same test, with another LibreOffice version:

$ gpg2 --verify LibreOffice-6.3.6.ar.help-x86_64.AppImage.asc 
gpg: asumiendo que los datos firmados están en 'LibreOffice-6.3.6.ar.help-x86_64.AppImage'
gpg: Firmado el mié 06 may 2020 09:31:45 -03
gpg:                usando RSA clave D4761B78E365B53D
gpg: Firma correcta de "Antonio Faccioli (LibreOffice AppImage Package) <antonio.faccioli@libreoffice.org>" [desconocido]
gpg: ATENCIÓN: ¡Esta clave no está certificada por una firma de confianza!
gpg:          No hay indicios de que la firma pertenezca al propietario.
Huellas dactilares de la clave primaria: DA5E 52F8 C6C9 DC6F 1473  E903 D476 1B78 E365 B53D

Regards.
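As an added example (not from this thread, LibreOffice or the packager): the "not certified by a trusted signature" warning seen in Comments 5, 7 and 8 is what gpg prints for any key the local keyring has not certified, so the usable check is to pin the packager fingerprint quoted in the output and read gpg's machine-readable status lines instead of its human-readable warnings. The fingerprint is the one shown above; the file names, the gpg option `--auto-key-retrieve` (a real gpg option that fetches an unknown signing key from the configured keyserver, the behaviour Comment 8 expected by default) and the sample status lines in `demo` are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not the project's own code: verify an AppImage signature by
# pinning the packager key fingerprint quoted in the thread, so the
# web-of-trust warning is replaced by an explicit fingerprint comparison.
set -eu

# Fingerprint from the gpg output above (spaces removed).
EXPECTED_FPR="DA5E52F8C6C9DC6F1473E903D4761B78E365B53D"

# check_status reads "gpg --status-fd" lines on stdin and returns 0 only when
# a VALIDSIG line names the pinned fingerprint (as signing key or primary key)
# and no BADSIG/ERRSIG line was seen. TRUST_* lines are ignored on purpose:
# a pinned fingerprint needs no web-of-trust certification.
check_status() {
    expected="$1"
    found=1
    set -f  # no pathname expansion while word-splitting status lines
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                set -- $line   # $3 = signing-key fpr, last field = primary-key fpr
                sig_fpr="$3"
                eval "primary_fpr=\${$#}"
                if [ "$sig_fpr" = "$expected" ] || [ "$primary_fpr" = "$expected" ]; then
                    found=0
                fi ;;
        esac
    done
    return "$found"
}

# verify_appimage runs gpg on IMAGE and IMAGE.asc (file names assumed).
# --auto-key-retrieve lets gpg fetch an unknown signing key from the keyserver.
verify_appimage() {
    image="$1"
    gpg --batch --status-fd 1 --auto-key-retrieve --verify "$image.asc" "$image" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
}

# demo feeds constructed status lines (no gpg or network needed); returns 0 on success.
demo() {
    printf '%s\n' \
      "[GNUPG:] GOODSIG D4761B78E365B53D Antonio Faccioli (LibreOffice AppImage Package) <antonio.faccioli@libreoffice.org>" \
      "[GNUPG:] VALIDSIG DA5E52F8C6C9DC6F1473E903D4761B78E365B53D 2020-05-06 1588767212 0 4 0 1 8 00 DA5E52F8C6C9DC6F1473E903D4761B78E365B53D" \
      "[GNUPG:] TRUST_UNDEFINED 0 pgp" | check_status "$EXPECTED_FPR"
}
```

Run `verify_appimage LibreOffice-still.standard-x86_64.AppImage` against a real download; a wrong or unsigned file fails the check even when gpg itself reports a "good" signature from some other key.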