I just tried using the command from @Gofannon’s linked Ubuntu tutorial page above, and replacing the default Ubuntu filenames with our YunoHost filenames, as follows…
$ gpg --keyid-format long --verify yunohost-buster-4.1.7.2-rpi-stable.img.zip.sig yunohost-buster-4.1.7.2-rpi-stable.img.zip
However, this returned the following error…
gpg: Signature made Mon 22 Feb 2021 12:36:41 NZDT
gpg: using RSA key 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: Can't check signature: No public key
From the Ubuntu tutorial page, the next step would be to obtain the public key from a keyserver. I spoke to @tituspijean on IRC about this, and they pointed me to this public key on GitHub. Now I need to learn what to do with it, as it isn’t in the form that the Ubuntu tutorial page is expecting…
From this, it looks like I need to know the location of the keyserver. I assume there is an alternative method for importing the public key into my keychain. I’ll keep looking.
EDIT: Next I downloaded this public key from GitHub, as recommended by @tituspijean, and saved it as a text file called yunohost-security-team.gpg on my local computer. Then I ran the following command, which I got from this page on the GnuPG documentation site…
$ gpg --import yunohost-security-team.gpg
gpg: key 749D897217351899: public key "YunoHost Security <security@yunohost.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
Aha! Look at that, I now have an email address that I can use for validating, and I have the key itself in my keychain. I’ll follow the rest of the instructions on that page, and see how it goes.
EDIT: So, the next step is to validate the YunoHost Security Team’s public key. Here’s what I did, and the result of it…
$ gpg --edit-key security@yunohost.org
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/749D897217351899
created: 2016-07-01 expires: never usage: SC
trust: unknown validity: unknown
sub rsa4096/1CB93A64446838AF
created: 2016-07-01 expires: never usage: E
[ unknown] (1). YunoHost Security <security@yunohost.org>
gpg>
Hmm, those unknown values are not very inspiring!
Alarm bells ringing here!
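As an added example (not from this thread or the YunoHost project), here is a POSIX shell check that parses gpg's machine-readable status output and pins the full fingerprint of the key that actually made the signature, instead of relying on the web-of-trust validity that gpg reports as unknown for a freshly imported key. EXPECTED_FPR is a placeholder to be replaced with a fingerprint obtained from a trusted out-of-band source, and the file names are only assumed to match the ones in the post.

```shell
#!/bin/sh
# Added example, not the forum author's or YunoHost's own script.
# PLACEHOLDER: replace with the fingerprint published by the project
# through a channel you trust, not one taken from the download mirror.
EXPECTED_FPR="${EXPECTED_FPR:-PLACEHOLDER_FINGERPRINT}"

# check_validsig EXPECTED
# Reads gpg --status-fd lines on stdin. Succeeds only if a VALIDSIG line
# is present and its fingerprint (third field) equals EXPECTED.
# Status line shape: "[GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ..."
check_validsig() {
    expected="$1"
    found=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # word-split the status line; $3 is the signing key fingerprint
                set -- $line
                found="$3"
                ;;
            "[GNUPG:] NO_PUBKEY "*|"[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*)
                # missing key or bad signature: fail regardless of other lines
                return 1
                ;;
        esac
    done
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# verify_image SIGNATURE IMAGE
# gpg's exit status alone says nothing about *which* key signed, so the
# status stream is piped through check_validsig to pin the fingerprint.
verify_image() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | check_validsig "$EXPECTED_FPR"
}

# Usage (assumed file names from the post):
# verify_image yunohost-buster-4.1.7.2-rpi-stable.img.zip.sig \
#              yunohost-buster-4.1.7.2-rpi-stable.img.zip && echo "fingerprint pinned OK"
```

Because the check is on the signing key's fingerprint, a "Good signature" from an unexpected key is rejected even if that key is in your keyring.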