I wanted to verify the install image but can’t find the signing key. I used
gpg --keyserver pgp.mit.edu --keyserver-options auto-key-retrieve --verify yunohost-stretch-3.1.0-rpi-stable.zip.sig
and found a key that had signed the image, but how do I know this is really the right key?
Short answer: that should be 0x749d897217351899
Long answer (everything is my personal opinion on the topic): you can’t! Or more precisely, the only “truly secure” (sigh) way to know that it is the right key to use is to meet someone from the dev team who manages the signing of those images, and ask him in person what the fingerprint of the key is.
Any other means will basically be “getting the info through HTTPS”, which is the same protocol you used to get the image in the first place and could be compromised somehow.
Well then, you could also assume that “a reasonably powerful attacker might be able to corrupt the image, but would not be powerful enough to compromise the whole HTTPS stack and/or the pgp.mit.edu server”… and that it might not be powerful enough to impersonate me and craft this answer on your specific topic on this forum… But that’s up to you.
You could also check how well this key is cross-signed by other people you trust through the web of trust (but unfortunately I think it is not signed by a lot of people, even us from the dev team…) (and you would get this info through HTTPS).
My opinion is that, yes, HTTPS isn’t great. But the risk of HTTPS being entirely compromised is too low compared to the cost involved in not trusting HTTPS… (at least in this context)
But other people including you might have legitimate counterarguments depending on assumptions/context/threat model ¯\_(ツ)_/¯
Thanks for the explanation. It does give me some reassurance.
I actually imported that key manually though, since it was listed on the security page. However, the zip I downloaded (3.1.0 for Raspberry Pi) was signed by another one supposedly belonging to firstname.lastname@example.org. This one:
pub rsa2048 2012-04-17 [SC]
1904 C5B4 2E48 56DC D4E9 CF96 360A AF32 59A3 E6FF
uid [ unknown] YunoHost <email@example.com>
sub rsa2048 2012-04-17 [E]
Ah, yes indeed, now that you mention it, I gave you the wrong one (which is used to discuss security issues ;P), so build@ is the good one.
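Pinning the full 160-bit fingerprint quoted above (rather than a short key ID, and rather than trusting whatever key auto-key-retrieve happens to fetch) can be scripted; the following is an added example, not code from the thread or from the YunoHost project, and the image/signature file names and the sample status output are assumptions.

```shell
#!/bin/sh
# Added example: verify a detached .sig and require the signing key to be the
# pinned one, instead of accepting any key that auto-key-retrieve pulls in.
# Not YunoHost project code. Image/sig file names are assumptions.

# Full fingerprint of the build@ key as printed in the thread (spaces removed).
EXPECTED_FPR="1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF"

# check_status STATUS_TEXT EXPECTED_FPR
# Parses gpg --status-fd output. Succeeds only if a VALIDSIG line exists and
# its primary-key fingerprint (12th field) equals EXPECTED_FPR. GOODSIG alone
# is not enough: it names the key only by its 64-bit key ID, which can collide.
check_status() {
    got=$(printf '%s\n' "$1" |
          awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }')
    [ -n "$got" ] && [ "$got" = "$2" ]
}

# verify_image IMAGE_FILE
# Runs gpg with auto-key-retrieve disabled, so a key that is not already in
# the local keyring cannot silently satisfy the verification.
verify_image() {
    status=$(gpg --batch --status-fd 1 \
                 --keyserver-options no-auto-key-retrieve \
                 --verify "$1.sig" "$1" 2>/dev/null)
    check_status "$status" "$EXPECTED_FPR"
}

# Constructed sample of --status-fd output (not captured from a real run),
# used to exercise check_status without gpg or network access.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 360AAF3259A3E6FF YunoHost <email@example.com>
[GNUPG:] VALIDSIG 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF 2018-09-01 1535760000 0 4 0 1 8 00 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF'

if [ "$#" -eq 1 ]; then
    # Usage: sh verify.sh yunohost-stretch-3.1.0-rpi-stable.zip
    if verify_image "$1"; then
        echo "OK: signed by $EXPECTED_FPR"
    else
        echo "REJECTED: bad signature or unexpected signing key" >&2
        exit 1
    fi
fi
```

The key must already be in the local keyring (imported from the security page, as in the thread); with auto-key-retrieve off, an unknown key fails the check instead of being fetched and accepted.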