Where can I find the signing key for the install images?

I wanted to verify the install image but can’t find the signing key. I used

gpg --keyserver pgp.mit.edu --keyserver-options auto-key-retrieve --verify yunohost-stretch-3.1.0-rpi-stable.zip.sig

and found a key that had signed the image but how do I know this is really the right key?


Short answer: that should be 0x749d897217351899

Long answer (everything is my personal opinion on the topic): you can’t! Or more precisely, the only “truly secure” (sigh) way to know that it is the right key to use is to meet someone from the dev team, who manages the signing of those images, and ask him physically in person what the fingerprint of the key is.

Any other means will basically be “getting the info through HTTPS”, which is the same protocol you used to get the image in the first place and could be compromised somehow.

Well then, you could also assume that “a reasonably powerful attacker might be able to corrupt the image, but would not be powerful enough to compromise the whole HTTPS stack and / or the pgp.mit.edu server” … and that it might not be powerful enough to impersonate me and craft this answer on your specific topic on this forum… But that’s up to you :smile:

You could also check how well this key is cross-signed by other people you trust through the web of trust (but unfortunately I think it is not signed by a lot of people, even us from the dev team…) (and you would get this info through HTTPS).

My opinion is that, yes, HTTPS isn’t great. But the risk of HTTPS being entirely compromised is too low compared to the cost involved in not trusting HTTPS… (at least in this context)

But other people including you might have legitimate counterarguments depending on assumptions/context/threat model ¯\_(ツ)_/¯


Thanks for the explanation. It does give me some reassurance.

I actually imported that key manually though, since it was listed on the security page. However, the zip I downloaded (3.1.0 for Raspberry Pi) was signed by another one supposedly belonging to build@yunohost.org. This one:

pub   rsa2048 2012-04-17 [SC]
      1904 C5B4 2E48 56DC D4E9  CF96 360A AF32 59A3 E6FF
uid           [ unknown] YunoHost <build@yunohost.org>
sub   rsa2048 2012-04-17 [E]

Ah, yes indeed, now that you mentioned it, I gave you the wrong one (which is used to discuss security issues ;P), so build@ is the good one :sweat_smile: .

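One way to act on the advice in this thread, pinning the build@yunohost.org fingerprint quoted above instead of trusting whatever key auto-key-retrieve pulls from a keyserver, as an added example that is not from the thread or the YunoHost project: it reads gpg's --status-fd output and accepts only a VALIDSIG line made by the pinned key. The sample status lines are constructed; the fingerprint and long key ID come from the thread.

```python
import re
import subprocess

# Fingerprint of the build@yunohost.org key quoted in the thread, normalised to
# 40 upper-case hex digits. Pin it here instead of trusting whatever key
# --auto-key-retrieve happens to pull from a keyserver.
PINNED_FPR = "1904 C5B4 2E48 56DC D4E9  CF96 360A AF32 59A3 E6FF".replace(" ", "").upper()

VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")


def signature_ok(status_output: str, pinned_fpr: str = PINNED_FPR) -> bool:
    """True only if gpg reported a VALIDSIG made by the pinned key.

    status_output is the machine-readable text gpg emits with --status-fd.
    GOODSIG alone is not enough: it carries only the long key ID and user ID,
    not the full fingerprint, so we insist on the VALIDSIG line.
    """
    for line in status_output.splitlines():
        m = VALIDSIG_RE.match(line)
        if m and m.group(1) == pinned_fpr:
            return True
    return False


def verify_file(sig_path: str, data_path: str, pinned_fpr: str = PINNED_FPR) -> bool:
    """Run gpg on a detached signature and apply signature_ok to its output.

    Assumes gpg is installed and the key was already imported (e.g. from the
    project's security page); no keyserver lookup happens here.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return signature_ok(proc.stdout, pinned_fpr)


# Constructed gpg --status-fd output for a signature by the pinned key
# (fingerprint/key ID from the thread, timestamps made up).
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 360AAF3259A3E6FF YunoHost <build@yunohost.org>
[GNUPG:] VALIDSIG 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF 2018-08-01 1533081600 0 4 0 1 8 00 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
"""

# Constructed: a perfectly valid signature, but from some other key.
SAMPLE_WRONG_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2018-08-01 1533081600 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF
"""
```

Call `verify_file("yunohost-stretch-3.1.0-rpi-stable.zip.sig", "yunohost-stretch-3.1.0-rpi-stable.zip")` to check a real download; a `GOODSIG` from an unexpected key, or no `VALIDSIG` at all, yields `False`.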