When querying the security.txt, I get the recommendation that I should still sign the file, although a signature is available.
I then checked the signing with the following script and found no error:
```bash
#!/usr/bin/env bash
# URLs of the files
SECURITY_TXT_URL="https://my.domain/.well-known/security.txt"
SIGNATURE_URL="https://my.domain/.well-known/security.txt.asc"
KEY_URL="https://my.domain/pgp-key.asc"
# Names of the local files
SECURITY_TXT="security.txt"
SIGNATURE="security.txt.asc"
KEY="pgp-key.asc"
# Download files
curl -o "$SECURITY_TXT" "$SECURITY_TXT_URL"
curl -o "$SIGNATURE" "$SIGNATURE_URL"
curl -o "$KEY" "$KEY_URL"
# Check the MIME type of the signature file (drop a trailing ";" left by a charset parameter)
mime_type=$(curl -sI "$SIGNATURE_URL" | grep -i "^Content-Type:" | awk '{print $2}' | tr -d '\r;')
if [ "$mime_type" != "application/pgp-signature" ]; then
  echo "Invalid MIME type for the signature file: $mime_type"
  exit 1
fi
# Import GPG key
gpg --import "$KEY"
# Verify the detached signature against the downloaded security.txt and show the result
if gpg --verify "$SIGNATURE" "$SECURITY_TXT"; then
  echo "Signature is valid."
else
  echo "Signature is invalid."
fi
```
What could be the reason that sectxt returns not_signed as status or recommendation?
My security.txt looks like this:
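The script in the issue verifies a detached signature (security.txt.asc) that lives next to the file. RFC 9116 section 2.3, however, describes the signature as an inline cleartext signature (the RFC 4880 cleartext signature framework), so the signed file itself starts with "-----BEGIN PGP SIGNED MESSAGE-----". A checker that only looks at the file body will report it as unsigned when the signature is detached. The following is an added example, not code from the issue or from the sectxt project; it assumes that the "not_signed" status is based on the presence of such an inline signature, and it shows how to tell the two cases apart and still parse the fields of a clearsigned file. The sample security.txt contents and the signature block are constructed placeholders.

```python
"""Detect whether a security.txt carries an inline (cleartext) PGP signature
and parse its fields either way. Added example; assumes the checker looks for
the RFC 4880 cleartext framing inside the file, not a separate .asc file."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def is_cleartext_signed(text: str) -> bool:
    """True only when the file itself is wrapped in a PGP cleartext signature."""
    lines = text.splitlines()
    return bool(lines) and lines[0].strip() == BEGIN_SIGNED \
        and BEGIN_SIG in lines and END_SIG in lines


def signed_body(text: str) -> str:
    """Return the message part of a clearsigned file (armor header, optional
    'Hash:' headers, blank line, dash-escaped body, signature block), or the
    whole text when the file is not signed."""
    if not is_cleartext_signed(text):
        return text
    lines = text.splitlines()
    i = 1
    while i < len(lines) and lines[i].strip() != "":  # skip Hash: headers
        i += 1
    i += 1  # skip the blank separator line
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):  # undo RFC 4880 dash-escaping
            line = line[2:]
        body.append(line)
        i += 1
    return "\n".join(body) + "\n"


def parse_fields(text: str) -> dict:
    """Map lower-cased field names to the list of their values; comments and
    blank lines are ignored, and a clearsigned wrapper is stripped first."""
    fields: dict = {}
    for line in signed_body(text).splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return fields


def check(text: str) -> dict:
    """Summary a checker would build: inline signature present, required fields present."""
    f = parse_fields(text)
    return {"signed": is_cleartext_signed(text),
            "has_contact": "contact" in f,
            "has_expires": "expires" in f,
            "fields": f}


def gpg_verify(text: str):
    """Run 'gpg --verify' on the clearsigned text when gpg is installed
    (the signer's key must already be imported). None if gpg is missing."""
    if shutil.which("gpg") is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        return subprocess.run(["gpg", "--verify", path], capture_output=True).returncode == 0
    finally:
        Path(path).unlink(missing_ok=True)


# Constructed samples: an unsigned file and the same content clearsigned
# (the signature block is a placeholder, not a real signature).
UNSIGNED = "Contact: mailto:security@example.test\nExpires: 2030-01-01T00:00:00Z\n"
CLEARSIGNED = (
    BEGIN_SIGNED + "\nHash: SHA256\n\n"
    "# constructed sample\n"
    "Contact: mailto:security@example.test\n"
    "Expires: 2030-01-01T00:00:00Z\n"
    "Preferred-Languages: en\n"
    + BEGIN_SIG + "\n\nPLACEHOLDERSIGNATUREDATA==\n" + END_SIG + "\n"
)

if __name__ == "__main__":
    for name, sample in (("unsigned", UNSIGNED), ("clearsigned", CLEARSIGNED)):
        print(name, check(sample))
```

Run against the file the issue's script downloads: if is_cleartext_signed returns False for security.txt itself, the detached security.txt.asc is never consulted by a check of this kind, which matches a "not_signed" result even though gpg --verify on the pair succeeds.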