Nitrokey / nitrokey-app

Nitrokey's Application (Win, Linux, Mac)
https://www.nitrokey.com/

How to validate the RSA key used for the .sig files? #470

Closed fmherschel closed 3 years ago

fmherschel commented 3 years ago

I would like to check the files available under https://github.com/Nitrokey/nitrokey-app/releases but gpg tells me that the used RSA key (public key) is not available.

Releases 1.4.1 and 1.4.2

Linux

n/a because pre-install question

n/a because it's a pre-install question

always (because I always could not find the key at the server)

Steps for reproduction

Preconditions

n/a it is a pre-install question

Steps

  1. Download files from releases including the .sig file
  2. gpg --verify Nitrokey_App-x86_64-v1.4.1.AppImage.sig Nitrokey_App-x86_64-v1.4.1.AppImage => tells me RSA key used is 868184069239FF65DE0BCD7DD9BAE35991DE5B22

     Can't check signature: No public key

  3. If I search for key 868184069239FF65DE0BCD7DD9BAE35991DE5B22 on multiple key servers (including the heise search page) I always get key not found.

So how to validate the files under release?

fmherschel commented 3 years ago

After some more research, I have now tried the key server pgp.mit.edu, and this server seems to know the used key. => Closing

szszszsz commented 3 years ago

Hi! Thank you for the report! Could you list the servers you have tried? Maybe I could try to push the key by hand there. In theory keys should propagate.
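
An added example (not from the issue or the Nitrokey project): once the key has been fetched from a key server, as in the thread above, this checks that the signature was made by one specific fingerprint rather than by whatever key the server returned. The pinned value is the fingerprint gpg reported in the issue and is assumed to have been confirmed through a separate channel; `classify_status`, `verify_release` and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Fingerprint taken from the gpg output quoted in the issue.
# Assumption: it has been confirmed out of band before being pinned here.
EXPECTED_FPR="868184069239FF65DE0BCD7DD9BAE35991DE5B22"

# Constructed status lines (not captured from a real run), one per case.
SAMPLE_NOKEY='[GNUPG:] ERRSIG D9BAE35991DE5B22 1 8 00 1600000000 9 868184069239FF65DE0BCD7DD9BAE35991DE5B22
[GNUPG:] NO_PUBKEY D9BAE35991DE5B22'
SAMPLE_OK='[GNUPG:] GOODSIG D9BAE35991DE5B22 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 868184069239FF65DE0BCD7DD9BAE35991DE5B22 2020-09-13 1600000000 0 4 0 1 8 00 868184069239FF65DE0BCD7DD9BAE35991DE5B22'
SAMPLE_OTHER='[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2020-09-13 1600000000 0 4 0 1 8 00 0000111122223333444455556666777788889999'

# classify_status WANT_FPR: reads `gpg --status-fd 1 --verify` lines on stdin
# and prints exactly one of:
#   ok        valid signature made by the pinned fingerprint
#   mismatch  valid signature, but made by a different key
#   nokey     signing key not in the keyring ("No public key")
#   bad       BADSIG, or no usable status line at all
classify_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG"  { valid = 1; fpr = toupper($3) }
        $1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { nokey = 1 }
        $1 == "[GNUPG:]" && $2 == "BADSIG"    { bad = 1 }
        END {
            if (bad)                                print "bad"
            else if (valid && fpr == toupper(want)) print "ok"
            else if (valid)                         print "mismatch"
            else if (nokey)                         print "nokey"
            else                                    print "bad"
        }'
}

# verify_release SIG FILE: run gpg and succeed only on "ok".
verify_release() {
    result=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
             | classify_status "$EXPECTED_FPR")
    echo "$2: $result"
    [ "$result" = "ok" ]
}
```

Usage after sourcing the file: `verify_release Nitrokey_App-x86_64-v1.4.1.AppImage.sig Nitrokey_App-x86_64-v1.4.1.AppImage`. A `nokey` result is the situation reported in the issue; `mismatch` means a key verified the file but it is not the one that was pinned.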