SchildiChat / schildichat-desktop

Matrix client / Element Web/Desktop fork
https://schildi.chat
Apache License 2.0

Install instructions: No second path for key #136

Closed DC7IA closed 2 years ago

DC7IA commented 2 years ago

Current instructions for Debian-based systems:

sudo apt install -y curl gnupg apt-transport-https
# Fetch the repo signing key and install it into the system keyring (the keyring directory is root-owned, so the write needs sudo)
curl -fsSL https://apt.supercable.onl/super-apt-repo.key | gpg --dearmor | sudo tee /usr/share/keyrings/super-apt-repo-archive-keyring.gpg >/dev/null
# Register the repo, restricting it to that keyring via signed-by
echo "deb [signed-by=/usr/share/keyrings/super-apt-repo-archive-keyring.gpg arch=amd64] https://apt.supercable.onl/debian/ all main" | sudo tee /etc/apt/sources.list.d/super-apt-repo.list
sudo apt update
sudo apt install schildichat-desktop

This means that an attacker gaining access to the server can also provide a GPG key. How can I know whether I'm getting the correct package?

Please also provide the GPG key on your website so it can be verified.

Also, who is behind supercable.onl? :thinking:
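One way to act on this concern, as an added example that is not the project's own code: pin the key to the fingerprint published out-of-band (the README, as the thread later settles on) and refuse to install it if the downloaded file does not match. It assumes GnuPG 2.2+ (`gpg --show-keys`), and the colon-format sample it parses offline is constructed for the demo.

```shell
#!/bin/sh
# Added example: verify the apt repo key's fingerprint against an out-of-band
# published value before installing it into /usr/share/keyrings.
set -eu

# Fingerprint as posted in this thread; compare it against the README yourself.
EXPECTED_FPR="560BB70DA86A6633A39CEC6023358905FE294D01"

# From `gpg --with-colons --show-keys` output on stdin, print the fingerprint
# (field 10 of the first "fpr" record) of every primary ("pub") key.
primary_fprs() {
    awk -F: '$1=="pub"{want=1;next} $1=="fpr" && want{print $10; want=0}'
}

# Return 0 only if stdin holds at least one fingerprint and all equal $1.
fprs_match() {
    expected="$1"; n=0; bad=0
    while IFS= read -r fpr; do
        n=$((n+1))
        [ "$fpr" = "$expected" ] || bad=1
    done
    [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Download the key, check it, and install it only on a match (needs network and sudo).
verify_and_install() {
    url="$1"; dest="$2"; tmp=$(mktemp)
    curl -fsSL "$url" > "$tmp"
    if gpg --with-colons --show-keys "$tmp" 2>/dev/null | primary_fprs | fprs_match "$EXPECTED_FPR"; then
        gpg --dearmor < "$tmp" | sudo tee "$dest" >/dev/null
        rm -f "$tmp"; printf 'fingerprint matches, key installed to %s\n' "$dest"
    else
        rm -f "$tmp"; printf 'fingerprint mismatch, refusing to install key\n' >&2; return 1
    fi
}

# Constructed colon-format output (not real gpg output) for an offline check:
# one primary key whose fingerprint is the expected one, plus an encryption subkey.
SAMPLE='pub:-:4096:1:23358905FE294D01:1607385600:::-:::scESC::::::23::0:
fpr:::::::::560BB70DA86A6633A39CEC6023358905FE294D01:
uid:-::::1607385600::0000000000000000000000000000000000000000::Super apt repo key <apt@supercable.onl>::::::::::0:
sub:-:4096:1:0000000000000000:1607385600::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Offline demo: prints "match" for the sample (no network, no sudo).
demo() {
    printf '%s\n' "$SAMPLE" | primary_fprs | fprs_match "$EXPECTED_FPR" && echo match
}
demo
```

Real usage would be `verify_and_install https://apt.supercable.onl/super-apt-repo.key /usr/share/keyrings/super-apt-repo-archive-keyring.gpg` in place of the unconditional `gpg --dearmor` step.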

su-ex commented 2 years ago

The problem is that I don't know enough about gpg. I'm simply using a single, isolated key to sign the packages. I haven't yet figured out the usual/best way to sign commits as well as the apt repo packages across different systems with some sort of master identity of mine, so I don't have a lot of keys that currently end up in a mess. I'm behind supercable.onl, as I'm maintaining SchildiChat Desktop.

SpiritCroc commented 2 years ago

Actually, schildi.chat and apt.supercable.onl are handled by the same server right now afaik. So putting the GPG key on schildi.chat won't really help much if an attacker gains access to that server. (It would help though against an attacker who might manage to let supercable.onl point to a different server, but not schildi.chat.)

DC7IA commented 2 years ago

Actually, schildi.chat and apt.supercable.onl are handled by the same server right now afaik.

Then I'd like to suggest placing it in the README.md of this repo.

That then helps with verifying the key.

DC7IA commented 2 years ago

I'm simply using a single, isolated key to sign the packages.

Could you please post the public key here for now? Maybe add it to README.md as well.

su-ex commented 2 years ago

Maybe this is what you want:

pub   rsa4096 2020-12-08 [SC]
      560BB70DA86A6633A39CEC6023358905FE294D01
uid           Super apt repo key <apt@supercable.onl>
sub   rsa4096 2020-12-08 [E]

DC7IA commented 2 years ago

Maybe this is what you want:

Exactly, managed to verify the key. Thank you.

Still, it'd be nice to have it in README.md as well.

su-ex commented 2 years ago

I've added the key to the readme: https://github.com/SchildiChat/schildichat-desktop/commit/7b4678e91d4eb1ba7b32bea1804d8042bd93fb5e