gopasspw / gopass

The slightly more awesome standard unix password manager for teams
https://www.gopass.pw/
MIT License

Gopass Releases public GPG key #2909

Closed rbreunung closed 3 months ago

rbreunung commented 4 months ago

Summary

Cannot find public gpg key of the gopass releases.

Steps To Reproduce

I want to install gopass using the package provided in GitHub releases. You do provide a checksum and a .sig file.

What I am missing is the public key to use the .sig file for verification of the release artifacts.

Expected behavior

I would appreciate it very much if you could put a reference to the public GPG key in the installation instructions on your homepage.

Environment

Additional context

I tried to run

gpg --verify gopass_1.15.13_SHA256SUMS.sig gopass-1.15.13-linux-amd64.tar.gz 

with the output:

gpg: Signature made Sat Apr  6 19:44:54 2024 CEST
gpg:                using RSA key C21C8CAD294D35BF5A3BBB15B3C5B1A0560D8522
gpg: Can't check signature: No public key

I did not find a server from which to receive the public key for C21C8CAD294D35BF5A3BBB15B3C5B1A0560D8522.

dominikschulz commented 3 months ago

The question is how valuable an unsigned and untrusted release key is ... but I have uploaded it to a bunch of keyservers.
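
Added example, not part of the issue thread or of gopass's own tooling: a two-step check that pins the signing key by fingerprint instead of trusting whatever a keyserver returns, then ties the tarball to the signed checksum list. It assumes, as the file name suggests, that the .sig is a detached signature over a checksum file named gopass_1.15.13_SHA256SUMS, and that the fingerprint gpg printed in the issue has been confirmed through an independent channel; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from gopass.
# Fingerprint as printed by gpg in the issue; confirm it out of band first.
PINNED_FPR=C21C8CAD294D35BF5A3BBB15B3C5B1A0560D8522

# sig_by_pinned_key FPR
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line names FPR as the signing key and gpg reported no bad,
# expired or revoked signature or key.
sig_by_pinned_key() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && toupper($3) == toupper(want) { ok = 1 }
        $2 ~ /^(BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# artifact_in_sums SUMS FILE
# Succeeds only if FILE's SHA-256 equals the entry for its base name in SUMS.
artifact_in_sums() {
    name=$(basename "$2")
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }      # tolerate the "*name" binary marker
        f == n { print $1; exit }' "$1")
    [ -n "$want" ] || return 1             # artifact not listed at all
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# verify_release SUMS SIG FILE
# 1. the signature over SUMS must come from the pinned key
# 2. FILE must hash to the value listed in the now-authenticated SUMS
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | sig_by_pinned_key "$PINNED_FPR" || return 1
    artifact_in_sums "$1" "$3"
}

# Usage (file names follow the issue; the SUMS name is an assumption):
#   verify_release gopass_1.15.13_SHA256SUMS gopass_1.15.13_SHA256SUMS.sig \
#       gopass-1.15.13-linux-amd64.tar.gz && echo "release verified"
```

The key still has to be in the local keyring for step 1 to pass; the pin only ensures that a different key under the same name cannot satisfy the check.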