hashbang / hashbang.sh

Public facing website on hashbang.sh with embedded user creation script.
http://hashbang.sh
MIT License

gpg - no indication that the signature belongs to the owner #186

Closed Veraellyunjie closed 9 months ago

Veraellyunjie commented 9 months ago

Not many projects offer verification of their gpg signature, so I am almost ignorant of the procedure and may misinterpret the messages. This is what I got:

$ curl https://hashbang.sh | gpg --verify
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15186  100 15186    0     0  52988      0 --:--:-- --:--:-- --:--:-- 52912
gpg: Signature made Sun May  7 22:41:28 2023 EEST
gpg:                using RSA key 4562BC566932CF1C16F2D7CCD2C4C74D8FAA96F5
gpg: Can't check signature: No public key

Users are offered to verify before obtaining keys. It is suggested a bit later:

$ gpg --recv-keys 0xD2C4C74D8FAA96F5
gpg: keyserver receive failed: Server indicated a failure

Hm, things happen...

$ gpg --recv-keys 0xD2C4C74D8FAA96F5
gpg: /home/v11e/.gnupg/trustdb.gpg: trustdb created
gpg: key D2C4C74D8FAA96F5: public key "Hashbang Team <team@hashbang.sh>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ curl https://hashbang.sh | gpg -o hashbang.sh
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15186  100 15186    0     0  55613      0 --:--:-- --:--:-- --:--:-- 55830
gpg: Signature made Sun May  7 22:41:28 2023 EEST
gpg:                using RSA key 4562BC566932CF1C16F2D7CCD2C4C74D8FAA96F5
gpg: Good signature from "Hashbang Team <team@hashbang.sh>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4562 BC56 6932 CF1C 16F2  D7CC D2C4 C74D 8FAA 96F5

"Good signature" vs. "not certified". Go guess... or go google... :)

RyanSquared commented 9 months ago

This is a valid concern - there is no proper way (that I know of) for GPG to automatically confirm that the key is actually owned by "team@hashbang.sh", and your local keystore (i.e. an "ultimate" trusted key that you manage) has not signed the hashbang.sh key. Note the text "unknown" in the "Good signature" line. This represents that the key is an unknown key.

The error message you got is that, despite you having a valid signature from the key in your keyring, you do not trust the key. However, you imported the key from a source you trust, and you can verify yourself that the fingerprint matches up. In short: this is working as expected. The signature is valid, it's just that you haven't trusted the key, so you need to look at the fingerprint manually and make sure it matches up.

Note: While there is a Web Key Directory system for OpenPGP, the GPG model of OpenPGP trust does not allow for WKD to be considered an automatically trusted source - while the user ID could verify that it is a valid key from "team@hashbang.sh" (according to the TLS trust model), GPG doesn't have a way to consider a key "valid" without also placing a trust value upon the key.
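One way to make the check RyanSquared describes mechanical (pin the fingerprint you verified out of band, then compare it with what gpg reports), added here as an example that is not part of the hashbang.sh project: it reads gpg's machine-readable `--status-fd` output rather than the human-readable lines, the pinned fingerprint is the one printed in the issue above, and the sample status text is constructed to mirror the two runs shown there.

```python
import subprocess
from typing import Dict, List

# Primary key fingerprint as gpg printed it in the issue; spaces are stripped before comparing.
PINNED_FINGERPRINT = "4562 BC56 6932 CF1C 16F2  D7CC D2C4 C74D 8FAA 96F5"
STATUS_PREFIX = "[GNUPG:] "


def parse_status(status_text: str) -> Dict[str, List[str]]:
    """Map each --status-fd keyword to its fields (last occurrence wins,
    so this covers the single-signature file the issue deals with)."""
    parsed: Dict[str, List[str]] = {}
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, *fields = line[len(STATUS_PREFIX):].split()
            parsed[keyword] = fields
    return parsed


def verify_pinned(status_text: str, pinned: str = PINNED_FINGERPRINT) -> str:
    """'ok' only if the signature is valid AND made by the pinned key.
    TRUST_UNDEFINED (the 'not certified' warning) is deliberately ignored:
    trust comes from the fingerprint comparison, not from the web of trust."""
    status = parse_status(status_text)
    if "NO_PUBKEY" in status:
        return "no-public-key"        # the first run shown in the issue
    if "BADSIG" in status:
        return "bad-signature"
    validsig = status.get("VALIDSIG")
    if not validsig:
        return "no-valid-signature"
    # The last VALIDSIG field is the primary key fingerprint, even if a subkey signed.
    if validsig[-1].upper() != pinned.replace(" ", "").upper():
        return "fingerprint-mismatch"
    return "ok"


def verify_file(signed_path: str, output_path: str) -> str:
    """Run the real gpg: the payload goes to output_path, status lines to stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--output", output_path,
         "--decrypt", signed_path], capture_output=True, text=True, check=False)
    return verify_pinned(proc.stdout)


# Constructed status output modelled on the two gpg runs shown in the issue.
SAMPLE_NO_PUBKEY = "[GNUPG:] NO_PUBKEY D2C4C74D8FAA96F5\n"
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG D2C4C74D8FAA96F5 Hashbang Team <team@hashbang.sh>\n"
    "[GNUPG:] VALIDSIG 4562BC566932CF1C16F2D7CCD2C4C74D8FAA96F5 2023-05-07 "
    "1683488488 0 4 0 1 10 00 4562BC566932CF1C16F2D7CCD2C4C74D8FAA96F5\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
```

Only after `verify_pinned` returns "ok" should the file written by `verify_file` be executed; a "not certified" warning on its own is expected and says nothing about whether the fingerprint matched.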