Open johays opened 21 hours ago

Trying to install OSSEC on a fresh Debian 12 system. I would like to verify the package before running the installer on my system.

While there is a GPG signature provided for the .tar.gz file found on https://www.ossec.net/download-ossec/ , there is no apparent pointer where/how to get the corresponding public key used in the signature (https://github.com/ossec/ossec-hids/releases/download/3.7.0/ossec-hids-3.7.0.tar.gz.asc).

A simple

```
gpg --recv-key
```

for the key-ID gives a "contains no user ID" error (see below). Any ideas where I might find the corresponding key?

Suggestion: include the public key used for signing next to the signature file in https://www.ossec.net/download-ossec/ or supply a CLI one-liner for how to import it in a somewhat trustworthy manner.

For inspiration: here is how Linux Mint and The Tor Project guide their users to import GPG keys and verify signatures.

related to https://github.com/ossec/ossec-hids/issues/1046 The post suggests that the key is located here: https://www.ossec.net/files/OSSEC-ARCHIVE-KEY.asc This proves true and works, I now get a valid signature.

HOWEVER I think this should be public information available at https://www.ossec.net/download-ossec/ , not forcing users to dig through old issues on github to be able to verify a signature.

```
gpg: key EE1B0E6B2D8387B7: public key "Scott R. Shinn <scott@atomicorp.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
user@host:~/Downloads$ gpg --verify ossec-hids-3.7.0.tar.gz.asc
gpg: assuming signed data in 'ossec-hids-3.7.0.tar.gz'
gpg: Signature made Mon 17 Jan 2022 05:09:10 PM CET
gpg:                using RSA key B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7
gpg: Good signature from "Scott R. Shinn <scott@atomicorp.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B50F B194 7A0A E311 45D0 5FAD EE1B 0E6B 2D83 87B7
```
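The "somewhat trustworthy manner" the issue asks for comes down to pinning the key fingerprint rather than trusting whatever key happens to be in the keyring. The script below is an added example, not code from the issue or from the OSSEC project; it assumes the key has already been saved locally as a file, that GnuPG 2.x is installed, and that its `--status-fd` output is used instead of grepping the human-readable "Good signature" line. The sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue or OSSEC): verify a release tarball and
# accept it only if the signature was made by the pinned primary key.

# The fingerprint printed by gpg in the issue. This is the one value a user
# must obtain out-of-band (e.g. from the download page) for the check to
# mean anything; "Good signature" alone says only that *some* imported key signed.
PINNED_FPR="B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7"

# check_validsig: read GnuPG --status-fd lines on stdin and succeed (exit 0)
# only if a VALIDSIG line ends with the pinned primary-key fingerprint.
# A subkey may make the signature, so the last field (primary key) is what we pin.
check_validsig() {
  pinned=$1
  found=1
  while IFS= read -r line; do
    case $line in
      "[GNUPG:] VALIDSIG "*)
        primary=${line##* }
        [ "$primary" = "$pinned" ] && found=0
        ;;
    esac
  done
  return $found
}

# verify_release KEYFILE SIGFILE TARBALL: import the key into a throwaway
# keyring (so the user's own trust database is untouched), then verify.
verify_release() {
  keyfile=$1; sig=$2; tarball=$3
  tmp=$(mktemp -d) || return 2
  gpg --homedir "$tmp" --batch --quiet --import "$keyfile" || { rm -rf "$tmp"; return 2; }
  gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null \
    | check_validsig "$PINNED_FPR"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Constructed sample of what gpg --status-fd emits for the signature in the issue
# (timestamp and version fields are illustrative, not captured output).
SAMPLE_STATUS='[GNUPG:] GOODSIG EE1B0E6B2D8387B7 Scott R. Shinn <scott@atomicorp.com>
[GNUPG:] VALIDSIG B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7 2022-01-17 1642435750 0 4 0 1 8 00 B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7'

# Stand-alone demonstration on the constructed sample; a real run would call
# verify_release OSSEC-ARCHIVE-KEY.asc ossec-hids-3.7.0.tar.gz.asc ossec-hids-3.7.0.tar.gz
printf '%s\n' "$SAMPLE_STATUS" | check_validsig "$PINNED_FPR" && echo "signed by pinned key"
```

The point of `check_validsig` is that a key imported from an old GitHub issue, a keyserver, or a stranger's blog still produces "Good signature"; only comparing the fingerprint against a value published alongside the download turns that into a meaningful check.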