Anssi Saari <a...@sci.fi> writes:
> Richard Kettlewell <inv...@invalid.invalid> writes:
>> Since the public key is on the same site, it offers no protection at
>> all. Someone who tampered with the ISO would also replace the public
>> key with their own and generate a new signature for the tampered ISO.
>
>> Spiros needs some other trust path to the key, otherwise they will just
>> be wasting their time.
>
> What's a trust path today though? Last time I looked into it, it meant
> getting the public key from the signer in person.
The theory is you trust certain other people to certify the keys of
people that they’ve met, and (potentially) so on for multiple hops. It
seems like it only works well in specific environments.
In this case, the only signatures attached to the ISO signing key are
apparently from other keys owned by the same person. So we have no
evidence that the signing key belongs to anyone in particular, much less
to a legitimate signer of devuan ISOs.
$ gpg --verify SHA256SUMS.txt.asc SHA256SUMS.txt
gpg: Signature made Sat 10 Sep 2022 14:45:32 BST
gpg:                using RSA key 67F5013216271E85C251E480A73823D3094C5620
gpg: Good signature from "fsmithred (aka fsr) <fsmi...@gmail.com>" [expired]
gpg: Note: This key has expired!
$ gpg --list-sigs 67F5013216271E85C251E480A73823D3094C5620
pub   rsa4096/A73823D3094C5620 2017-10-07 [SC] [expired: 2021-09-20]
      67F5013216271E85C251E480A73823D3094C5620
uid           [ expired] fsmithred (aka fsr) <fsmi...@gmail.com>
sig 3        A73823D3094C5620 2017-10-07  fsmithred (aka fsr) <fsmi...@gmail.com>
sig          632FA518ACDCBE05 2017-10-07  fsmithred <fsmi...@gmail.com>
sig 3        A73823D3094C5620 2018-09-09  fsmithred (aka fsr) <fsmi...@gmail.com>
sig 3        A73823D3094C5620 2019-09-21  fsmithred (aka fsr) <fsmi...@gmail.com>
So I think you’re out of luck for a GPG-based trust path.
> For practical purposes keyservers are used and are presumably somewhat
> more reliable than a public key stored with a download. But how much
> more reliable?
It would be less reliable. Key servers are there to transport keys, not
to certify them.
--
http://www.greenend.org.uk/rjk/
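The reading of the --list-sigs output above, turned into a check. This is an added example, not code from the thread: it parses a listing constructed to mirror the quoted output and reports whether any certification comes from a key outside the signer's own identity (self-signatures and signatures from other keys carrying the same e-mail address, as in the thread, count as no independent evidence). A real deployment would parse `gpg --with-colons --list-sigs` output rather than the human-readable format.

```python
import re

# Constructed sample modelled on the listing quoted in the thread, embedded so
# the check runs offline. The obfuscated address is kept as it appears there.
SAMPLE = """\
pub   rsa4096/A73823D3094C5620 2017-10-07 [SC] [expired: 2021-09-20]
      67F5013216271E85C251E480A73823D3094C5620
uid           [ expired] fsmithred (aka fsr) <fsmi...@gmail.com>
sig 3        A73823D3094C5620 2017-10-07  fsmithred (aka fsr) <fsmi...@gmail.com>
sig          632FA518ACDCBE05 2017-10-07  fsmithred <fsmi...@gmail.com>
sig 3        A73823D3094C5620 2018-09-09  fsmithred (aka fsr) <fsmi...@gmail.com>
sig 3        A73823D3094C5620 2019-09-21  fsmithred (aka fsr) <fsmi...@gmail.com>
"""

# "pub   algo/KEYID ...", "uid  [trust] Name <email>", "sig [flags] KEYID date Name <email>"
PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-F]{16})")
UID_RE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?(.*?)\s*<([^>]*)>")
SIG_RE = re.compile(r"^sig(?:\s+[0-9A-Za-z]{1,3})?\s+([0-9A-F]{16})\s+\S+\s+(.*?)\s*<([^>]*)>")


def classify_sigs(listing):
    """Group the certifications on a key into self-signatures, signatures from
    other keys with one of the key's own e-mail addresses, and third-party ones."""
    key_id = None
    own_emails = set()
    result = {"self": [], "same_identity": [], "third_party": []}
    for line in listing.splitlines():
        m = PUB_RE.match(line)
        if m:
            key_id = m.group(1)
            continue
        m = UID_RE.match(line)
        if m:
            own_emails.add(m.group(2).lower())
            continue
        m = SIG_RE.match(line)
        if m and key_id:
            signer, _name, email = m.groups()
            if signer == key_id:
                result["self"].append(signer)
            elif email.lower() in own_emails:
                result["same_identity"].append(signer)
            else:
                result["third_party"].append(signer)
    result["key_id"] = key_id
    return result


def has_independent_certification(listing):
    """True only if at least one certifier is not the key owner's own identity."""
    return bool(classify_sigs(listing)["third_party"])
```

Even a third-party signature is only evidence if you in turn trust that certifier, which is the multi-hop problem the reply describes.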