GPG keys

[ravas]

Where can I find the gpg key used to sign the hash file on the download page?

[Woodstock]

Do you mean other than the link on the download page, marked "Files integrity may be checked using hash file"?

(that link is for 1.17.6, by the way)

[jemima]

It’s e.g. here https://keyserver.ubuntu.com/pks/lookup ... 3a18042697 (though this of course means not that it has any trust).

Cheers,
jemima

[ravas]

Do you mean other than the link on the download page, marked "Files integrity may be checked using hash file"?

(that link is for 1.17.6, by the way)

That hash file is *signed* with a gpg key, but I can't find the public key anywhere(on makemkv's website) that was used to sign that file. I did find the public key on Ubuntu's keyserver, but I need to find a key somewhere here on makemkv's website Mike's account or something so I can verify it's authenticity.

[ravas]

It’s e.g. here https://keyserver.ubuntu.com/pks/lookup ... 3a18042697 (though this of course means not that it has any trust).

Cheers,
jemima

I did actually find this a while ago, but I was hoping to find the key somewhere on makemkv's website or Mike's profile in order to verify its authenticity before I add it to my keyring(for packaging as an RPM). Just trying to be thorough and do as much due diligence as I can.

[jemima]

Yeah, clear, though I haven't found it there either.

Anyway, even then then it's trust would completely depend on TLS, which - given the broken CA system[0] - isn't really that much.

Regards,
Jemima

[0] Roughly some 150 root CAs in the typical browser bundles, many of them controlled by countries of questionable reputation, not to talk about an unknown (many thousands of?) number of intermediate CAs, which all can forge more or less anything (and did so in the past).

[ravas]

I suppose, but the more I can cross-reference the more I can be confident in.