GPG keys

Everything related to MakeMKV
ravas
Posts: 12
Joined: Mon Jan 01, 2024 10:22 pm

GPG keys

#1 Post by ravas » Mon Jan 22, 2024 9:51 pm

Where can I find the gpg key used to sign the hash file on the download page?

Woodstock
Posts: 10312
Joined: Sun Jul 24, 2011 11:21 pm

Re: GPG keys

#2 Post by Woodstock » Mon Jan 22, 2024 11:35 pm

Do you mean other than the link on the download page, marked "Files integrity may be checked using hash file"?

(that link is for 1.17.6, by the way)

jemima
Posts: 55
Joined: Fri Oct 06, 2023 1:16 am

Re: GPG keys

#3 Post by jemima » Mon Jan 22, 2024 11:52 pm

It’s e.g. here https://keyserver.ubuntu.com/pks/lookup ... 3a18042697 (though this of course does not mean that it has any trust).

Cheers,
jemima

ravas
Posts: 12
Joined: Mon Jan 01, 2024 10:22 pm

Re: GPG keys

#4 Post by ravas » Mon Jan 22, 2024 11:55 pm

Woodstock wrote (Mon Jan 22, 2024 11:35 pm):
> Do you mean other than the link on the download page, marked "Files integrity may be checked using hash file"?
>
> (that link is for 1.17.6, by the way)

That hash file is *signed* with a gpg key, but I can't find the public key anywhere (on makemkv's website) that was used to sign that file. I did find the public key on Ubuntu's keyserver, but I need to find a key somewhere here on makemkv's website, Mike's account or something, so I can verify its authenticity.

ravas
Posts: 12
Joined: Mon Jan 01, 2024 10:22 pm

Re: GPG keys

#5 Post by ravas » Mon Jan 22, 2024 11:57 pm

jemima wrote (Mon Jan 22, 2024 11:52 pm):
> It’s e.g. here https://keyserver.ubuntu.com/pks/lookup ... 3a18042697 (though this of course does not mean that it has any trust).
>
> Cheers,
> jemima

I did actually find this a while ago, but I was hoping to find the key somewhere on makemkv's website or Mike's profile in order to verify its authenticity before I add it to my keyring (for packaging as an RPM). Just trying to be thorough and do as much due diligence as I can.

jemima
Posts: 55
Joined: Fri Oct 06, 2023 1:16 am

Re: GPG keys

#6 Post by jemima » Tue Jan 23, 2024 3:36 am

Yeah, clear, though I haven't found it there either.

Anyway, even then its trust would completely depend on TLS, which - given the broken CA system[0] - isn't really that much.

Regards,
Jemima

[0] Roughly some 150 root CAs in the typical browser bundles, many of them controlled by countries of questionable reputation, not to talk about an unknown (many thousands of?) number of intermediate CAs, which all can forge more or less anything (and did so in the past).

ravas
Posts: 12
Joined: Mon Jan 01, 2024 10:22 pm

Re: GPG keys

#7 Post by ravas » Tue Jan 23, 2024 11:50 pm

I suppose, but the more I can cross-reference the more I can be confident in.
