Wait, so when the software was signed, all you need to do is find the correct public key (the more sources suggesting the same key the better) and then verify the asc? That's all?
480 sats \ 37 replies \ @ek OP 24 Feb
Yes. The "asc" is the (detached) signature.
The hardest part is verifying the public key but most people just skip that lol
reply
How hard can it be? All you need to do is search. 😂
reply
346 sats \ 28 replies \ @ek OP 24 Feb
To be fair, if the instructions say to import the key from a site like Keybase, as Sparrow does, I think it's fine. The most important thing is to not import the public key from the same site you received everything else from, and I think if people just follow the instructions, they automatically do that.
It just makes me feel uneasy if people are not aware that this is important. The whys and so on.
reply
It just makes me feel uneasy if people are not aware that this is important.
Like @DarthCoin says, education is key 🔑
reply
Haha yes. Like a secret key hidden in plain sight.
reply
Is my understanding correct?
The logic behind this is that the dev uses his private key to sign the signature (asc), which then hashes the software.
reply
359 sats \ 24 replies \ @ek OP 24 Feb
Yes
You just summarized my post in a few words haha
Wait, no. The dev signs the software (or whatever). The signature IS the hash "encrypted" with the private key.
reply
Hmmmm, I need more practice to understand it better, and I still don't get the part about when you need to do the checksum or not 👀
Now I finally understand what you mean here. Why not just put each dev's key on GitHub? 😨
reply
Best way is to spread your key fingerprint around imo.
If you only use one site as the source of trust, it's a single point of failure. Even if it's GitHub.
I have to do that myself, still figuring things out around PGP keys
reply
Agreed, and some of them are quite hard to search for, e.g. Mullvad VPN; I couldn't find it anywhere besides their site. Madness.
reply
I don't see a key fingerprint there 👀
reply
MullvadVPN-2023.6.pkg.asc
👀
Why are the devs making things so tricky? Is it really meant for people to verify, or just to trust?
I have to do that myself, still figuring things out around PGP keys
Same, I'm verifying all the software that I use; the good thing is I don't use much.
reply
0 sats \ 1 reply \ @ek OP 25 Feb
That's a signature, not a key fingerprint 👀
Do I have to revoke this message using a new signed message? 👀👀👀
reply
Then I couldn't find it anywhere other than their site. How is that possible, given how many people are using their tools? 😂
Once you’ve observed enough matching fingerprints from enough independent sources in enough different ways that you feel confident that you have the genuine fingerprint, keep it in a safe place.
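As an added example (not code from this thread, nor from Mullvad, Sparrow or any other project named here), this is how the whole process discussed above can be scripted: pin the fingerprint you gathered from several independent sources, run gpg on the detached .asc, accept only if the key reported in gpg's status output matches the pin, and, for projects that sign a SHA256SUMS file instead of the binary, also check the binary's hash. The PINNED_FPR value is a constructed placeholder, not any real project's key.

```python
from __future__ import annotations

import hashlib
import re
import subprocess
from pathlib import Path

# Constructed placeholder, not a real key: in practice this is the fingerprint you
# collected from several independent sources (Keybase, the project's docs, other
# people's posts) and then kept in a safe place, as the thread above describes.
PINNED_FPR = "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678"


def normalize_fpr(fpr: str) -> str:
    """Drop spaces/colons and upper-case so fingerprints copied from different sources compare."""
    return re.sub(r"[\s:]", "", fpr).upper()


def fingerprints_agree(sources: dict[str, str]) -> bool:
    """True only if every independently collected fingerprint is the same 40-hex-digit value."""
    values = {normalize_fpr(v) for v in sources.values()}
    return len(values) == 1 and re.fullmatch(r"[0-9A-F]{40}", next(iter(values))) is not None


def signer_fingerprints(status: str) -> set[str]:
    """Full fingerprints from a VALIDSIG line of `gpg --status-fd 1` output (the signing key
    and, when present, its primary key). GOODSIG only carries a 64-bit key ID, so it is ignored."""
    found: set[str] = set()
    for line in status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            found.add(parts[2].upper())
            if len(parts) >= 12:  # 10th data field of VALIDSIG is the primary key fingerprint
                found.add(parts[11].upper())
    return found


def verify_detached(artifact: Path, sig: Path, pinned_fpr: str = PINNED_FPR) -> bool:
    """Verify the detached .asc with gpg and accept only if the signer matches the pinned key.
    A GOODSIG from some other imported key, or gpg's own trust model, is deliberately not enough."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(artifact)],
        capture_output=True, text=True, check=False)
    return normalize_fpr(pinned_fpr) in signer_fingerprints(proc.stdout)


def sha256_matches(artifact_bytes: bytes, expected_hex: str) -> bool:
    """For projects that sign a SHA256SUMS file rather than the binary itself: once the
    signature on SHA256SUMS verifies, the downloaded binary must still match its listed hash."""
    return hashlib.sha256(artifact_bytes).hexdigest() == expected_hex.strip().lower()
```

Where the project signs the artifact directly (a `.pkg.asc` next to the `.pkg`, as in the Mullvad case above), `verify_detached` alone covers it; the checksum step only applies when the signed file is a list of hashes.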