Best way is to spread your key fingerprint around imo.
If you only use one site as the source of trust, it's a single point of failure. Even if it's GitHub.
I have to do that myself, still figuring things out around PGP keys
agree, and some of them are quite hard to search, e.g. Mullvad VPN, I couldn't find it in other places besides their site, madness.
reply
I don't see a key fingerprint there 👀
reply
MullvadVPN-2023.6.pkg.asc
👀
Why are the devs making things too tricky? Is it really meant for people to verify, or just trust?
I have to do that myself, still figuring things out around PGP keys
same, I'm verifying all the software that I use, good thing is I don't use many.
reply
0 sats \ 1 reply \ @ek OP 25 Feb
That's a signature, not a key fingerprint 👀
do I have to revoke this message using a new signed message 👀👀👀
reply
then I couldn't find it other than their site - how is that possible, given how many people are using their tools. 😂
Once you’ve observed enough matching fingerprints from enough independent sources in enough different ways that you feel confident that you have the genuine fingerprint, keep it in a safe place.
reply
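The cross-checking described in the thread (collect the fingerprint from several independent places, then keep it once they agree), as an added example that is not part of any post here. The source labels, the fingerprint value and the `min_sources` threshold are constructed assumptions; the check rejects short key IDs and non-fingerprint values such as a `.asc` signature file name.

```python
import re
from collections import defaultdict

# Full OpenPGP fingerprints are 40 hex digits (v4, SHA-1) or 64 (v6, SHA-256).
FULL_LENGTHS = (40, 64)

def normalize(raw):
    """Return a fingerprint as upper-case hex, or raise ValueError."""
    s = re.sub(r"[\s:]", "", raw)          # drop spacing and colon separators
    if s[:2].lower() == "0x":
        s = s[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError(f"not a fingerprint: {raw!r}")
    if len(s) not in FULL_LENGTHS:
        # 8- or 16-digit key IDs can be collided, so they are not evidence.
        raise ValueError(f"short key ID or truncated value: {raw!r}")
    return s.upper()

def agreed_fingerprint(observations, min_sources=3):
    """observations: (source label, raw text) pairs. Returns (fp, rejected)."""
    seen, rejected = defaultdict(set), []
    for source, raw in observations:
        try:
            seen[normalize(raw)].add(source)
        except ValueError as err:
            rejected.append((source, str(err)))
    if len(seen) > 1:                       # any disagreement stops the process
        raise RuntimeError(f"sources disagree: {dict(seen)}")
    if not seen or len(next(iter(seen.values()))) < min_sources:
        raise RuntimeError("not enough independent sources agree yet")
    return next(iter(seen)), rejected

# Constructed sample data: hypothetical sources, made-up fingerprint.
OBSERVATIONS = [
    ("vendor website", "A1B2 C3D4 E5F6 0718 293A 4B5C 6D7E 8F90 A1B2 C3D4"),
    ("keyserver lookup", "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4"),
    ("source repository", "0xA1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4"),
    ("forum post", "A1B2C3D4"),                        # short key ID only
    ("download page", "MullvadVPN-2023.6.pkg.asc"),    # a signature file name
]

if __name__ == "__main__":
    fp, rejected = agreed_fingerprint(OBSERVATIONS)
    print("agreed fingerprint:", fp)
    for source, reason in rejected:
        print("ignored", source, "->", reason)
```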