pull down to refresh

wait, so when the software was signed all you need to do is finding the correct public key ( the more sources suggesting the same key the better ), and then verify the asc? that's all?
Yes. The "asc" is the (detached) signature.
The hardest part is verifying the public key but most people just skip that lol
reply
how hard can it be, all you need to do is to search. 😂
reply
To be fair, I think if the instructions mention to import the key from a site like Keybase like Sparrow does, I think it's fine. Most important thing is to not import the public key from the same site you received everything else and I think if people just follow instructions, they automatically do that.
It just makes me feel uneasy if people are not aware that this is important. The why's and so on.
reply
It just makes me feel uneasy if people are not aware that this is important.
like @DarthCoin say - education is key 🔑
reply
Haha yes. Like a secret key hidden in plain sight.
reply
is my understanding correct?
the logic behind this is the dev uses his private key to sign the signature ( asc ) which then hash the software.
reply
359 sats \ 24 replies \ @ek OP 24 Feb
Yes
You just summarized my post with a few words haha
Wait, no. The dev signs the software (or whatever). The signature IS the hash "encrypted" with the private key.
reply
hmmmm, I need to do more practice to understand it better, and I still don't get the part when you need to do the checksum or not? 👀
now I finally understand what you mean here, why not just put each dev's key in GitHub 😨
reply
Best way is to spread your key fingerprint around imo.
If you only use one site as the source of trust, it's a single point of failure. Even if it's Github.
I have to do that myself, still figuring things out around PGP keys