Provide fingerprint of Cryptotrust public GPG key

Question

Provide fingerprint of Cryptotrust public GPG key

Closed this issue 3 years ago · 7 comments

The public GPG key is published on releases, and linked in the Desktop app documentation, but the key should be verified for it to be trusted by users.

You should make public the fingerprint of the public key (I see A1D6 4A3B 496C B0F3 6E12 B46F 9A9F 520D 44EA 53D1) in as many different channels as possible:

Onlykey documentation
Onlykey github
Blog
Forum
Twitter

Answer 1 · 2021-06-12T15:21:47.000Z

We include the GPG key on the Linux releases page as we only use GPG to sign Linux app. Mac app requires using Apple code signing key and Windows requires using Microsoft code signing key.

Answer 2 · 2021-06-12T15:26:11.000Z

I'm asking to include the fingerprint of the key in multiple places, not the full public key. The fingerprint is fundamental to be able to trust the public key.

Answer 3 · 2021-06-12T15:27:23.000Z

Calculate it with:

$ gpg --fingerprint 9A9F520D44EA53D1
pub   rsa4096 2019-10-15 [SC]
      A1D6 4A3B 496C B0F3 6E12  B46F 9A9F 520D 44EA 53D1
uid           [ unknown] CryptoTrust LLC <admin@cryptotrust.net>
sub   rsa4096 2019-10-15 [E]

Then publish A1D6 4A3B 496C B0F3 6E12 B46F 9A9F 520D 44EA 53D1 in as many channels as possible, see ideas in my original comment.

Answer 4 · 2021-06-13T21:49:56.000Z

If you received or downloaded a key in a , you can and should display its fingerprint before importing it into your keyring, in that way you can verify the fingerprint without possibly spoiling your keyring and adding a compromised key:

gpg --with-fingerprint <keyfile>

https://riseup.net/ru/security/message-security/openpgp/gpg-best-practices#check-key-fingerprints-before-importing

Answer 5 · 2021-06-13T21:59:53.000Z

I think I missed the rationale as to the attack vector that my proposal protects against: a malicious attacker could hack Github or Onlykey's Github account, and replace the public key in one or more releases with a malicious public key. By having the fingerprint published in other unrelated channels it would be much more difficult for the attacker to replace the public key with a new one, as users could check that the public key doesn't match the expected fingerprint.

It's very important that the full fingerprint is published, and not the shortened version, that can be easily spoofed.

I'm sorry for adding so many comments to this thread, I think with this you have enough information to make a decision.

Answer 6 · 2021-08-23T16:17:19.000Z

Please do this, having a fingerprint of your public key available in multiple different channels is fundamental to the GPG key being trustable. Right now the users have no idea if your github account is compromised and a fake GPG key put in place of your real one, by making a fingerprint accessible in multiple separate places, we can verify that the public key is actually you and not an imposter.

Answer 7 · 2021-08-23T17:51:39.000Z

The key ID was added to docs.crp.to a while back, also to the forum FAQ. It is also in the github releases. Keep in mind this key is only used for signing the Linux DEB app.