by hsivonen
3222 days ago
Your example fetches the key from the keyserver without https. Fetching the key from the project's own site over https using curl is better. Edited to add: Fetching from a keyserver is OKish if a) you use the long form of key id and b) your gpg is new enough that it checks that it got the key for the id it requested. Still, the Web page you copy the key id from is as vulnerable to an attack on the server as the server serving the key directly.
Especially when copying and pasting things anyway, the long form should always be preferred. I think there was an article on here several months ago on the dangers of using abbreviated fingerprints.
Manipulation of the fingerprint on the web page could be easier to detect using the archive.org wayback machine, which might not index the keyfile. Doesn't prevent manipulation but might make it easier to detect if you're suspicious.
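Both comments above come down to one check a defender can script: after fetching a key file over https, compare the key's full fingerprint against the value you were given, and never trust an abbreviated key id as the identity of a key. The following is an added example, not code from either commenter; it assumes the key has been fetched to disk and then run through gpg's machine-readable output (the `--with-colons` format, where an `fpr` record carries the full fingerprint in the tenth field). The sample output, the project name and all fingerprints in it are constructed for the example and are not real keys.

```python
import re

# Constructed sample of gpg --with-colons output for two imported keys
# (for example from: gpg --with-colons --import-options show-only --import key.asc).
# Only the "fpr" records matter here; field 10 holds the full v4 fingerprint.
# The two keys are built so that their SHORT ids (last 8 hex digits) collide,
# while their LONG ids (last 16 hex digits) and full fingerprints differ.
SAMPLE_GPG_OUTPUT = """\
pub:-:4096:1:0123456789ABCDEF:1500000000::::::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA980123456789ABCDEF:
uid:-::::1500000000::::Example Project <release@example.invalid>:
pub:-:4096:1:6666777789ABCDEF:1500000000::::::scESC:
fpr:::::::::0000111122223333444455556666777789ABCDEF:
uid:-::::1500000000::::Look-alike Key <evil@example.invalid>:
"""


def normalize(hex_text):
    """Strip spaces and other separators from a fingerprint or key id and upper-case it."""
    return re.sub(r"[^0-9A-Fa-f]", "", hex_text).upper()


def extract_fingerprints(colon_output):
    """Return the full fingerprints of every key in gpg --with-colons output."""
    fingerprints = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fingerprints.append(fields[9].upper())
    return fingerprints


def matches_expected(expected, fingerprints):
    """True only if the expected value is a FULL fingerprint present in the key material.

    A v4 OpenPGP fingerprint is 160 bits, i.e. 40 hex digits. Anything shorter is a
    key id, which is not unique enough to identify a key, so we refuse to compare it.
    """
    expected = normalize(expected)
    if len(expected) != 40:
        raise ValueError("expected value must be a full 40-hex-digit fingerprint, not a key id")
    return expected in fingerprints


def keyid_candidates(key_id, fingerprints):
    """Count how many of the keys a (short or long) key id would select.

    The long key id is the last 16 hex digits of the fingerprint, the short id the
    last 8, so a key id matches every fingerprint that ends with it.
    """
    key_id = normalize(key_id)
    return sum(1 for fp in fingerprints if fp.endswith(key_id))


if __name__ == "__main__":
    fps = extract_fingerprints(SAMPLE_GPG_OUTPUT)
    print("fingerprints in key file:", fps)
    print("full fingerprint match:",
          matches_expected("FEDC BA98 7654 3210 FEDC BA98 0123 4567 89AB CDEF", fps))
    print("keys selected by short id 89ABCDEF:", keyid_candidates("89ABCDEF", fps))
    print("keys selected by long id 0123456789ABCDEF:", keyid_candidates("0123456789ABCDEF", fps))
```

The two counts at the end are the point of the second comment: the short id picks both keys, the long id picks one, and only the full fingerprint comparison in `matches_expected` actually identifies the key. In a release-verification script the expected fingerprint should come from a source other than the server that serves the key, since, as hsivonen notes, a page and a key file on the same server fall together.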