Hi, I'm trying to verify an OpenWrt img file I downloaded using gpg. I tried downloading the gpg key, but it has a .asc extension, NOT a .gpg extension; is this right? Also, how does this file relate to the sha256sums.asc file, sha256sums.txt and sha256sums.sig?? Instructions for something so important should be made clearer!
Thanks all for responding. I ran the commands specified and it all seems legit, including the fingerprint matching the one on the site. However, does anyone happen to know why it says the text in bold below about '...key is not certified... no indication signature belongs to owner...'? After all, you folks manage these public keys?
*gpg: Good signature from "OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02@openwrt.org>" [unknown]*
***gpg: WARNING: This key is not certified with a trusted signature!***
***gpg: There is no indication that the signature belongs to the owner.***
I take your point, but don't self-signed certs defeat the purpose of verification through published public keys? Don't get me wrong, I do appreciate the software you are providing to the public!
Yes, but a fully verified certificate needs a company at the top of the verification hierarchy to verify you are you. And that usually costs money and is complicated.
In pretty much all open source projects this is solved somewhere in between, in that you verify the webpage the open source verification certificate is downloaded from.
But in the end it is up to you to trust the OpenWrt webpage and, if you want, to manually set the certificate as "ultimately trusted" to get rid of the warning.
But if you really lose sleep over authenticity, you can build from source code instead.
Then you don’t use gpg verification at all.
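The full chain the thread walks through (import the armored .asc key, check its fingerprint, verify the detached signature on sha256sums, then check the image against the signed hash list), as an added example that is not from any poster. It runs offline against a constructed throwaway key and a fake image so the "GOODSIG but key not certified" situation and the two tamper cases can be exercised without downloading anything; in real use, key.asc is the OpenWrt signing key and the printed fingerprint must match the one on the download page.

```shell
#!/bin/sh
set -eu

# Usage: verify_release KEY.asc SHA256SUMS SHA256SUMS.sig IMAGE_DIR
# Returns 0 only if the signature over sha256sums is GOOD and the image in
# IMAGE_DIR matches its signed hash. The "key is not certified" warning is
# expected with a freshly imported key: nobody in YOUR keyring has vouched
# for it, so comparing the fingerprint against the website stands in for that.
verify_release() {
    vhome=$(mktemp -d) && chmod 700 "$vhome"
    GNUPGHOME="$vhome" gpg --batch --quiet --import "$1"
    echo "Key fingerprint (compare with the one on the download page):"
    GNUPGHOME="$vhome" gpg --batch --with-colons --fingerprint | awk -F: '$1=="fpr"{print $10; exit}'
    # --status-fd gives a machine-readable verdict instead of parsing the human text
    GNUPGHOME="$vhome" gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    sums=$(readlink -f "$2")
    (cd "$4" && sha256sum --ignore-missing --check --status "$sums")
}

# Constructed stand-in for the build system: a fake image, its sha256sums,
# a throwaway signing key exported as armored .asc, and a detached .sig.
make_release() {
    work=$(mktemp -d); signer=$(mktemp -d); chmod 700 "$signer"
    printf 'constructed fake firmware image\n' > "$work/openwrt-test.img"
    (cd "$work" && sha256sum openwrt-test.img > sha256sums)
    GNUPGHOME="$signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Constructed Signer <signer@example.invalid>' default default never
    GNUPGHOME="$signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$work/sha256sums.sig" "$work/sha256sums"
    GNUPGHOME="$signer" gpg --batch --quiet --armor --export > "$work/key.asc"
    echo "$work"
}

# Returns 0 when: the untampered release verifies, a tampered image is
# rejected (signature on sha256sums still good, hash mismatch), and a
# tampered sha256sums is rejected (BADSIG). Non-zero codes tell which failed.
run_demo() {
    rel=$(make_release)
    verify_release "$rel/key.asc" "$rel/sha256sums" "$rel/sha256sums.sig" "$rel" || return 10
    printf 'malicious change\n' >> "$rel/openwrt-test.img"
    verify_release "$rel/key.asc" "$rel/sha256sums" "$rel/sha256sums.sig" "$rel" && return 11
    printf 'x\n' >> "$rel/sha256sums"
    verify_release "$rel/key.asc" "$rel/sha256sums" "$rel/sha256sums.sig" "$rel" && return 12
    return 0
}
```

Run `run_demo` to see the fingerprint printed once per verification and the three verdicts; note that even the good case still prints the "not certified" warning on stderr if you drop the `2>/dev/null`.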