
Documentation: GPG stanza parameters #22458

Closed
adidalal opened this issue Jun 28, 2016 · 6 comments

Comments

@adidalal
Contributor

adidalal commented Jun 28, 2016

gpg.md should document how to get the key_id

A command line example should be inserted here - unfortunately, I've never used GPG verification so I have no idea how to do so. Pinging @fanquake here

Related to: #16090

@adidalal adidalal added the documentation Issue regarding documentation. label Jun 28, 2016
@fanquake fanquake self-assigned this Jul 3, 2016
@fanquake
Contributor

fanquake commented Aug 8, 2016

When we say we want the key ID, don't we actually mean the fingerprint?
i.e. if you look at the TorBrowser cask, we have:

  gpg "#{url}.asc",
      key_id: 'ef6e286dda85ea2a4ba7de684e2c6e8793298290'

When you look at the Tor Browser Developers key:

gpg --fingerprint 0x4E2C6E8793298290
pub   4096R/0x4E2C6E8793298290 2014-12-15 [expires: 2020-08-24]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
uid                 [ unknown] Tor Browser Developers (signing key) <[email protected]>
sub   4096R/0x7017ADCEF65C2036 2014-12-15 [expires: 2017-08-25]
      Key fingerprint = 5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036
sub   4096R/0x2E1AC68ED40814E0 2014-12-15 [expires: 2017-08-25]
      Key fingerprint = BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0

0x4E2C6E8793298290 or 93298290 is the key ID.
EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 is the key fingerprint.

@miccal
Member

miccal commented Dec 27, 2016

@fanquake I would like to help you with this, as I have some knowledge of gpg. Is there anything you would like me to do?

@tgdnt

tgdnt commented Nov 7, 2017

What we're calling the key_id is known by GPG as the fingerprint.

One way to find fingerprints (known here as key_id) is as follows:

gpg --search-keys <search terms>

Then select the correct match to import the key. For example, gpg --search-keys libreoffice code signing finds the correct key for LibreOffice. Next, type gpg --fingerprint <search terms> to view the fingerprint.

Next, download and verify the signature available on the publisher's website. Note that the installation file must be in the same folder as the signature file.

gpg --verify /path/to/signature

If verification goes well, you can add that fingerprint and the link to the signature file to the cask file. The truth is, though, this last step can probably be done with brew cask audit --download <cask name>.

However, I think it should be noted also that it would be up to the community here to certify that the key_id specified within the cask does in fact belong to the developer or publisher, just like it is up to the contributor to certify that the URLs are owned by the developer, and those are basically trusted by the users. We can see the key_id present within the cask file as a sort of separate key certification that we are providing here.

It would also be worth saying something about whether it is any better to include a gpg check than a hash check. Since both the hash and the key_id are provided by whoever is contributing the cask, I'm not sure how much more secure a gpg check would be.

I can volunteer to write all this into gpg.md, if others agree.
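An added example, not part of this thread or of Homebrew's code: it shows why the cask value should be the full fingerprint rather than the 8- or 16-digit key ID, and how a verifier would compare the fingerprint reported by gpg's machine-readable status output (gpg --status-fd 1 --verify ...) against the cask's key_id. The status lines are constructed, modelled on the Tor Browser key shown above (signing subkey 0x7017ADCEF65C2036, primary key EF6E ... 8290); the function names are my own.

```python
import re

# Constructed sample of gpg --status-fd output for a good signature made by a
# subkey. The last field of VALIDSIG is the primary key fingerprint (constructed).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7017ADCEF65C2036 Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG 5242013F02AFC851B1C736B87017ADCEF65C2036 2016-01-01 1451606400 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
"""

HEX = re.compile(r"^[0-9A-F]+$")


def normalize(value):
    """Strip spaces, a leading 0x and case so 'EF6E 286D ...' and 'ef6e286d...' compare equal."""
    v = value.strip().upper().replace(" ", "")
    if v.startswith("0X"):
        v = v[2:]
    if not HEX.match(v):
        raise ValueError(f"not hexadecimal: {value!r}")
    return v


def key_ids(fingerprint):
    """Return (long key ID, short key ID): the last 16 and last 8 hex digits of a v4 fingerprint."""
    fpr = normalize(fingerprint)
    if len(fpr) != 40:
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fpr[-16:], fpr[-8:]


def signature_matches(status_text, expected_key_id):
    """True if gpg reported a VALIDSIG whose signing-key or primary-key fingerprint
    equals the cask's key_id. Short/long key IDs are refused: they are truncations
    of the fingerprint and can be collided, so they must not be used for trust."""
    expected = normalize(expected_key_id)
    if len(expected) != 40:
        raise ValueError("key_id must be a full fingerprint, not an 8- or 16-digit key ID")
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            # Every 40-hex field on the line is a fingerprint: signing key first,
            # primary key last (when the signature was made by a subkey).
            fingerprints = [f for f in fields[2:] if len(f) == 40 and HEX.match(f)]
            return expected in fingerprints
    return False  # no VALIDSIG at all: bad signature, unknown key, or no output


if __name__ == "__main__":
    print(key_ids("EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290"))
    print(signature_matches(SAMPLE_STATUS, "ef6e286dda85ea2a4ba7de684e2c6e8793298290"))
```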

@fanquake fanquake removed their assignment Nov 7, 2017
@fanquake
Contributor

fanquake commented Nov 7, 2017

@tgdnt go ahead.

@tgdnt

tgdnt commented Nov 7, 2017

An important question: has this functionality been implemented yet?

@commitay
Contributor

commitay commented Nov 7, 2017

No, not yet. Open issues: #164 and #5971

@commitay commitay removed documentation Issue regarding documentation. ready to implement labels Sep 12, 2018
@lock lock bot locked and limited conversation to collaborators Oct 12, 2018