Whilst installing updates I get this Import PGP key:
The PGP key F23275E4BF10AFC1DF6914A6DBD2CE893E2D1C87 is needed to verify libkcompactdisc source files.
Trust Christoph Feck <cfeck@kde.org> and import the PGP key ?
I’m being prompted to either Cancel or Trust and Import.
Is there any way to verify that this PGP signature is that of this actual developer at this point in time, and not some leaked or fake one someone’s using maliciously?
A follow up question: suppose this key is not to be trusted, but is imported regardless. What’s the damage potential?
I’m sure there is a formal way of checking a PGP key, but a quick way is just to google it. In this case you’ll see it belongs to the person the message says.
If you trust a key belonging to a malicious actor, then they can produce a package containing malware and you can inadvertently install it believing it’s from a trusted source.
As you can see, the install script already verified it for you (not sure whether against an online or local trust store; gpg search will be online and most up to date).
It is one thing to verify the package is signed by the person, another if you decide to trust this person.
I think the more appropriate question is whether you need libkcompactdisc. It appears that this package was recently moved from the Arch repositories to the AUR. This package is not required by any other package. In all likelihood, you should just remove it.
@Teo
Thanks I had no idea you could search them like that.
My concern stemmed from a question: “can’t just about anyone create a key with any name or email?”. Like, when generating a key, I can probably create one in the name of a famous billionaire - as far as I’m aware gpg does not do any checks to verify the inputs.
So in such an event the question of trusting the key would come down to not so much trusting the person, but about being able to verify that the key with this metadata belongs to that person and not some impersonator. For instance, one of the keys I got prompted about I found behind this [link] - I ran the public key through the gpg command and got the same signature. Though not all the devs I got prompted about were listed here. Plus I wondered if there’s a better way to verify this. I will look more into this --search-keys - I’m curious how it works.
@Takakage
I was thinking that same thing. I don’t even have a cd player on this particular laptop.
I will probably need to just remove it.
As you can see, it is a name and email. So if one’s email is compromised, yes, a new key from a malicious actor can be created with that name. It’s not a perfect system but better than nothing.
It works way better if you already have the key of the person, to verify it is still that person. That is the principle of the update packages. But if the key is unknown there is nothing to verify against. The only thing you can do is to add it to your keystore so that you can verify next time you install something signed by that person.
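An added example, not from anyone in this thread: the name and e-mail in a key's user ID are free-form, so the only thing worth comparing is the full fingerprint. This Python helper pulls the fingerprints an AUR PKGBUILD will prompt you to import (its validpgpkeys array) and checks each against a fingerprint obtained out of band (the developer's published key, as the poster did via the link), refusing to compare anything shorter than the full 40 hex digits. The PKGBUILD fragment and the out-of-band list are constructed; the fingerprint is the one from the prompt above.

```python
import re
from typing import List, Tuple

# Full fingerprint from the makepkg prompt quoted in the thread.
PROMPT_FINGERPRINT = "F23275E4BF10AFC1DF6914A6DBD2CE893E2D1C87"

# Constructed PKGBUILD fragment standing in for the AUR package's build file.
# Only the validpgpkeys line matters here; it holds the page's fingerprint.
SAMPLE_PKGBUILD = """\
pkgname=libkcompactdisc
validpgpkeys=('F23275E4 BF10AFC1 DF6914A6 DBD2CE89 3E2D1C87')  # Christoph Feck
"""

# Constructed stand-in for a fingerprint fetched out of band (e.g. printed by
# running the developer's published public key through gpg, as in the thread).
OUT_OF_BAND_FINGERPRINTS = ["F232 75E4 BF10 AFC1 DF69  14A6 DBD2 CE89 3E2D 1C87"]


def normalize_fingerprint(text: str) -> str:
    """Drop spaces/colons and upper-case so differently formatted copies compare equal."""
    return re.sub(r"[\s:]", "", text).upper()


def parse_validpgpkeys(pkgbuild: str) -> List[str]:
    """Return the normalized fingerprints listed in a PKGBUILD's validpgpkeys array."""
    m = re.search(r"validpgpkeys=\((.*?)\)", pkgbuild, re.S)
    if not m:
        return []
    quoted = re.findall(r"['\"]([0-9A-Fa-f\s:]+)['\"]", m.group(1))
    return [normalize_fingerprint(v) for v in quoted]


def fingerprint_matches(candidate: str, trusted: List[str]) -> Tuple[bool, str]:
    """Compare a candidate against trusted fingerprints.

    Only a full 40-hex-digit fingerprint is accepted: short (8) and long (16)
    key IDs are merely the fingerprint's tail and are cheap to collide, so a
    match on them proves nothing about who holds the key.
    """
    fp = normalize_fingerprint(candidate)
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        return False, "not a full 40-hex-digit fingerprint; refusing to compare a key ID"
    if fp in {normalize_fingerprint(t) for t in trusted}:
        return True, "full fingerprint matches an out-of-band copy"
    return False, "fingerprint not in the out-of-band list; do not import"


def check_pkgbuild(pkgbuild: str, trusted: List[str]) -> List[Tuple[str, bool, str]]:
    """Check every key a PKGBUILD would ask you to import; returns (fp, ok, reason)."""
    return [(fp, *fingerprint_matches(fp, trusted)) for fp in parse_validpgpkeys(pkgbuild)]
```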