problem in understanding gpg

hey all

Now there is a project on GitHub that I'm interested in.

The project author is including his fingerprint and the public key in a .asc file.

I want to relate things together, as I am new to the space.

How do I make use of both, the public key and the fingerprint, to verify the authenticity of the project?

I will be cloning the repository and using the show-signature flag of git.

Please note that I am still new to the space and would like to learn more and understand what I am doing; I am willing to have long, detailed answers to dive deeper into this topic.

Thank you all in advance.

Hi,

maybe a few hints:

a) The fingerprint is trying to be a unique number for the full public key. So if you compute the fingerprint of a public key and compare it to a different one, it should make sure that you have the same public key. By this you can use the fingerprint to compare public keys via different channels, e.g. via phone or printed business cards.

b) To gain more “trust” in a public key, you need to have different channels that communicate whom a public key belongs to. (That is not an easy concept, but it is universal to avoiding man-in-the-middle attacks in electronic communication.)

c) If individual commits are signed, you can see if your crypto system knows the public keys. When paying close attention you could see if some commits are not signed or not signed by a public key you “trust”. (The question is then, what this means.)

For general crypto questions, the older https://www.gpg4win.de/documentation.html Compendium still has some good basic explanations.

Regards,
Bernhard
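The procedure the question describes (import the author's .asc key, check its fingerprint, then check the commit signatures with git) and points a) and c) of the answer above, as an added example that is not part of this thread. It is a plain POSIX shell script and assumes GnuPG 2.2 or later (for `gpg --show-keys`) and git on the PATH; the key file name, the fingerprint string and the commit argument are placeholders you supply from the project and, per point b), the fingerprint is worth more when it was obtained through a second channel rather than from the same repository as the key. The script only imports the key once the file's fingerprint matches the one you supplied, and it does not stop at git's "Good signature" line: any imported key produces that, so it compares the primary-key fingerprint from gpg's `VALIDSIG` status record against the expected one.

```shell
#!/bin/sh
# Added example (not the thread's or the project's code). Assumes GnuPG 2.2+
# and git in PATH. Usage: sh verify.sh author.asc "<published fingerprint>" [commit]
set -eu

# Canonical form of a fingerprint: hex digits only, upper case, no "0x" prefix,
# so that "0x1234 abcd" and "1234ABCD" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Primary-key fingerprint of the first key in an .asc file, read without
# touching the keyring. In colon-separated output the "fpr" record carries the
# fingerprint in field 10, and the first fpr record belongs to the primary key.
fpr_from_asc() {
    gpg --with-colons --show-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Primary-key fingerprint from gpg status lines read on stdin: the last field of
# the "[GNUPG:] VALIDSIG ..." record (current GnuPG always appends it).
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeeds only when the commit has a valid signature AND that signature was
# made by the key whose fingerprint is $2.
verify_commit_by_fpr() {
    commit=$1
    expected=$(normalize_fpr "$2")
    # --raw sends gpg's machine-readable status lines to stderr; keep only those.
    status=$(git verify-commit --raw "$commit" 2>&1 >/dev/null) || return 1
    actual=$(printf '%s\n' "$status" | primary_fpr_from_status)
    [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$expected" ]
}

main() {
    keyfile=$1
    published=$(normalize_fpr "$2")
    commit=${3:-HEAD}

    in_file=$(normalize_fpr "$(fpr_from_asc "$keyfile")")
    if [ "$in_file" != "$published" ]; then
        echo "fingerprint in $keyfile ($in_file) differs from the published one ($published)" >&2
        return 1
    fi
    # The file and the out-of-band fingerprint agree; only now import the key.
    gpg --import "$keyfile"

    if verify_commit_by_fpr "$commit" "$published"; then
        echo "commit $commit: valid signature by key $published"
    else
        echo "commit $commit: unsigned, bad signature, or signed by a different key" >&2
        return 1
    fi
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

`git log --show-signature` gives the same information in human-readable form for every commit; the scripted `git verify-commit --raw` form is what you want when the fingerprint check should be automatic rather than read by eye.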

One such trust service is Keybase.
Here you can see that I have connected my GitHub to my GPG key.
https://keybase.io/nosubstitute