I lack a lot of knowledge around PGP, so it might really be a mistake on my part. When verifying the signature of the Release file from the Google Chrome repository against the provided signing key, gpg recognizes the signatures, while openpgp.js fails to find the signing key, which seems to be a subkey within the signing key.

Reproduction scripts:

openpgp

```javascript
const got = require('got')
const openpgp = require('openpgp')

async function main () {
  // Download the vendor key file, the signed Release file and its detached signature
  const { body: armoredKeys } = await got('https://dl-ssl.google.com/linux/linux_signing_key.pub')
  const { body: text } = await got('https://dl.google.com/linux/chrome/deb/dists/stable/Release')
  const { body: armoredSignature } = await got('https://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg')

  const message = await openpgp.createMessage({ text })
  const signature = await openpgp.readSignature({ armoredSignature })
  const verificationKeys = await openpgp.readKeys({ armoredKeys })

  // Verify the detached signature over the Release text with the downloaded keys
  const verificationResult = await openpgp.verify({ expectSigned: true, message, signature, verificationKeys })
  const { verified } = verificationResult.signatures[0]
  await verified
}

main()
```

When verifying with openpgp, it fails to find the signing key:
gpg

```bash
#! /usr/bin/env bash
# Same inputs as the openpgp.js script, verified with the gpg command line tool
wget https://dl-ssl.google.com/linux/linux_signing_key.pub
wget https://dl.google.com/linux/chrome/deb/dists/stable/Release
wget https://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg
gpg --import linux_signing_key.pub
gpg --verify Release.gpg Release
```

When running with gpg, it seems to verify correctly:
The key input file is not formatted properly to be read using `readKeys`. That function expects a specific type of armored data, which includes multiple keys in a single block, not separate armored keys. Your code is thus reading the first key only, which is not the one that signed the message.

We don't have an API to automatically read the key file you are provided, you'll have to manually extract the separate keys (one option is to split the text based on the armored delimiters `-----BEGIN PGP PUBLIC KEY BLOCK-----`). In this case, the second key is the signing one, in case you want to extract it manually, to test that it works 🙂

PS: passing `expectSigned: true` to `verify` is sufficient to confi…