[GH-ISSUE #1525] Please add a .sig file #1019

Closed
opened 2026-05-05 07:18:52 -06:00 by gitea-mirror · 4 comments

Originally created by @elhanan on GitHub (Sep 3, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1525

I'm unable to use your public key to verify firejail or firetools because you don't make a .sig file available for download. Is there another way to verify firejail and firetools than using a .sig file? 'sha256sum' merely tells me I downloaded the file without error. But it does not provide any security assurance. So the 'sha256sum's are not enough for me. I need a security assurance that the programs came from you by providing a .sig file along with your public key. Will you please provide me a .sig file or tell me how to use your public key without one?


@SkewedZeppelin commented on GitHub (Sep 3, 2017):

All the releases on SourceForge have .asc files alongside them.
https://sourceforge.net/projects/firejail/files/firejail/

The key itself is F951164995F5C4006A73411E2CCB36ADFC5849A7
http://keys.gnupg.net/pks/lookup?op=vindex&fingerprint=on&search=0x2CCB36ADFC5849A7
Import it using `gpg --keyserver keys.gnupg.net --recv-keys F951164995F5C4006A73411E2CCB36ADFC5849A7`

To verify, download the package of choice and the versioned .asc, then run the following

```
gpg --verify firejail*.asc # should print out "Good signature"
sha256sum --check firejail*.asc # should print out "OK" next to the corresponding package
```

Fair warning, some downloaders seem to mangle the ~ in filenames, Chrom* for example will replace it with a hyphen.


@elhanan commented on GitHub (Sep 4, 2017):

Thank you, that worked perfectly. Do I need to run sha256sum separately on the .rpm or .deb packages, or does the sha256sum --check on the .asc file do that for me? I've only ever verified packages using .sig files before. So sorry for being in the dark. No wonder searching the GNU docs didn't help me; I was searching for .sig instructions. Thanks again.


@SkewedZeppelin commented on GitHub (Sep 4, 2017):

If you open up the .asc in any text editor it'll show you what files it has hashes for


@elhanan commented on GitHub (Oct 21, 2017):

Yes, of course. I knew that. But what I was trying to say was do I have to open it in any text editor to verify it myself, or do the commands you helped me with verify that the hashes of the programs match the ones in the file that I can check manually? So basically, do I need to open that file in a text editor if I already ran those commands?

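To make the two-step check in this thread concrete, here is an added example (not firejail project code and not from any commenter) that does what `sha256sum --check firejail*.asc` does on a PGP clear-signed checksum list: skip the armor lines, read the `<sha256>  <filename>` entries, and compare them against the files on disk. Signature verification is deliberately left to `gpg --verify`; the package names, contents and the `.asc` text below are constructed sample data, and a listed file that is absent (for instance because a browser rewrote `~` in its name) is reported as MISSING.

```python
# Added example, not firejail project code: what "sha256sum --check firejail*.asc"
# does in this thread.  The .asc is a PGP clear-signed "<sha256>  <filename>" list;
# gpg --verify proves the list came from the key, this step proves the files match it.
import hashlib, os, tempfile
ARMOR_START = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_START = "-----BEGIN PGP SIGNATURE-----"
def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def checksum_lines(asc_text):
    """Yield (hexdigest, filename) from the clear-signed body, skipping armor."""
    in_body = False
    for line in asc_text.splitlines():
        if line.startswith(ARMOR_START):
            in_body = True
        elif line.startswith(SIG_START):
            break
        elif in_body and not line.startswith("Hash:"):
            parts = line.split(None, 1)         # blank and armor lines do not match
            if len(parts) == 2 and len(parts[0]) == 64:
                yield parts[0].lower(), parts[1].strip().lstrip("*")

def check_clearsigned(asc_path):
    """Return {filename: 'OK'|'FAILED'|'MISSING'}, like sha256sum --check."""
    with open(asc_path) as f:
        asc_text = f.read()
    results = {}
    for digest, name in checksum_lines(asc_text):
        target = os.path.join(os.path.dirname(asc_path), name)   # beside the .asc
        if not os.path.exists(target):
            results[name] = "MISSING"           # e.g. a browser renamed '~' to '-'
        else:
            results[name] = "OK" if sha256_of(target) == digest else "FAILED"
    return results

def demo():
    d = tempfile.mkdtemp()   # constructed sample: intact, tampered, and missing file
    names = ["firejail-sample.tar.xz", "firejail-sample.rpm", "firejail-sample~rc1.deb"]
    for n in names[:2]:
        with open(os.path.join(d, n), "wb") as f:
            f.write(b"constructed package body " + n.encode())
    lines = [f"{sha256_of(os.path.join(d, n))}  {n}" for n in names[:2]]
    lines.append("0" * 64 + "  " + names[2])    # listed, but never downloaded
    asc = os.path.join(d, "firejail-sample.asc")
    with open(asc, "w") as f:
        f.write(f"{ARMOR_START}\nHash: SHA256\n\n" + "\n".join(lines)
                + f"\n{SIG_START}\n(signature omitted)\n-----END PGP SIGNATURE-----\n")
    with open(os.path.join(d, names[1]), "ab") as f:
        f.write(b" tampered")                   # modified after the list was signed
    return check_clearsigned(asc)
```

Running `demo()` reports OK for the intact tarball, FAILED for the tampered rpm and MISSING for the never-downloaded deb; in the real workflow a "Good signature" from gpg plus all-OK from this step is what ties the packages back to the signing key.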