Hi,
I am using Ubuntu (Pop!_OS), and when I run "gpg --import satoshilabs-2021-signing-key.asc", I get the following message.
desk@pop-os:~$ gpg --import /home/desktop-root/DOKU/satoshilabs-2021-signing-key.asc
gpg: key E21B6950A2ECB65C: 1 signature not checked due to a missing key
gpg: key E21B6950A2ECB65C: “SatoshiLabs 2021 Signing Key” not changed
gpg: Total number processed: 1
gpg: unchanged: 1
desk@pop-os:~$ gpg --import /home/desktop-root/DOKU/Trezor-Suite-21.5.1-linux-x86_64.AppImage.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
I think I’m having problems with this operation. What action can I take to improve this problem?
Thanks for the advice. The messages “[unknown]” and “WARNING” are displayed. What can I do to fix this?
desk@pop-os:~$ gpg --verify /home/desktop-root/DOKU/Trezor-Suite-21.5.1-linux-x86_64.AppImage.asc
gpg: assuming signed data in ‘/home/desktop-root/DOKU/Trezor-Suite-21.5.1-linux-x86_64.AppImage’
gpg: Signature made 2021年05月07日 22時39分07秒 JST
gpg: using RSA key EB483B26B078A4AA1B6F425EE21B6950A2ECB65C
gpg: Good signature from “SatoshiLabs 2021 Signing Key” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB48 3B26 B078 A4AA 1B6F 425E E21B 6950 A2EC B65C
What the warning is saying is that the signature is OK, but we have no way of knowing where this key came from.
If you are sure that you have the right key, you can silence the warning by signing the key yourself (basically saying “yes, I know this is the right key”): gpg --sign-key EB483B26B078A4AA1B6F425EE21B6950A2ECB65C
Because both the Trezor Suite application Trezor-Suite-21.6.2-mac.dmg and the signing key, satoshilabs-2021-signing-key.asc, are downloaded from the same source, https://suite.trezor.io, it seems like best practice to download the signing key from a separate official Trezor site/source.
Theoretically, if the site the app download is from is not legitimate, the signing key could also be illegitimate as it comes from the same site.
An attacker would need to subvert both places to get you to download a bad package. If the key were on GitHub also, they would just need to subvert GitHub.
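The two points above (the “[unknown]” warning only means the key has no trust path, and the key's authenticity should come from an independent source) can be combined in a script. This is an added example, not code from the thread or from Trezor: instead of signing the key, it pins the primary-key fingerprint (the one printed in the thread, which you would confirm against a second source) and checks gpg's machine-readable status output; the sample status lines are constructed to resemble the thread's output.

```shell
#!/bin/sh
# Added example, not from this thread or from Trezor. Pins the primary-key
# fingerprint shown in the thread (confirm it via an independent source) and
# checks gpg's --status-fd output rather than relying on web-of-trust state.
EXPECTED_FPR="EB483B26B078A4AA1B6F425EE21B6950A2ECB65C"

# Read "gpg --status-fd 1" output on stdin. Succeed only when a VALIDSIG line
# names the expected primary-key fingerprint and no BADSIG/ERRSIG/NODATA line
# appears. VALIDSIG layout (gnupg doc/DETAILS):
#   [GNUPG:] VALIDSIG <sig-fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> <primary-fpr>
check_gpg_status() {
  expected=$1
  valid=0
  bad=0
  while IFS= read -r line; do
    case $line in
      "[GNUPG:] VALIDSIG "*)
        fpr=$(printf '%s\n' "$line" | cut -d' ' -f3)
        primary=$(printf '%s\n' "$line" | cut -d' ' -f12)
        # older gpg omits the primary fingerprint; fall back to the signing key's
        [ "${primary:-$fpr}" = "$expected" ] && valid=1
        ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*)
        bad=1
        ;;
    esac
  done
  [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Verify <file> against the detached signature <file>.asc. Assumes gpg is
# installed and the signing key has been imported as in the thread.
verify_download() {
  gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_gpg_status "$EXPECTED_FPR"
}

# Constructed status lines resembling the thread's "Good signature ... [unknown]"
# case: the signature is valid, but the key has no trust path (TRUST_UNDEFINED).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E21B6950A2ECB65C SatoshiLabs 2021 Signing Key
[GNUPG:] VALIDSIG EB483B26B078A4AA1B6F425EE21B6950A2ECB65C 2021-05-07 1620394747 0 4 0 1 10 00 EB483B26B078A4AA1B6F425EE21B6950A2ECB65C
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Returns 0: the pinned fingerprint matches even though gpg says "[unknown]".
check_sample() {
  printf '%s\n' "$SAMPLE_STATUS" | check_gpg_status "$EXPECTED_FPR"
}
```

Run `verify_download /path/to/Trezor-Suite-21.5.1-linux-x86_64.AppImage` after importing the key; a mismatched fingerprint, a bad signature, or the “no valid OpenPGP data found” case all make it fail.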
Thanks @matejcik I was going at it the wrong way, trying to find the key on GitHub because I had started by downloading the app and signature on trezor.io. But as you say it is indeed possible to get the files from independent sources if you do it the other way around, taking the signature on GitHub.
Why not directly provide the signature as a link to GitHub on the trezor.io download page? It would make it easier to do the verification right for newcomers.
Hi. I want to do the verification of the Trezor app as advised on the Trezor website. Unfortunately I can only download the app file and the signature. If I try to download the signing key my browser tells me that the site couldn't be found (I use Linux). I know that this question has been asked before, but the answers to the posts did not really help me. What can I do to do the verification? Where can I download the signing key?
I am also on Linux and encountered the same issue. I was using Brave browser at the time.
Clicking the “Signing key 2021” link took me to a page stating, “We couldn’t find this page”.
When I clicked the browser’s “back” button to go back a page in the tab’s history, it then popped up the download for me.
Very strange behaviour.
I then encountered the same issues mentioned by KIT previously on the page, when checking the gpg key in terminal.