Where do you find the keys used to sign LibreWolf's AppImage?

3 replies [Last post]
castell
Offline
joined: 08/19/2025

First of all, hello to the whole community and to each of its members.

I am a retired professional who wants to learn a lot about Trisquel in particular, and about libre programs in general.

In fact, a few weeks ago, I found in this forum a post where, if I do not remember wrongly, one of the developers of Trisquel suggested the use of LibreWolf.

Then, I downloaded it (as an AppImage) from here. I downloaded as well the corresponding sha256sum and the .sig file, in order to test the integrity and the authenticity of the file.

However, I only tested the first of these (there was a good deal of negligence in not testing authenticity).

And last week I said to myself: OK, it is time to do it. But after more than 30 minutes searching hard in English and in Castilian, I found nothing about the public key of the AppImage in question.

I found one comment about some error when installing LW on Fedora, here.

According to this post in codeberg, that was the key I needed. So, I searched and imported that key, successfully.

662E 3CDD 6FE3 2900 2D0C A5BB 4033 9DD8 2B12 EF16

But when I tried to verify the AppImage, the error I received using gpg was:

gpg: Can't check signature: No public key

Then I tried to import the very same key included in the .sig file:

A98C 3D13 64D8 C164 0814 3C2E 2954 CC85 85E2 7A3F

The error I received was:

gpg: keyserver receive failed: No data

Finally I found a public key used to write about security issues here:

8929 4031 1B95 BCF8 A6B2 5EED 9CB7 6010 9F0C 8D93

I imported it with gpg, successfully again, but when I tried again to verify LW's authenticity I had the same first error:

gpg: Can't check signature: No public key

I already emailed the team to this address:

security-issues at librewolf.net

But I have no answer yet.

Please, correct me if I am wrong, because I really want to learn, but my questions are simply these 3:

1. Is it true that I need the public key in order to verify the authenticity of the AppImage, having it with its .sig file?

2. Do you know where to find that public key?

3. Is it common to be that difficult finding a simple key to verify the authenticity of a program?

Aku.trisquel
Offline
joined: 08/06/2025

Hi, welcome to Trisquel, please be aware Trisquel is not like other distributions of the GNU System, its users are oftentimes far more friendly and approachable, less programmatic and rigid, and mainly, are inclined in the interest of free software, and ethical computing, as opposed to the standard conventions, of following predefined limitations of similar GNU Systems.

Please, don't "verify" the Librewolf browser. Instead, open up a paint program, with dimensions that match your desktop resolution, make the whole background black, draw a giant red square where you would like your browser to reside on your desktop, then, use the application within the giant red square on top of your solid black background, to persistently remind you, of the reality of the situation. (not trying to sound mean, but in another thread someone just criticized debian, so maybe now I am mad!)

(and to answer your question, you generally have to follow specific instructions to achieve your goals, which are provided by the software distributor, or its documentation)
(and keys can change over time, so you will want to identify, the "latest" version, to match up with the latest keys, of the distributor, which is also not an ideal situation to make the most of technology...)

Aku.trisquel
Offline
joined: 08/06/2025

Like this... this might be the most useful thing you can do for your security, besides utilizing alternative means, for using the internet, as opposed to prescribed methodology.

If you have a dark theme, a darker background will help add contrast that aids readability, of course I don't know your desktop resolution, but here is what it looks like for me, at 1920x1080. (it works similarly for a light theme, to detract from the overall brightness, and it's a standard resolution you can try scaling it.)

Putting the image in my wallpapers directory, when I want to use the internet, and remind myself, of the inherent danger of the situation, as opposed to assuming a false sense of security, I can quickly switch the background.

A zero cost application, that may dramatically improve your decision making, and you can certainly "verify" that's true.

It's actually vital, to perform activities such as this in the modern world, where we are exposed to a constant automated river of advertising that alters the way we think and behave, in respect to technology at all.(dispositively)

[Attachment: black_with_red_square.png]
icarolongo
Offline
joined: 03/26/2011

Abrowser is better and default in Trisquel. Use it!

But, answering your question:

This AppImage is using the key of ohfp (LibreWolf developer):

gpg --keyserver keyserver.ubuntu.com --recv-key A98C3D1364D8C16408143C2E2954CC8585E27A3F

gpg: enabled debug flags: memstat
gpg: key D2845E1305D6E801: "ohfp repo key (Repository signing key for privacyshark repo) <1813007-ohfp . users.noreply.gitlab.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: keydb: handles=2 locks=1 parse=2 get=2
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=2 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=12 cached=8 good=8 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

gpg --verify LibreWolf.x86_64.AppImage.sig

gpg: enabled debug flags: memstat
gpg: assuming signed data in 'LibreWolf.x86_64.AppImage'
gpg: Signature made Mon 28 Jul 2025 07:02:56 AM UTC
gpg:                using EDDSA key A98C3D1364D8C16408143C2E2954CC8585E27A3F
gpg: Good signature from "ohfp repo key (Repository signing key for privacyshark repo) <1813007-ohfp . users.noreply.gitlab.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 031F 7104 E932 F7BD 7416  E7F6 D284 5E13 05D6 E801
     Subkey fingerprint: A98C 3D13 64D8 C164 0814  3C2E 2954 CC85 85E2 7A3F
gpg: keydb: handles=2 locks=0 parse=3 get=3
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=1 found=3 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=12 cached=12 good=12 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks
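The two-step check icarolongo shows (import the signer's key, then gpg --verify) in script form, as an added example that is not code from the thread, from LibreWolf or from ohfp. It reads gpg's machine-readable status lines instead of its human messages, maps the "No public key" case the original poster hit to a distinct result, and pins the primary fingerprint printed in the output above rather than accepting any "Good signature". File names (FILE.sha256sum and FILE.sig beside the AppImage) and the checksum file layout are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from LibreWolf): check the
# AppImage's checksum, then read gpg's --status-fd lines to decide, and pin
# the signer's primary fingerprint instead of trusting any "Good signature".
# File names are assumed; the expected fingerprint is the primary key shown in
# the gpg output quoted in the thread.
EXPECTED_PRIMARY_FPR=031F7104E932F7BD7416E7F6D2845E1305D6E801

# Reads gpg status lines on stdin, prints "<verdict> <keyid> <primary-fpr>".
# "-" stands in for a field gpg did not report.
classify_gpg_status() {
    awk '
        BEGIN { v = ""; k = "-"; fpr = "-" }
        $1 != "[GNUPG:]" { next }
        $2 == "NO_PUBKEY" { v = "missing-key"; k = $3 }
        $2 == "BADSIG"    { v = "bad";         k = $3 }
        $2 == "EXPKEYSIG" { v = "expired-key"; k = $3 }
        $2 == "REVKEYSIG" { v = "revoked-key"; k = $3 }
        $2 == "GOODSIG"   { v = "good";        k = $3 }
        $2 == "VALIDSIG"  { fpr = $NF }   # last field: primary key fingerprint
        END { if (v == "") v = "unknown"; print v, k, fpr }
    '
}

# verify_appimage FILE: expects FILE.sha256sum and FILE.sig next to FILE.
verify_appimage() {
    img=$1
    # Integrity first: the checksum file is assumed to be "<sha256>  <name>".
    sha256sum -c "$img.sha256sum" >/dev/null 2>&1 || { echo "checksum mismatch"; return 1; }
    # Authenticity: status lines go to stdout, human-readable chatter is dropped.
    verdict=$(gpg --status-fd 1 --verify "$img.sig" "$img" 2>/dev/null | classify_gpg_status)
    set -- $verdict
    case $1 in
        good)
            # "Good signature" only means: made by this key. Pin the key.
            [ "$3" = "$EXPECTED_PRIMARY_FPR" ] && { echo "verified: signed under $3"; return 0; }
            echo "signed, but by unexpected primary key $3"; return 1 ;;
        missing-key)
            echo "signer key $2 is not in your keyring; import it, then compare its fingerprint with one the project publishes"; return 2 ;;
        *)
            echo "refusing: $1 (key $2)"; return 1 ;;
    esac
}

# Usage: sh verify.sh LibreWolf.x86_64.AppImage
if [ $# -gt 0 ]; then verify_appimage "$1"; fi
```

A signature made by the subkey A98C... reports the primary key 031F... in VALIDSIG, which is why the script pins the primary fingerprint and not the subkey.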