I had a somewhat difficult time tracking down the LibreOffice OpenPGP signing key. The signing public key is handy for verifying the integrity and authenticity of a download such as an installation or update to the office suite. I am still unsure of which key is the right one since there does not seem to be a note of their key fingerprint on their website that I can see.
So if anyone is looking for their key to check if your download is authentic, then here is what I found.
I searched until I found this forum page: https://ask.libreoffice.org/t/where-is-the-signing-public-gpg-pgp-key-the-libreoffice-webpage/11606
That lead me to this mailing list archive: https://listarchives.libreoffice.org/global/users/2013/msg00712.html
Then the referenced key-server page would not connect securely due to some SSL error so I searched here: https://pgp.mit.edu/
I searched for the referenced keyID... not the full fingerprint because that was not something I could find. Here is the key ID and search result:
- Key ID: F434 A1EF AFEE AEA3
- Search result: https://pgp.mit.edu/pks/lookup?search=0xF434A1EFAFEEAEA3&op=index
- Search result when opened: https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF434A1EFAFEEAEA3
- The key can be downloaded here: https://pgp.mit.edu/pks/lookup?op=get&search=0xF434A1EFAFEEAEA3
The file you can download has the fingerprint: C2839ECAD9408FBE9531C3E9F434A1EFAFEEAEA3
Which with spaces is: C283 9ECA D940 8FBE 9531 C3E9 F434 A1EF AFEE AEA3
If anyone has any confirmation of this fingerprint belonging to the LibreOffice people then please let me know so I can revise this post and show that it can be trusted.
If anyone has a trusted fingerprint and thinks this one is bogus or forged... then DEFINETLY let me know so I can revise this page and show which one is real
However, it did verify a GPG signature of my last download from the LibreOffice website so it's probably a legitimate key.
No comments:
Post a Comment