All cryptographic signatures published by Yi, the developer is 'FengYi.Tel Security Team', key-ID:
0FEB F674 EAD2 3E05
DBBC 8D7B B64C 4648 A70A EA18 0FEB F674 EAD2 3E05
You should verify that the signature matches the file you downloaded.
.ascThere are files containing PGP signatures. After putting them in the same folder, you can verify the signature:
$ gpg --verify [ file name ].asc gpg: Can't check signature: public key not found
Latest public keyAnd import the key:
$ wget --no-check-certificate https://fengyi.tel/yi.asc && gpg --import yi.asc $ curl https://fengyi.tel/yi.asc | gpg --import # Or import keys using command line after manual download $ gpg --import yi.asc
$ gpg --keyserver keys.gnupg.net --recv-keys DBBC8D7BB64C4648A70AEA180FEBF674EAD23E05
gpg: no ultimately trusted keys found
$ gpg --verify [ file name ].asc gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner." [full]
The problem here is that anyone can use that name to publish the key. You need to ensure that the key is actually owned by the person mentioned. The GNU Privacy Manual is in the "Verify other keys on the public key ring" Covers this topic. The most reliable way is to meet with the developers in person and exchange key fingerprints, but you can also rely on a network of trust. This way, you can do so by signing from someone else who has encountered the developer in person Pass the trusted key.
$ gpg --verify [ file name ].asc gpg: Good signature from "FengYi.Tel Security Team <firstname.lastname@example.org>> [full]
$ gpg --verify [ file name ].asc gpg: BAD signature from "FengYi.Tel Security Team <email@example.com>> [full]
$ gpg --delete-key DBBC8D7BB64C4648A70AEA180FEBF674EAD23E05