Verifying files distributed by Yi

When files are shared over the Internet, it is important to be able to verify that the copy you received is the one officially distributed.

All cryptographic signatures published by Yi are made with the developer key 'FengYi.Tel Security Team', key ID:

0FEB F674 EAD2 3E05

PGP fingerprint:

DBBC 8D7B B64C 4648 A70A EA18 0FEB F674 EAD2 3E05

You should verify that the signature matches the file you downloaded.

Every file comes with a .asc file containing its PGP signature. After putting both in the same folder, you can verify the signature:

$ gpg --verify [ file name ].asc

gpg: Can't check signature: public key not found

As you can see, gpg reports that it does not know the public key. At this point, do one of the following:

1. Download the latest public key from the official site and import it:

Download and import online:

$ wget --no-check-certificate && gpg --import yi.asc
$ curl | gpg --import

# Or import the key from the command line after downloading it manually
$ gpg --import yi.asc

2. Download and import the key from one of the key servers:

$ gpg --keyserver --recv-keys DBBC8D7BB64C4648A70AEA180FEBF674EAD23E05

After importing the key, gpg warns that it has found no ultimately trusted key:

gpg: no ultimately trusted keys found

At this point you can verify that the signature was made by the specified key, but you still cannot trust the name attached to that key:

$ gpg --verify [ file name ].asc

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

The problem here is that anyone can publish a key under that name. You need to make sure the key actually belongs to the person named. The GNU Privacy Handbook covers this topic in the section "Validating other keys on your public keyring". The most reliable way is to meet the developer in person and exchange key fingerprints, but you can also rely on the web of trust: the key becomes trusted once it has been signed by someone you already trust who has met the developer in person.

Once the key is trusted, no warning occurs:

$ gpg --verify [ file name ].asc

gpg: Good signature from "FengYi.Tel Security Team <>" [full]

If the signature is invalid (the archive has changed), you get a clear error whether the key is trusted or not:

$ gpg --verify [ file name ].asc

gpg: BAD signature from "FengYi.Tel Security Team <>" [full]

After that, you can delete the public key:

$ gpg --delete-key DBBC8D7BB64C4648A70AEA180FEBF674EAD23E05
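The procedure above, scripted as an added example that is not part of the original page: it pins the published fingerprint, confirms the imported key actually carries it, and reads gpg's machine-readable status output instead of the human-readable name, so a "Good signature" from some other key with the same name is not mistaken for a good result. It assumes gpg is installed and that the downloaded file and its .asc signature sit side by side.

```shell
#!/bin/sh
# Added example, not from the original page. Verifies a file against its detached
# .asc signature and checks that the signing key has the fingerprint this page
# publishes, rather than trusting the owner name gpg prints. Assumes gpg is installed.
EXPECTED_FPR="DBBC8D7BB64C4648A70AEA180FEBF674EAD23E05"   # from this page

# Strip spaces and uppercase, so the spaced fingerprint shown on the page compares equal.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read gpg --status-fd lines on stdin and print one verdict:
#   GOOD      valid signature from the expected key (signing subkey or its primary key)
#   WRONGKEY  valid signature, but from some other key (a matching name proves nothing)
#   BAD       signature does not match the file contents
#   NOKEY     signing key not in the keyring ("public key not found")
#   UNKNOWN   anything else, e.g. no signature data at all
classify_status() {
  expected=$(norm_fpr "$1")
  result="UNKNOWN"
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] BADSIG "*)    result="BAD";   break ;;
      "[GNUPG:] NO_PUBKEY "*) result="NOKEY"; break ;;
      "[GNUPG:] VALIDSIG "*)
        # field 3 = fingerprint of the key that made the signature,
        # last field = fingerprint of its primary key (gpg 2.x appends it)
        sigkey=$(printf '%s\n' "$line" | awk '{print $3}')
        primary=$(printf '%s\n' "$line" | awk '{print $NF}')
        if [ "$(norm_fpr "$sigkey")" = "$expected" ] || [ "$(norm_fpr "$primary")" = "$expected" ]
        then result="GOOD"; else result="WRONGKEY"; fi ;;
    esac
  done
  printf '%s\n' "$result"
}

# After 'gpg --import', confirm the imported key really carries the published fingerprint.
imported_key_matches() {
  gpg --with-colons --fingerprint "$EXPECTED_FPR" 2>/dev/null \
    | awk -F: '/^fpr:/ {print $10; exit}' | grep -qx "$EXPECTED_FPR"
}

# Verify "$1" against "$1.asc"; naming the data file explicitly stops gpg guessing it.
verify_file() {
  gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | classify_status "$EXPECTED_FPR"
}
```

Typical use is `imported_key_matches && verify_file yi-release.tar.gz`, treating any verdict other than GOOD as a failed download.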