Hi there.
I’m writing a script to be used in Debian systems.
I need to verify the SHA256 checksum for a given .deb package, which is signed with a corresponding .asc file, but I can’t find the public key associated with it.
In case it’s not clear, I’m talking about the .deb packages that can be found, for example, on a page like the following:
For example, for a given .deb file (brave-browser_1.58.135_amd64.deb), there are two related files, the one with the checksum (brave-browser_1.58.135_amd64.deb.sha256) and the one with the signature (brave-browser_1.58.135_amd64.deb.sha256.asc).
There’s the following place: https://brave.com/signing-keys/
But keys can’t be directly downloaded (are we supposed to copy-paste them manually?)
I was wondering if there’s an official place where I could directly download the signing keys for a given checksum.
I tried importing the Brave keyring ( https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg ) but apparently they’re using a different key for the releases that can be found on GitHub.
Could anybody help me?
Thanks.
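
A fail-closed version of the check described in the post, as an added example that is not part of the original post and is not Brave's own tooling. It assumes the release key has been saved to a local file and its fingerprint confirmed out of band (both are placeholders supplied by the caller), and that the first field of the `.sha256` file is the hex digest.

```shell
#!/bin/sh
# verify_deb KEY_FILE EXPECTED_FPR DEB
# Expects DEB.sha256 and DEB.sha256.asc beside DEB. Returns 0 only when the
# signature is good, comes from EXPECTED_FPR, and the SHA-256 matches.
# KEY_FILE and EXPECTED_FPR are assumptions: a key saved locally and its
# 40-hex-digit fingerprint, both obtained and checked out of band.
verify_deb() {
    key_file=$1; expected_fpr=$2; deb=$3
    sums="$deb.sha256"
    sig="$sums.asc"
    for f in "$key_file" "$deb" "$sums" "$sig"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }

    # Throwaway keyring: only the key in KEY_FILE can validate the signature,
    # regardless of what the user's or system's keyrings contain.
    home=$(mktemp -d) || return 2
    status=$(
        GNUPGHOME=$home gpg --batch --quiet --import "$key_file" 2>/dev/null &&
        GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null
    ) || true
    rm -rf "$home"

    # Require GOODSIG (not expired or revoked) and a VALIDSIG whose signing-key
    # or primary-key fingerprint equals the pinned one.
    printf '%s\n' "$status" | awk -v want="$expected_fpr" '
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        END { exit (good && pinned) ? 0 : 1 }' ||
        { echo "signature not made by pinned key" >&2; return 1; }

    # Trust the checksum file only now that its signature has been verified.
    # Assumption: the first whitespace-separated field is the hex digest.
    want_hash=$(awk 'NR == 1 { print tolower($1) }' "$sums")
    got_hash=$(sha256sum "$deb" | awk '{ print $1 }')
    [ -n "$want_hash" ] && [ "$want_hash" = "$got_hash" ] ||
        { echo "checksum mismatch" >&2; return 1; }
    return 0
}

# Stand-alone use: script.sh KEY_FILE EXPECTED_FPR DEB
if [ "$#" -eq 3 ]; then
    verify_deb "$@"
fi
```

Comparing only the checksum, or accepting any good signature from whatever keys happen to be in the keyring, would not tie the package to the intended signer; the pinned fingerprint is what does that.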