Yes. After visiting that URL, I inspected both signing keys and deduced that the Brave Release signing key has public keyid 0BB75829C2D4E821; the Beta, Dev and Nightly signing key has public keyid 0B31DBA06A8A26F9.
The main purpose of those public keyids is for Brave devs to digitally sign each installation file with its corresponding secret key in order to stamp them ‘as originals’ (and subsequently create a file for each with the same name but adding a .asc or .sig extension at the end), for the benefit of Brave users to differentiate these installation files from potential fake ones.
For example:
Brave Browser’s version brave-browser-nightly_1.40.57_amd64.deb could be signed by keyid 0B31DBA06A8A26F9, as this is the signing key Brave devs have assigned for their Nightly versions.
For this example, Brave devs could sign this installation file by using this command (e.g. on Linux):
kali@linux:~$ gpg --local-user 0B31DBA06A8A26F9 --output brave-browser-nightly_1.40.57_amd64.deb.asc --detach-sign brave-browser-nightly_1.40.57_amd64.deb
For this installation file (.deb extension at the end), what I’m looking for is its signature file (.asc extension at the end, which is missing on Brave’s webpage and GitHub); in this example it would be: brave-browser-nightly_1.40.57_amd64.deb.asc
To download the keyid from keyservers, the command could be:
kali@linux:~$ gpg --keyserver hkps://keyserver.ubuntu.com/ --receive-keys 0B31DBA06A8A26F9
With the brave-browser-nightly_1.40.57_amd64.deb.asc signature file in hand, and after downloading keyid 0B31DBA06A8A26F9 from keyservers, all Brave users could then verify that the installation file is the real deal, and not a fake one, by using this command (e.g. on Linux):
kali@linux:~$ gpg --verify --armour brave-browser-nightly_1.40.57_amd64.deb.asc brave-browser-nightly_1.40.57_amd64.deb
And the result should be something like:
Good signature
So, what I’m looking for is where these signature files are.
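
The verification step described in the post, as an added example that is not part of the original post or Brave's tooling: "Good signature" only says that some key in the local keyring signed the file, so this script reads gpg's machine-readable status lines and also checks which key made the signature. The function names and the sample status text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed gpg --status-fd samples. The 40-hex fingerprints are made up;
# only their last 16 digits reuse a key ID quoted in the post.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0B31DBA06A8A26F9 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000B31DBA06A8A26F9 2022-05-20 1653004800 0 4 0 1 8 00 0000000000000000000000000B31DBA06A8A26F9'
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2022-05-20 1653004800 0 4 0 1 8 00 1111111111111111111111111111111111111111'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0B31DBA06A8A26F9 Example Signer <signer@example.invalid>'

# verify_status STATUS_TEXT EXPECTED_KEYID   (hypothetical helper)
# Returns 0 only if a VALIDSIG line names a signing-key or primary-key
# fingerprint ending in EXPECTED_KEYID and no failure status is present.
verify_status() {
    status=$1
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')

    # Any of these status codes means the signature must not be accepted.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '; then
        return 1
    fi

    # VALIDSIG: field 3 is the signing key fingerprint, the last field is
    # the primary key fingerprint (they differ when a subkey signed).
    printf '%s\n' "$status" | awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            signer = toupper($3); primary = toupper($NF)
            if (substr(signer, length(signer) - length(want) + 1) == want ||
                substr(primary, length(primary) - length(want) + 1) == want)
                found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# verify_file SIGNATURE FILE EXPECTED_KEYID   (hypothetical helper)
# Needs gpg and the public key already imported into the keyring.
verify_file() {
    verify_status "$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)" "$3"
}
```

Once a signature file is available, `verify_file brave-browser-nightly_1.40.57_amd64.deb.asc brave-browser-nightly_1.40.57_amd64.deb 0B31DBA06A8A26F9` returns success only for a valid signature from that key. Comparing the full 40-digit fingerprint obtained from a trusted source is stronger than comparing a 16-digit key ID.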