Where are the signature Files?

Hi Brave support team, I hope you are all well.

I’ll be quick.

In the process of downloading .deb packages for Linux, or .apk files for Android, etc., how can I verify installation files without access to signature files of each of these installation files supposedly signed by Brave devs?

I mean, I can download your Public Keys (or signing keys at —> https://brave.com/signing-keys/ ) and receive their respective KeyIDs from keyservers, but can’t verify your installation files if I have no access to the .asc or .sig files of each specific Brave release, its beta, or its nightly installation file in their different versions (as it seems those .asc or .sig files are not available to the public).

Hope you can help me find out how to do it. Sorry if this is nonsense to you.

Hugs!

Al


No idea, check their GitHub readme or wiki

I did it before signing up to post here, dear friend.
What else is there to do? Wait here for a response, or is there any other address or contact email that I can reach for the right answer?

@PatioSale

I was expecting SHA 256 / 512 info, but found what you did

https://brave.com/signing-keys/

Something like:

Yes. After visiting that URL, I inspected both signing keys, and deduced that the Brave Release signing key has a public keyid: 0BB75829C2D4E821 ; the Beta, Dev and Nightly signing key has a public keyid: 0B31DBA06A8A26F9

The main purpose of those public keyids is for Brave devs to digitally sign each installation file with its corresponding secret keys in order to stamp them ‘as originals’ (and subsequently create a file for each with the same name but adding .asc or .sig extensions at the end), for the benefit of Brave users to differentiate these installation files from potential fake ones.

For example:
Brave Browser’s version: brave-browser-nightly_1.40.57_amd64.deb
could be signed by keyid 0B31DBA06A8A26F9 , as this is the signing key Brave devs have assigned for their Nightly versions.

For this example, Brave devs could sign this installation file by using this command (i.e. Linux):

kali@linux:~$ gpg --local-user 0B31DBA06A8A26F9 --output brave-browser-nightly_1.40.57_amd64.deb.asc --detach-sign brave-browser-nightly_1.40.57_amd64.deb

For this installation file (.deb extension at the end), what I’m looking for is its signature file (.asc extension at the end - which is missing in Brave’s webpage and GitHub); in this example it would be: brave-browser-nightly_1.40.57_amd64.deb.asc

To download the keyid from keyservers, it could be:

kali@linux:~$ gpg --keyserver hkps://keyserver.ubuntu.com/ --receive-keys 0B31DBA06A8A26F9

Confronting the brave-browser-nightly_1.40.57_amd64.deb.asc signature file, and after downloading the 0B31DBA06A8A26F9 keyid from keyservers, all Brave users could then verify that its installation file is the real deal -and not a fake one- by using this command (i.e. Linux):

kali@linux:~$ gpg --verify --armour brave-browser-nightly_1.40.57_amd64.deb.asc brave-browser-nightly_1.40.57_amd64.deb

And the result should be something like:

Good signature

So, what I’m looking for is where these signature files are.

I hope there is an answer soon.
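Added example, not part of the original posts and not Brave's own tooling: gpg reports "Good signature" for any key present in the keyring, so once a detached signature is available the check should also pin the signer. This sketch reads gpg's `--status-fd` output and accepts only a VALIDSIG from the key ID quoted in the thread; the function names and the sample status lines (filler fingerprints) are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a gpg verification only if the pinned key made it.

# signer_matches KEYID  (reads gpg --status-fd lines on stdin)
# Succeeds only when a VALIDSIG line carries a signing-key or primary-key
# fingerprint ending in KEYID and no failure status line is present.
signer_matches() {
    case "$1" in ''|*[!0-9A-Fa-f]*) return 2 ;; esac
    [ "${#1}" -ge 16 ] || return 2      # refuse short (32-bit) key IDs
    awk -v want="$1" '
        function ends_with(fpr) {
            return length(fpr) >= length(want) &&
                   substr(fpr, length(fpr) - length(want) + 1) == want
        }
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: $3 is the fingerprint of the key that signed,
        # the last field is the fingerprint of its primary key.
        $2 == "VALIDSIG" && (ends_with($3) || ends_with($NF)) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release FILE SIGNATURE KEYID: run gpg, then apply the pin.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        signer_matches "$3"
}

# Constructed status output; the fingerprints are filler plus a key ID.
NIGHTLY_KEYID=0B31DBA06A8A26F9          # key ID quoted in the thread
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0B31DBA06A8A26F9 Constructed Signer
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAA0B31DBA06A8A26F9 2022-06-01 1654041600 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAA0B31DBA06A8A26F9'
# A cryptographically good signature, but from an unrelated key.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Someone Else
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBB1111111111111111 2022-06-01 1654041600 0 4 0 1 8 00 BBBBBBBBBBBBBBBBBBBBBBBB1111111111111111'

for s in "$SAMPLE_PINNED" "$SAMPLE_OTHER"; do
    if printf '%s\n' "$s" | signer_matches "$NIGHTLY_KEYID"
    then echo "accepted"; else echo "rejected"; fi
done
```

With real files the call would be `verify_release brave-browser-nightly_1.40.57_amd64.deb brave-browser-nightly_1.40.57_amd64.deb.asc 0B31DBA06A8A26F9`; pinning the full 40-character fingerprint instead of the 16-character key ID is stricter and is accepted by the same function.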

Still waiting for a reply from devs…

@PatioSale Hi and belated welcome to the community. 🙂

Tagging @Mattches, a community moderator, for you. Hopefully, he will drop in and respond. If you do not get a response, you could also try creating an issue report at Brave GitHub especially if you think this information should be freely available to the public. Getting access to that sort of information may require some sort of registration, verification, or other information which would most likely be available through Brave GitHub and not Brave Community.
