Where are the signature Files?

Hi Brave support team, I hope you are all well.

I’ll be quick.

In the process of downloading .deb packages for Linux, or .apk files for Android, etc., how can I verify installation files without access to signature files of each of these installation files supposedly signed by Brave devs?

I mean, I can download your Public Keys (or signing keys at -> https://brave.com/signing-keys/ ) and receive their respective KeyIDs from keyservers, but can’t verify your installation files if I have no access to .asc or .sig files of each specific Brave release, its beta, or its nightly installation file in their different versions (as it seems those .asc or .sig files are not available to the public).

Hope you can help me to find how to do it. Sorry if this is nonsense to you.

Hugs!

Al

No idea, check their GitHub readme or wiki

I did it before signing up to post here, dear friend.
What else to do? Wait here for a response, or is there any other address or contact email that I can reach for the right answer?

@PatioSale

I was expecting SHA 256 / 512 info, but found what you did

https://brave.com/signing-keys/

Something like:

Yes, after visiting that URL and viewing those signing keys I could learn that the Brave Browser release versions' PGP key ID is: keyid 0BB75829C2D4E821; the Beta, Dev and Nightly PGP key ID is: keyid 0B31DBA06A8A26F9.
The main purpose of those signing keys is for Brave devs to sign installation files for everybody’s benefit of distinguishing original files from fake ones.
For example, the only way for them to sign brave-browser-nightly_1.40.57_amd64.deb is with the 0B31DBA06A8A26F9 secret key. The way to do that is by creating a new signature file brave-browser-nightly_1.40.57_amd64.deb.asc (with .asc or .sig extension). For that, devs should run (Linux):

gpg --local-user "Brave Software" --output brave-browser-nightly_1.40.57_amd64.deb.asc --detach-sign brave-browser-nightly_1.40.57_amd64.deb

Then users could verify each version against their signature file:

gpg --verify --armour brave-browser-nightly_1.40.57_amd64.deb.asc brave-browser-nightly_1.40.57_amd64.deb

So, I’m looking for where those signature files are, in order for me to install Brave Browser with all confidence. Thanks for any help.

Yes. After visiting that URL, I inspected both signing keys, and deduced that the Brave Release signing key has a public keyid: 0BB75829C2D4E821; the Beta, Dev and Nightly signing key has a public keyid: 0B31DBA06A8A26F9

The main purpose of those public keyids is for Brave devs to digitally sign each installation file with its corresponding secret keys in order to stamp them ‘as originals’ (and subsequently create a file for each with the same name but adding .asc or .sig extensions at the end), for the benefit of Brave users to differentiate these installation files from potential fake ones.

For example:
Brave Browser’s version: brave-browser-nightly_1.40.57_amd64.deb
could be signed by keyid 0B31DBA06A8A26F9 , as this is the signing key Brave devs have assigned for their Nightly versions.

For this example, Brave devs could sign this installation file by using this command (e.g. on Linux):

kali@linux:~$ gpg --local-user 0B31DBA06A8A26F9 --output brave-browser-nightly_1.40.57_amd64.deb.asc --detach-sign brave-browser-nightly_1.40.57_amd64.deb

For this installation file (.deb extension at the end), what I’m looking for is its signature file (.asc extension at the end, which is missing in Brave’s webpage and GitHub); in this example it would be: brave-browser-nightly_1.40.57_amd64.deb.asc

To download the keyid from keyservers, it could be:

kali@linux:~$ gpg --keyserver hkps://keyserver.ubuntu.com/ --receive-keys 0B31DBA06A8A26F9

Checking against the brave-browser-nightly_1.40.57_amd64.deb.asc signature file, and after downloading the 0B31DBA06A8A26F9 keyid from keyservers, all Brave users could then verify that its installation file is the real deal, and not a fake one, by using this command (e.g. on Linux):

kali@linux:~$ gpg --verify --armour brave-browser-nightly_1.40.57_amd64.deb.asc brave-browser-nightly_1.40.57_amd64.deb

And the result should be something like:

Good signature

So, what I’m looking for is where these signature files are.
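
A "Good signature" line only says that some key in the local keyring verified the file, so a scripted check should also pin which key signed it. The sketch below is an added example, not written by any poster above and not Brave's tooling; it assumes a detached .asc like the hypothetical one in the thread exists, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not Brave's tooling). EXPECTED_KEYID is the Nightly key ID
# quoted in the thread; a full fingerprint from the signing-keys page is a
# stronger pin and works here unchanged.
EXPECTED_KEYID="0B31DBA06A8A26F9"

# check_status PIN: read `gpg --status-fd` lines on stdin. Succeed only if a
# VALIDSIG line names a signing key or primary key whose fingerprint ends in
# PIN, and no bad, expired or revoked signature status was reported.
check_status() {
    [ -n "$1" ] || return 1
    awk -v want="$1" '
        function ends_with(s, suf) {
            if (length(s) < length(suf)) return 0
            return substr(s, length(s) - length(suf) + 1) == suf
        }
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            if (ends_with(toupper($3), want) || ends_with(toupper($12), want)) ok = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_release SIGFILE DATAFILE: the public key must already be imported
# (the --receive-keys step in the thread). Status lines go to stdout.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_KEYID"
}

# Constructed status lines (not real gpg output) for a signature by FPR ($1).
sample_status() {
    printf '[GNUPG:] GOODSIG %s Constructed <x@example.invalid>\n' "$1"
    printf '[GNUPG:] VALIDSIG %s 2022-06-01 1654041600 0 4 0 1 10 00 %s\n' "$1" "$1"
}

# Usage: sh verify.sh FILE.deb.asc FILE.deb
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" || { echo "REJECTED: signer is not $EXPECTED_KEYID" >&2; exit 1; }
    echo "OK: valid signature from key ending in $EXPECTED_KEYID"
fi
```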