Librewolf update key differs from repo key?

Following the instructions from their site, in order to install Librewolf:

You should accept any prompts wanting to import the GPG key with the fingerprint 034F7776EF5E0C613D2F7934D29FBD5F93C0CFC3.

This key can/has to be imported from https://(rpm_or_deb).librewolf.net/pubkey.gpg

But, today’s update of Librewolf failed with

GPG key at https://rpm.librewolf.net/pubkey.gpg (0x93C0CFC3) is already installed
The GPG keys listed for the "LibreWolf Software Repository" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: librewolf-108.0.1-1.fc36.x86_64
 GPG Keys are configured as: https://rpm.librewolf.net/pubkey.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

$ rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

indeed produced

gpg-pubkey-93c0cfc3-615c49c7 Malte Jürgens maltejur@dismail.de public key

but

$ sudo rpm -K /var/cache/dnf/repository-ef6682679cbcc4ee/packages/librewolf-108.0.1-1.fc36.x86_64.rpm

produced

/var/cache/dnf/repository-ef6682679cbcc4ee/packages/librewolf-108.0.1-1.fc36.x86_64.rpm: digests SIGNATURES NOT OK

After unsuccessfully researching the error, only to find that it could even mean MITM or a repo takeover, I finally found

After importing the so-called Librewolf Maintainers key stated there, I also got

gpg-pubkey-2b12ef16-627f7187 LibreWolf Maintainers gpg@librewolf.net public key

And finally running checksig

$ sudo rpm --checksig /var/cache/dnf/repository-ef6682679cbcc4ee/packages/librewolf-108.0.1-1.fc36.x86_64.rpm

it produced

/var/cache/dnf/repository-ef6682679cbcc4ee/packages/librewolf-108.0.1-1.fc36.x86_64.rpm: digests signatures OK

I am still hesitant to install the update so could anyone at least confirm maintainers key above?

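As an added example, not code from the thread or from the LibreWolf project: a small Python script that reads which key actually signed a cached package (rpm's pgpsig tag) and compares it with the gpg-pubkey entries rpm has installed and with the repository's configured key, separating the three outcomes seen above (rpm -K NOT OK, rpm --checksig OK after importing the maintainers key while dnf still complains, and a package signed by the configured key). The rpm output strings and the 16-hex maintainers key ID are constructed sample data; only the short IDs and the fingerprint come from the thread.

```python
import re
import subprocess
import sys

# rpm prints the signer in the pgpsig tag as e.g.
# "RSA/SHA256, Sat 24 Dec 2022 10:00:00 AM UTC, Key ID d29fbd5f93c0cfc3"
SIG_KEY_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")
# Installed keys are pseudo-packages named gpg-pubkey-<short key id>-<import time>
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8}", re.MULTILINE)

# Constructed sample data: the short IDs and the repo fingerprint are from the
# thread; the 16-hex maintainers key ID is a placeholder, not the real key.
REPO_FINGERPRINT = "034F7776EF5E0C613D2F7934D29FBD5F93C0CFC3"
INSTALLED_BEFORE = "gpg-pubkey-93c0cfc3-615c49c7\n"
INSTALLED_AFTER = INSTALLED_BEFORE + "gpg-pubkey-2b12ef16-627f7187\n"
PKG_SIG = "RSA/SHA256, Sat 24 Dec 2022 10:00:00 AM UTC, Key ID 000000002b12ef16"


def signing_key_id(pgpsig: str) -> str:
    """Extract the 16-hex key ID of the key that signed the package."""
    m = SIG_KEY_RE.search(pgpsig)
    if m is None:
        raise ValueError(f"no 'Key ID' in pgpsig string: {pgpsig!r}")
    return m.group(1).lower()


def installed_short_ids(rpm_q_output: str) -> set[str]:
    """Short (low 32-bit) key IDs rpm knows, from `rpm -q gpg-pubkey` output."""
    return {m.group(1) for m in PUBKEY_RE.finditer(rpm_q_output)}


def classify(pgpsig: str, rpm_q_output: str, repo_fingerprint: str) -> tuple[str, str]:
    """Explain a GPG check result. Verdicts:
    ok            signer is the key the repo config advertises and it is installed
    not-installed rpm has no gpg-pubkey for the signer, so rpm -K reports NOT OK
    other-key     signer is installed (rpm -K passes) but is not the repo's
                  configured key, so dnf still refuses; trust in that key has to
                  be established out of band before updating"""
    key = signing_key_id(pgpsig)
    if key[-8:] not in installed_short_ids(rpm_q_output):
        return "not-installed", key
    if key != repo_fingerprint.lower().replace(" ", "")[-16:]:
        return "other-key", key
    return "ok", key


if __name__ == "__main__":  # real run on a Fedora host: python3 this.py pkg.rpm
    sig = subprocess.check_output(
        ["rpm", "-qp", "--qf", "%{RSAHEADER:pgpsig}", sys.argv[1]], text=True)
    keys = subprocess.check_output(["rpm", "-q", "gpg-pubkey"], text=True)
    print(classify(sig, keys, REPO_FINGERPRINT))
```

The `%{RSAHEADER:pgpsig}` query covers RSA-signed packages; a DSA-signed package would need `%{DSAHEADER:pgpsig}` instead.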

Humans don’t confirm pgp keys, key servers do …

Like these:

http://pgp.mit.edu + gpg@librewolf.net
https://keyserver.ubuntu.com + gpg@librewolf.net

You again didn’t understand what I meant, or you are doing it deliberately.

Now I’m asking you, as you demanded from me: please do not react on my posts if not specifically addressed. And you won’t be.


I read and re-read your post a few times. Apologies if the answer you received to the question you asked was not what you wanted, but this is a tried and true way to verify a pgp key.

It seems that you are confused about Malte’s key and in general as to how pgp keys, sub-keys, IDs & fingerprints work.

Public key infrastructure or, as it is commonly referred to, PKI can be a bit confusing for many novice computer users, but the World Wide Web is abundant with MANY great resources for learning about it and finding the answers many beginners have regarding implementation(s) of it. If the WWW is not one’s cup of tea, the study guide for CompTIA’s seminal security basics/101 Security+ (SY0-601) exam has an entire chapter titled “Cryptography and the Public Key Infrastructure” and can be found in many public libraries as well as via one’s preferred online book vendor.

In an effort to assist users like yourself, the Ubuntu keyserver is a bit more beginner friendly/explicit in what is returned via the web UI. If the https://keyserver.ubuntu.com + gpg@librewolf.net link provided above is used, one is able to drill down to Malte’s key under sub-keys via d29fbd5f93c0cfc3.

Hope this helps make you happy :smirk_cat:

For reference, here is a very thoughtfully detailed, recent post from last month by a user on these forums that offers advice on how best to ask questions on forums:


You may want to consider Firefox ESR with a user.js file instead. If you have a way to check dns requests like pihole, you’ll likely notice that Librewolf is noisier. Firefox ESR is also less maintenance and probably easier to trust than a niche project like Librewolf.


@cayce please cut the bullshit with your passive-aggressive “replies” to enmus. You are wasting my time, and being annoying with your f’ed up attitude in this forum. Your replies are nothing but attempts at stirring useless (and tiring) drama.

@tanky0u

Honestly, I’ve truly no idea what you’re on about, both replies are succinct solutions to the questions asked stated clearly & concisely, falling well within the bounds of both the CoC & the forum guidelines.

Whereas yours clearly does not.

Per the If You See a Problem, Flag It section of the forum guidelines, I would flag this post but, @mods have made it crystal clear via (lack of) action as well as written that they’ve no intention of upholding the standards set forth in the CoC or the forum guidelines whenever my postings are involved.

Born of bemusement

Nothing is forcing you or anyone else to read my helpful replies. I don’t know what your or anyone else’s problem with me posting technically accurate solutions, for all users, for free, might be. Is it simply because you feel you’ve less opportunity to fantasize, speculate & opine about technical details/solutions within computing systems? You are still free to do so! As I also have the opportunity to interject alternate perspectives.

In light of your post above and as someone who witnessed the “Tank Man” incident in real-time, the absurdity of your confusion of what 王维林 now represents and your personal appropriation of him is not lost on me.

Overall, the hazing experience here thus far for me is something out of “new kid in town” cinema like, Stranger Things, Clueless or even Footloose! In the immortal words of Kenny Loggins:

You’re playing so cool
Obeying every rule
Deep way down in your heart
You’re burning yearning for some
Somebody to tell you
That life ain’t passing you by
I’m trying to tell you
It will if you don’t even try

You can fly if you’d only cut loose, footloose
Kick off your Sunday shoes
Oo-wee, Marie, shake it, shake it for me
Whoa, Milo, come on, come on let’s go
Lose your blues, everybody cut footloose

Yeah, ooooh-oh-oh
(Cut footloose)
Yeah, ooooh-oh-oh
(Cut footloose)
Yeah, ooooh-oh-oh
(Cut footloose)
Oooooooooh

I offer a dissenting view here.

I find @enmus question to be completely valid as part of validation under a web of trust model.

PGP was - way way way back before such things as key servers even existed, when some of us relied on PGP and remailers like anon.penet.fi - only really viable by relying on direct person-to-person keyex, or a web of trust. That it’s not machine-based is, I note, actually important enough to have its own subsection on the Wikipedia article @cayce has linked.

Now, if @enmus threat model is such that they would accept replies from members of this community that they trust, to vouch for the maintainers’ PGP key as part of a web of trust, that is a wholly viable approach to using PGP signing keys.

Of course, there are plenty of “whataboutism” replies to “web of trust” approaches. Anyone here who is an old salt has heard them all. There are some very valid problems with web of trust, which are equally as well known.


Seems relevant:


Thanks for the responses. Not to say that it’s not about the step (validating the key), but about the goal (should you update Librewolf at all, considering the circumstances, especially how one discovers what actually needs to be done in order to update it, and how nontransparent that is).


Agreed.

Now, I’m not involved with that project so cannot confirm to you as a web of trust if the GPG signing key is valid.

Perhaps others in the community could?
