Signature of download provided, but key isn't

[gavinwy]

Creating a feature request

Is your feature request related to a problem? Please describe:

When I'm downloading software from the internet, and a PGP signature is offered, I usually check the signature. In this case I downloaded the signature, but was unable to quickly find the key. I had to find it on a public keyserver and manually import it, and I'm not 100% sure I have the right key.

Describe the solution you'd like:

Some indication on the download page or in the documentation on how to verify the signature and which PGP key will be used to sign the releases.

Describe alternatives you've considered:

Additional context

I quickly double checked a couple other Linux distros, and Arch has on its download page, a link to where you can download the public key used to sign the releases, and Linux Mint has on its download page, instructions on multiple ways to verify the signature, and the full fingerprint of the key that will be used to sign the releases. I think some more information or clarity in the DietPi documentation would save time, and assure people that the signature they're checking the file against was signed with the correct key. The key I found, that I'm assuming is correct is 0xC2C4D1DEF7C96C6EDF3937B2536B2A4A2E72D870.

[MichaIng]

You are right, we always wanted to add a section in the docs, and link it from the website as well. You can find the public key chain at:

• https://github.com/MichaIng.gpg
• https://keyserver.ubuntu.com/pks/lookup?search=micha@dietpi.com&fingerprint=on&op=index
• https://keys.openpgp.org/search?q=micha@dietpi.com

0xC2C4D1DEF7C96C6EDF3937B2536B2A4A2E72D870 is one of them, the one used by GitHub Actions to sign the images. There are two other sub keys, mostly used to sign Git commits from two other systems.