The release version of TurrisOS 7.0.0 medkit, downloaded from https://repo.turris.cz/archive/7.0.0/medkit/mox-medkit-202404020445.tar.gz, contains these verification keys:
$ tar -tvf mox-medkit-202404020445.tar.gz | grep /etc/updater/keys/
drwxr-xr-x root/root 0 2024-04-02 02:46 ./etc/updater/keys/
-rw-r--r-- root/root 566 2022-07-25 10:40 ./etc/updater/keys/test.pub.sig
-rw-r--r-- root/root 566 2022-07-25 10:40 ./etc/updater/keys/release.pub.sig
-rw-r--r-- root/root 101 2022-07-25 10:40 ./etc/updater/keys/release.pub
-rw-r--r-- root/root 96 2022-07-25 10:40 ./etc/updater/keys/test.pub
-rw-r--r-- root/root 101 2022-07-25 10:40 ./etc/updater/keys/standby.pub
-rw-r--r-- root/root 566 2022-07-25 10:40 ./etc/updater/keys/standby.pub.sig
The same files are available for download at Index of /turris-stable/root/etc/updater/keys/
The .sig files are PGP signatures. The key used for generating the signatures is Turris Deploy (Turris OS root key) <deploy@turris.cz> with the fingerprint BA6B68FACE443F6117A73F5AB03E14668D74AD6D
Details on this key:
$ gpg --list-keys BA6B68FACE443F6117A73F5AB03E14668D74AD6D
pub rsa4096/0xB03E14668D74AD6D 2018-11-28 [SC] [expires: 2028-11-25]
BA6B68FACE443F6117A73F5AB03E14668D74AD6D
uid [ unknown] Turris Deploy (Turris OS root key) <deploy@turris.cz>
sub rsa4096/0x8D813712279A3E2F 2018-11-28 [S] [expired: 2020-11-27]
A0C156FF9832E8B4A7F10DEC8D813712279A3E2F
sub rsa4096/0xD74BD1A4D2B2511C 2018-11-28 [S] [expired: 2020-11-27]
139910FD19F2FB2F45C5C1ACD74BD1A4D2B2511C
sub rsa4096/0x1854BE778FD12E0F 2018-11-28 [E] [expires: 2028-11-25]
3154BC7FC23A84F13E52868C1854BE778FD12E0F
Where do I find some authoritative statement that that’s the trusted key?
Additionally, the key is now expired.
For the release key:
$ gpg --verify release.pub.sig release.pub
gpg: Signature made Wed Nov 28 13:07:11 2018 UTC
gpg: using RSA key A0C156FF9832E8B4A7F10DEC8D813712279A3E2F
gpg: Good signature from "Turris Deploy (Turris OS root key) <deploy@turris.cz>" [unknown]
gpg: Note: This key has expired!
BA6B68FACE443F6117A73F5AB03E14668D74AD6D
A0C156FF9832E8B4A7F10DEC8D813712279A3E2F
For the standby key:
$ gpg --verify standby.pub.sig standby.pub
gpg: Signature made Wed Nov 28 13:07:14 2018 UTC
gpg: using RSA key A0C156FF9832E8B4A7F10DEC8D813712279A3E2F
gpg: Good signature from "Turris Deploy (Turris OS root key) <deploy@turris.cz>" [unknown]
gpg: Note: This key has expired!
BA6B68FACE443F6117A73F5AB03E14668D74AD6D
A0C156FF9832E8B4A7F10DEC8D813712279A3E2F
For the test key:
$ gpg --verify test.pub.sig test.pub
gpg: Signature made Wed Nov 28 13:07:17 2018 UTC
gpg: using RSA key A0C156FF9832E8B4A7F10DEC8D813712279A3E2F
gpg: Good signature from "Turris Deploy (Turris OS root key) <deploy@turris.cz>" [unknown]
gpg: Note: This key has expired!
BA6B68FACE443F6117A73F5AB03E14668D74AD6D
A0C156FF9832E8B4A7F10DEC8D813712279A3E2F
On GPG key expired (#892) · Issues · Turris / Turris OS / Turris OS packages · GitLab, they say that the PGP key is not used anymore. But if that’s the case, then the .sig files should be removed from the medkit and from Index of /turris-stable/root/etc/updater/keys/
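Added example (not part of the original post and not Turris code): a scripted version of the checks above that reads gpg's machine-readable --status-fd output instead of its human-readable messages, so that "good signature from an expired subkey" and "signed under a different primary key" are told apart. The function names and the sample status lines are constructed for illustration; the pinned fingerprint is the one quoted in the post, and whether it is the authoritative trust anchor is the open question there.

```sh
#!/bin/sh
# Primary-key fingerprint quoted in the post (assumed trust anchor).
PINNED=BA6B68FACE443F6117A73F5AB03E14668D74AD6D

# Reads "[GNUPG:] ..." status lines on stdin, prints one verdict:
#   good | expired-key | expired-sig | revoked-key | unpinned-key | bad
classify_status() {
    awk -v pinned="$1" '
        $1 != "[GNUPG:]"                 { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "GOODSIG"                  { state = "good" }
        $2 == "EXPKEYSIG"                { state = "expired-key" }
        $2 == "EXPSIG"                   { state = "expired-sig" }
        $2 == "REVKEYSIG"                { state = "revoked-key" }
        # VALIDSIG: $3 is the signing (sub)key, $12 the primary key.
        $2 == "VALIDSIG" && length($12) == 40 { primary = $12 }
        END {
            if (bad || state == "" || primary == "") { print "bad"; exit }
            if (primary != pinned) { print "unpinned-key"; exit }
            print state
        }'
}

# Usage: verify_key_file release.pub.sig release.pub
verify_key_file() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        classify_status "$PINNED"
}

# Constructed status lines modelled on the release.pub result above
# (fingerprints from the post; the numeric fields are illustrative).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1606482431
[GNUPG:] EXPKEYSIG 8D813712279A3E2F Turris Deploy (Turris OS root key) <deploy@turris.cz>
[GNUPG:] VALIDSIG A0C156FF9832E8B4A7F10DEC8D813712279A3E2F 2018-11-28 1543410431 0 4 0 1 8 00 BA6B68FACE443F6117A73F5AB03E14668D74AD6D
EOF
}
```

A verdict of expired-key means the signature is cryptographically valid and chains to the pinned primary key, but the signing subkey is past its expiry, which is the state shown for all three .sig files above.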