
No, you cannot extract the public key from the signature. It is only telling you the fingerprint of the key the message claims to have been signed with, but there is no verification happening.

You can change part of the message or the encoded fingerprint (which is a bit longer than the portion you pasted), and it will still report it the same way.

However, you will not be able to mathematically verify that this message and another one were signed by the same key.

If you look carefully at what GPG is telling you, you will probably see a line like this, unless you have the key in your keyring:

    gpg: Can't check signature: No public key


Yes, you're right, this is only the ID, you'd need to get the actual key off a keyserver.


Also, let us not forget the possibility that there may not even be a key to begin with. :)
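
The first comment's point as an added example (not code from any commenter or from GnuPG): a parser for the body of a v4 OpenPGP signature packet, showing that the issuer is just an identifier field that reads back whatever was written into it. The sample packet, its key IDs and the dummy signature bytes are constructed, and `claimed_issuer` and `build_sample` are hypothetical names.

```python
import struct

ISSUER_KEY_ID = 16       # subpacket type (RFC 4880): 8-byte key ID
ISSUER_FINGERPRINT = 33  # subpacket type (RFC 9580): version octet + fingerprint

def _subpackets(area):
    """Yield (type, data) for each subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        n = area[i]
        i += 1
        if 192 <= n < 255:                       # two-octet length
            n = ((n - 192) << 8) + area[i] + 192
            i += 1
        elif n == 255:                           # five-octet length
            n = struct.unpack(">I", area[i:i + 4])[0]
            i += 4
        yield area[i] & 0x7F, area[i + 1:i + n]  # mask off the "critical" bit
        i += n                                   # n counts the type octet too

def claimed_issuer(body):
    """Return the issuer identifiers a v4 signature packet body claims."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    areas = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]
    out = {}
    for area in areas:
        for typ, data in _subpackets(area):
            if typ == ISSUER_KEY_ID:
                out["key_id"] = data.hex().upper()
            elif typ == ISSUER_FINGERPRINT:
                out["fingerprint"] = data[1:].hex().upper()
    return out  # identifiers only: no key material, nothing verified

def build_sample(key_id):
    """Constructed v4 signature body; the signature value is dummy bytes."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1700000000)  # creation time
    unhashed = bytes([9, ISSUER_KEY_ID]) + key_id           # claimed issuer
    return (bytes([4, 0x00, 1, 8])                # v4, binary sig, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd" + struct.pack(">H", 8) + b"\xff")  # hash prefix + MPI

if __name__ == "__main__":
    original = build_sample(bytes.fromhex("0123456789ABCDEF"))
    edited = build_sample(bytes.fromhex("1111111111111111"))  # same dummy signature
    print(claimed_issuer(original))
    print(claimed_issuer(edited))
```

Both packets parse cleanly and report different issuers over the same signature bytes; only a check against the actual public key could tell which claim, if either, is true.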



