Hi! I may be doing something wrong, but I wasn't able to verify the signatures you provided in your release. I would appreciate some pointers.
I'm attempting to verify binaries of v0.4.1 using sequoia:
% sq version
sq 1.3.1
using sequoia-openpgp 2.0.0
with cryptographic backend Nettle 3.10 (Cv448: true, OCB: true)
I tried several different binaries with the same result; let's take the flatpak one as an example.
What I did:
- Put the key file from README.md in a file and import it
% sq cert import commet.key
- ┌ 7494B1FA4E3A9E8253B048B09D821FB45EC0E1AA
└ Commet <contact@commet.chat> (UNAUTHENTICATED)
- imported
Imported 1 new certificate, updated 0 certificates, 0 certificates unchanged, 0 errors.
- Download
chat.commet.commetapp.flatpak and the corresponding .asc signature
- Attempt to verify and note the failure
% sq verify --signature-file=chat.commet.commetapp.flatpak.asc chat.commet.commetapp.flatpak
Signing key on 7494B1FA4E3A9E8253B048B09D821FB45EC0E1AA is bad:
Error: Invalid key: "key is not signing capable"
0 authenticated signatures, 1 bad key.
In my attempts to understand what's going on, I noticed that the key referenced in the signature is the main key of the bundle, not the signing key - note that the "Alleged signer" fingerprint in the snippet below matches the main fingerprint, not the subkey with the signing flag.
% sq inspect chat.commet.commetapp.flatpak.asc
chat.commet.commetapp.flatpak.asc: Detached signature.
Alleged signer: 7494B1FA4E3A9E8253B048B09D821FB45EC0E1AA
Commet <contact@commet.chat> (UNAUTHENTICATED)
Note: Signatures have NOT been verified!
% sq inspect commet.key
commet.key: OpenPGP Certificate.
Fingerprint: 7494B1FA4E3A9E8253B048B09D821FB45EC0E1AA
Public-key algo: Ed25519
Public-key size: 256 bits
Creation time: 2026-01-02 01:01:57 UTC
Key flags: certification
Subkey: B4971D825A3FF95AF5BB38D9DDE9E57D9FD7C120
Public-key algo: EdDSA
Public-key size: 256 bits
Creation time: 2026-01-02 01:01:57 UTC
Key flags: authentication
Subkey: 8690CEF67515B30CC1A2884F2C047FEB9C958844
Public-key algo: ECDH
Public-key size: 256 bits
Creation time: 2026-01-02 01:01:57 UTC
Key flags: transport encryption, data-at-rest encryption
Subkey: C5DCF471DCF2AD9A3C8A102151F61E2C3FDF63CD
Public-key algo: Ed25519
Public-key size: 256 bits
Creation time: 2026-01-02 01:01:57 UTC
Key flags: signing
UserID: Commet <contact@commet.chat>
Is there something I'm doing wrong? What is the intended procedure for verifying the signatures?
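An added illustration of the check behind that error, written for this page; it is not sq's code and not the Commet project's. It is a toy OpenPGP packet walker in Python that pulls the Issuer Fingerprint subpacket out of a detached signature, reads the key-flags subpacket from the self-signature that follows each key in the certificate, and reports whether the alleged issuer has the signing flag, which is exactly the mismatch shown above (the issuer is the certification-only primary key, not the signing subkey). The certificate and both detached signatures are constructed inside the script; the user ID, the creation time and the key points are invented filler and the signature MPIs are never checked, so nothing here is cryptographic verification, only the key-flag lookup that a verifier performs before it.

```python
# Added example, not sq's or Commet's code: a toy OpenPGP packet walker answering
# what sq checks before any cryptography, namely which key a detached signature
# names as issuer and whether that key's self-signature carries the signing flag.
# All key material is constructed filler; no signature MPI is ever verified.
import hashlib
import struct

CERTIFY, SIGN = 0x01, 0x02                          # key-flag bits (RFC 4880 5.2.3.21)
KEY_FLAGS, ISSUER_FPR = 27, 33                      # signature subpacket types
FLAG_SIGS = {0x10, 0x11, 0x12, 0x13, 0x1F, 0x18}    # self-sigs that may carry key flags

def packet(tag, body):                              # new-format header, one-octet length
    return bytes([0xC0 | tag, len(body)]) + body    # (sample bodies are all < 192 octets)

def subpacket(typ, body):
    return bytes([len(body) + 1, typ]) + body

def key_packet(creation, seed):                     # v4 key, algo 22 (EdDSA), Ed25519 OID
    oid = bytes.fromhex("2b06010401da470f01")
    point = b"\x40" + hashlib.sha256(seed).digest() # constructed point, not a real key
    return (b"\x04" + struct.pack(">I", creation) + b"\x16" + bytes([len(oid)]) + oid
            + struct.pack(">H", 263) + point)

def fingerprint(key_body):                          # v4: SHA-1(0x99 || 2-octet len || body)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()

def signature_packet(sig_type, hashed):
    # v4: version, type, pk algo, hash algo, hashed area, empty unhashed area, left16, filler MPI
    return (b"\x04" + bytes([sig_type, 22, 8]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00\x00\x00" + struct.pack(">H", 8) + b"\x80")

def read_length(data, i, subpkt=False):             # new-format packet / subpacket length
    first = data[i]
    if first < 192:
        return first, i + 1
    if first < (255 if subpkt else 224):
        return ((first - 192) << 8) + data[i + 1] + 192, i + 2
    if first < 255:
        raise ValueError("partial body lengths not supported")
    return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5

def read_packets(data):
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                              # new-format header
            tag, (n, i) = hdr & 0x3F, read_length(data, i + 1)
        else:                                       # old-format header (GnuPG exports use it);
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]   # length type 3 is unsupported
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]
        i += n

def read_subpackets(area):
    i = 0
    while i < len(area):
        n, i = read_length(area, i, subpkt=True)
        yield area[i] & 0x7F, area[i + 1:i + n]     # type (critical bit stripped), body
        i += n

def parse_signature(body):                          # -> (signature type, hashed subpackets)
    # The unhashed area is ignored on purpose: it is not covered by the signature.
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    return body[1], dict(read_subpackets(body[6:6 + hlen]))

def key_flags(cert):                                # fingerprint -> flags from each key's self-sig
    flags, current = {}, None
    for tag, body in read_packets(cert):
        if tag in (6, 14):                          # public key / public subkey
            current = fingerprint(body)
            flags.setdefault(current, 0)
        elif tag == 2 and current is not None:
            sig_type, subs = parse_signature(body)
            if sig_type in FLAG_SIGS and KEY_FLAGS in subs:
                flags[current] |= subs[KEY_FLAGS][0]
    return flags

def check_detached(sig, cert):                      # the question behind sq's error message
    tag, body = next(read_packets(sig))
    sig_type, subs = parse_signature(body)
    if tag != 2 or sig_type != 0x00:
        raise ValueError("expected a detached signature over a binary document")
    issuer = subs.get(ISSUER_FPR)
    if issuer is None or issuer[0] != 4:
        return "no v4 Issuer Fingerprint subpacket"
    if issuer[1:] not in (flags := key_flags(cert)):
        return "issuer not found in certificate"
    return "ok" if flags[issuer[1:]] & SIGN else "key is not signing capable"

def build_sample(creation=1767315717):              # constructed cert shaped like the report's
    primary, subkey = key_packet(creation, b"primary"), key_packet(creation, b"sign")
    cert = (packet(6, primary) + packet(13, b"Example <contact@example.invalid>")
            + packet(2, signature_packet(0x13, subpacket(KEY_FLAGS, bytes([CERTIFY]))))
            + packet(14, subkey)
            + packet(2, signature_packet(0x18, subpacket(KEY_FLAGS, bytes([SIGN])))))
    by_primary, by_subkey = (packet(2, signature_packet(0x00, subpacket(ISSUER_FPR, b"\x04" + fingerprint(k))))
                             for k in (primary, subkey))
    return cert, by_primary, by_subkey              # one detached signature naming each key as issuer
```

Calling `cert, by_primary, by_subkey = build_sample()` and then `check_detached(by_primary, cert)` returns "key is not signing capable", while `check_detached(by_subkey, cert)` returns "ok": the same certificate, and the only difference is which fingerprint the signature's hashed Issuer Fingerprint subpacket names. The walker reads key flags only from hashed subpackets of the self-signature that follows each key, as a real verifier must, and it stops where this toy stops: it does not check the binding signatures, the document signature, revocations or expiry, all of which a real verification does before it reports success.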