Trying to install OSSEC on a fresh Debian 12 system.
I would like to verify the package before running the installer on my system.
While there is a GPG-signature provided for the .tar.gz file found on https://www.ossec.net/download-ossec/, there is no apparent pointer where/how to get the corresponding public key used in the signature (https://github.com/ossec/ossec-hids/releases/download/3.7.0/ossec-hids-3.7.0.tar.gz.asc).
A simple gpg --recv-key for the key-ID gives a "contains no user ID" error (see below).
Any ideas where I might find the corresponding key?
Suggestion: to include the public key used for signing next to the signature-file in https://www.ossec.net/download-ossec/ or supply a CLI one-liner how to import it in a somewhat trustworthy manner.
For inspiration: here is how Linux Mint and The Tor Project guide their users to import GPG-keys and verify signatures.
user@host:~/Downloads$ gpg --verify ossec-hids-3.7.0.tar.gz.asc
gpg: assuming signed data in 'ossec-hids-3.7.0.tar.gz'
gpg: Signature made Mon 17 Jan 2022 05:09:10 PM CET
gpg: using RSA key B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7
gpg: Can't check signature: No public key
user@host:~/Downloads$ gpg --recv-key B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7
gpg: key EE1B0E6B2D8387B7: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
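The verification flow the issue asks for, as an added example that is not part of the original issue or the OSSEC project: it imports a key file obtained out of band (for instance one published next to the signature, as suggested above) into a throw-away keyring, verifies the detached signature, and accepts only if the signing key's fingerprint matches a pinned value such as the B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7 that gpg reported in the session above. It assumes GnuPG 2.x with the usual mktemp/awk tools; the demo key, file names and self-test are constructed here.

```shell
# Added example (not from the issue): verify a detached OpenPGP signature with a
# key obtained out of band and a pinned fingerprint, in a throw-away keyring.
verify_release() {
    # usage: verify_release TARBALL SIGFILE PUBKEY_FILE EXPECTED_FINGERPRINT
    tarball=$1; sigfile=$2; keyfile=$3
    expected=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    hd=$(mktemp -d) || return 2
    rc=1
    if gpg --homedir "$hd" --batch --quiet --import "$keyfile" 2>/dev/null; then
        # --status-fd 1 prints machine-readable lines; VALIDSIG carries the signing
        # key fingerprint (field 3) and the primary key fingerprint (last field).
        status=$(gpg --homedir "$hd" --batch --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null || true)
        sig_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
        pri_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
        # a good signature alone is not enough: it must come from the pinned key
        if [ -n "$sig_fpr" ] && { [ "$sig_fpr" = "$expected" ] || [ "$pri_fpr" = "$expected" ]; }; then
            rc=0
        fi
    fi
    gpgconf --homedir "$hd" --kill gpg-agent 2>/dev/null || true
    rm -rf "$hd"
    return $rc
}

# Self-test with a constructed signer: throw-away key, fake tarball, then the
# good case and two must-fail cases. Returns 0 when all three behave correctly.
demo_selftest() {
    wd=$(mktemp -d) || return 2
    kd="$wd/signer"; mkdir -m 700 "$kd"
    printf 'constructed stand-in for ossec-hids-3.7.0.tar.gz\n' > "$wd/release.tar.gz"
    gpg --homedir "$kd" --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' ed25519 sign never 2>/dev/null || return 3
    fpr=$(gpg --homedir "$kd" --with-colons --list-keys | awk -F: '/^fpr:/{print $10; exit}')
    gpg --homedir "$kd" --armor --export > "$wd/signer.asc"
    gpg --homedir "$kd" --batch --pinentry-mode loopback --passphrase '' --armor \
        --detach-sign --output "$wd/release.tar.gz.asc" "$wd/release.tar.gz" 2>/dev/null || return 3
    result=0
    verify_release "$wd/release.tar.gz" "$wd/release.tar.gz.asc" "$wd/signer.asc" "$fpr" || result=1
    printf 'x' >> "$wd/release.tar.gz"   # tampered tarball: must be rejected
    verify_release "$wd/release.tar.gz" "$wd/release.tar.gz.asc" "$wd/signer.asc" "$fpr" && result=1
    printf 'constructed stand-in for ossec-hids-3.7.0.tar.gz\n' > "$wd/release.tar.gz"
    # valid signature but from a key other than the pinned one: must be rejected
    verify_release "$wd/release.tar.gz" "$wd/release.tar.gz.asc" "$wd/signer.asc" \
        0000000000000000000000000000000000000000 && result=1
    gpgconf --homedir "$kd" --kill gpg-agent 2>/dev/null || true
    rm -rf "$wd"
    return $result
}
```

For a real download, call verify_release with the tarball, its .asc, the out-of-band key file and the fingerprint you expect; a non-zero return means do not run the installer.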