On Tue, Feb 23, 2016 at 08:13:59PM +0100, Ralf Senderek wrote:
> 
> On Tue, 23 Feb 2016, Till Maas wrote:
> 
> > You can already get the keys at various places:
> > 
> > - Fedora website
> > - physical DVDs
> > - fedora-repos git repository
> > - fedora-repos RPM on kojipkgs
> > - fedora-repos RPM Fedora mirrors
> > - Fedora ISO images on Fedora mirrors
> > - Eventually DNSSEC protected from DNS
> 
> I was very clear in saying fingerprint not keys. The original key file from
> the website contains only self-signed keys. The only way to know if these
> are valid is to check the fingerprint.
It is not the only way. You can also compare the keys from all these
locations directly. Or calculate the fingerprint from the keys at all these
locations and compare them.

> > Also all recent Fedora keys were signed by me. So how many different
> > places do we need to make it secure? I am also very interested in making
> > this secure, but adding more random places to look does not help unless
> > people are actually looking there.
> 
> Printing the fingerprint in prominent places makes faking the key
> nearly impossible, even if the ordinary user doesn't look there.

If the user does not look at the places, then it does not help. But what
are the exact places that you propose to post the fingerprint?

> > And since you did not notice that I
> > signed the GPG keys, I guess you did not look much as well.
> 
> You didn't sign it in the download file from the verify page.

You can get the signature from a keyserver. Just wondering, how would you
check the signature if it was included in the key download file, that it
would be hard to download the signature instead with --refresh-keys in gpg
- the latter also gives you all signatures that everyone added to the key.

> Signing a key only helps if it is an assurance that the signer has checked
> the fingerprint. I could have signed the keys as well, but I didn't
> because I don't know anything about the fingerprint from first-hand.

How will you decide whether someone checked the fingerprint? How should an
inexperienced user decide whether to trust a certain key?

> If you have a valid means of checking the fingerprint with the creator
> of the key and publicly confirm the fingerprint on the mailing list,
> this would be a step forward.

I used my access to the signing server to verify the key before signing it.
But why is confirming the fingerprint here a step forward? Why would
someone search in this mailing list for the fingerprint of the gpg key?
FWIW, the signing server just gave me a public key with this fingerprint
when I asked for the Fedora 24 signing key:

pub   4096R/81B46521 2015-07-25 Fedora (24) <fedora-24-prim...@fedoraproject.org>
      Key fingerprint = 5048 BDBB A5E7 76E5 47B0 9CCC 73BD E983 81B4 6521

> > Btw before suggesting what to provide, maybe think of the instructions
> > for users that would explain how to verify the keys
> 
> They are already asking the user on the verify page to run a gpg command,
> displaying the fingerprint is as easy as that.

This is not a specific instruction. Please provide an example of the
specific instructions that you would like to add.
-- 
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
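As an added illustration that is not part of the thread: the comparison Till describes, computing the fingerprint of each copy of a key obtained from a different place and checking it against the published value, written in Python. The v4 fingerprint construction follows RFC 4880; the key packet is a constructed toy with a tiny modulus rather than the real Fedora 24 key, and the fingerprint quoted above is used only to show that the key ID in the `pub 4096R/81B46521` line is simply its trailing hex digits (for real key files you would let gpg compute the fingerprint, the packet parsing here is deliberately minimal).

```python
import hashlib
import re

# Values quoted in the thread: the fingerprint gpg printed for the Fedora 24 key and the
# short key ID from the "pub 4096R/81B46521" line.
FEDORA_24_FPR = "5048 BDBB A5E7 76E5 47B0 9CCC 73BD E983 81B4 6521"
FEDORA_24_KEYID = "81B46521"

def normalize_fingerprint(text):
    """Strip whitespace and upper-case a fingerprint the way gpg prints it."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit OpenPGP v4 fingerprint")
    return fpr

def key_ids(fpr):
    """The long (64-bit) and short (32-bit) key IDs are the trailing hex digits of a v4 fingerprint."""
    fpr = normalize_fingerprint(fpr)
    return fpr[-16:], fpr[-8:]

def mpi(n):
    """OpenPGP multi-precision integer: two-byte bit length, then the big-endian magnitude."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_pubkey_packet_body(n, e, created):
    """Version-4 RSA public-key packet body: version, creation time, algorithm 1, MPIs n and e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(packet_body):
    """SHA-1 over 0x99, a two-byte big-endian length and the packet body (RFC 4880, section 12.2)."""
    data = b"\x99" + len(packet_body).to_bytes(2, "big") + packet_body
    return hashlib.sha1(data).hexdigest().upper()

def check_sources(copies, published):
    """Fingerprint each copy fetched from a different place and compare it with the published value."""
    want = normalize_fingerprint(published)
    return {source: v4_fingerprint(body) == want for source, body in copies.items()}

# Constructed toy key (tiny modulus, illustration only). The same packet is "fetched" from three
# places; a fourth copy has one bit of the modulus flipped, as a substituted key would differ.
GOOD = rsa_pubkey_packet_body(0xC7B1D3E5F709, 65537, 1437782400)
BAD = bytes(b ^ (0x01 if i == 10 else 0x00) for i, b in enumerate(GOOD))
COPIES = {"website": GOOD, "dvd": GOOD, "mirror": GOOD, "tampered-mirror": BAD}
PUBLISHED = v4_fingerprint(GOOD)  # what a maintainer with signing-server access would announce
```

Any copy whose computed fingerprint does not match the announced one is the copy to distrust, regardless of how many places it was found in.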