On 11/26/2020 9:10 PM, Werner Koch wrote:
> Hi,
>
> and thanks for asking.


Thanks for this.

To be sure that I understand you correctly, I took the liberty of
rewording your answers.

> On Thu, 26 Nov 2020 19:12, john doe said:
>
>> Is there a URL to download those sha1sums and those public keys as files?
>
> The problem with sha1sums is that a single publication would be easy to
> fake.  The only known countermeasure is to widely distribute them.  We
> do have them on the website as you noticed, they are sent out by signed
> mail to several thousand subscribers, and our and other mail archives
> carry the release announcement with the checksums.

If I look at Debian (1) for example, the checksum file is gpg signed.
Assuming that I understand correctly, the Debian approach is not a safe
way to make the checksums available/propagate?

> No, there is no single file with the checksums because that would be
> too easy a target for an attacker.

Even if the file would be gpg signed?

>> and for the public key I could do something like:
>>
>> $ wget <URL-OF-PUBLIC-KEYS>
>> $ gpg --import <PUBLIC-KEYS-FILES>
>> $ gpg --verify *.sig
>
> And please check the printed fingerprint against copies of the
> fingerprint distributed in the same way as the checksums.  The keys are
> also quite well connected in the Web-of-Trust, which can also help to
> validate them.

You mean by checking if the fingerprint of the downloaded keys matches
the one listed on the web site?

> The advantage of the public keys and the fingerprints is that they do
> not change and thus you only need to validate them once and sign
> the keys so that you can trust them in the future.

Okay, if the fingerprints match I should sign the keys with mine.

>> I understand that for this last step I could also do:
>>
>> $ gpg --keyserver-options auto-key-retrieve --verify *.sig
>
> Don't.  For verification always use
>
>     gpg --verify file.sig file

Okay, won't do that anymore.

> and check the output well.  If you need to automate this, use gpgv and
> put all the trusted signing keys into a dedicated keyring.  For
> automating this with gpg, I would suggest writing a gpgme based tool.

If I want to verify a new release:
- Manually: take advantage of gpgv
- Unattended: use a wrapper around gpgme


Your input is much appreciated.

1) https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/

--
John Doe
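An added example, not part of the thread above, of the unattended path Werner describes: the release-signing key goes into a dedicated, throwaway keyring, its fingerprint is checked against a pinned value taken from the announcement or website (never from the downloaded key itself), and only then does gpgv check the signature. It assumes gpg and gpgv (GnuPG 2.1 or later) are installed; the fingerprint, key file and release file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: pinned-fingerprint release verification with a dedicated
# keyring and gpgv. No key is fetched automatically; the expected
# fingerprint is a placeholder the operator fills in from the release
# announcement or the project website.

# Normalise a fingerprint so "D869 2123 ..." and "d8692123..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 when two fingerprints denote the same key.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Return 0 when the keyring in GnuPG home $1 holds a key with fingerprint $2.
# --with-colons emits "fpr:::::::::<FINGERPRINT>:" records; field 10 is the value.
keyring_has_fpr() {
    gpg --homedir "$1" --batch --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }' \
        | grep -qx "$(norm_fpr "$2")"
}

# verify_release KEYFILE EXPECTED_FPR SIGFILE DATAFILE
# Imports KEYFILE into a temporary GnuPG home (the user's own keyring is
# never touched), refuses to go on unless the pinned fingerprint is present,
# then lets gpgv check SIGFILE over DATAFILE against that keyring only.
verify_release() {
    keyfile=$1 expected=$2 sigfile=$3 datafile=$4
    tmphome=$(mktemp -d) || return 1
    chmod 700 "$tmphome"
    rc=1
    if gpg --homedir "$tmphome" --batch --import "$keyfile" 2>/dev/null \
        && keyring_has_fpr "$tmphome" "$expected"; then
        keyring=$tmphome/pubring.kbx
        [ -f "$keyring" ] || keyring=$tmphome/pubring.gpg   # GnuPG 1.x layout
        gpgv --keyring "$keyring" "$sigfile" "$datafile"
        rc=$?
    else
        echo "key file does not carry the pinned fingerprint $expected" >&2
    fi
    rm -rf "$tmphome"
    return $rc
}

# Usage (placeholder values):
#   verify_release release-key.asc "<PINNED-FINGERPRINT>" \
#       gnupg-X.Y.Z.tar.bz2.sig gnupg-X.Y.Z.tar.bz2
```

gpgv exits non-zero on a bad or missing signature, so the function's return code can drive the rest of an unattended pipeline.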

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
