The FIPS version of OpenSSL has an external verification mechanism
which does not require a PGP signature verification.  In the Security
Policy, there are keyed HMACs for the source files which go into
fipscanister.o.  A file inside the distribution mirrors this.  During
the build process, an HMAC-checker is built to verify the source, and
then a signature is created and embedded into fipscanister.o.  During
the fipsld process, code to verify the in-memory library image with
its signature is added to the executable.

Please check the Security Policy for information on the official way
to verify what you downloaded.

-Kyle H

On 4/24/07, Lee Merrill <[EMAIL PROTECTED]> wrote:

 Hi everyone,

     I expect this has been asked before, but which PGP product is
appropriate for the FIPS validation of the FIPS ssl archive
(openssl-fips-1.1.1.tar.gz) via the openssl-fips-1.1.1.tar.gz.asc file? I
verified it with gpg, per the FIPS instructions ("gpg --verify *.asc *.gz"),
but I need the FIPS-validated PGP counterpart of gpg in order to be
official. I found a "PGP command line decrypt and verify" tool here:

http://www.pgp.com/products/commandline/mainframes/faqs.html

 But I can't find where to order it, though this seems more likely to be
what I need (albeit it runs on a mainframe!) than the full PGP suite.

 Thanks,
 Lee

--
 "There is nothing remarkable about it. All one has to do is press the right
keys at the right time and the computer programs itself." (ala J.S. Bach)

Unless otherwise stated, any views presented in this e-mail are solely those
of the author and do not necessarily represent those of the company.
______________________________________________________________________
OpenSSL Project http://www.openssl.org User Support Mailing List
openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
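
The source-file check described in the reply above, as an added example that is not part of the original thread and is not the OpenSSL project's own HMAC-checker: it verifies a source tree against a manifest of keyed HMACs. The key, the choice of HMAC-SHA-1, the `HMAC(<path>)= <hex>` manifest format and the sample files are assumptions constructed for illustration; the official values are the ones in the Security Policy.

```python
import hmac
import os
import tempfile

# Assumption: HMAC-SHA-1 and the "HMAC(<path>)= <hex>" line format are chosen
# for this example only; real keys and digests come from the Security Policy.
def file_hmac(path, key, digest="sha1"):
    """Keyed HMAC of one file, streamed in chunks."""
    mac = hmac.new(key, digestmod=digest)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def parse_manifest(text):
    """Parse 'HMAC(<relative path>)= <hex>' lines into {path: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, digest = line.partition(")= ")
        if not name.startswith("HMAC(") or not digest:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name[len("HMAC("):]] = digest.lower()
    return expected

def verify_tree(root, manifest_text, key):
    """Return {path: 'ok' | 'mismatch' | 'missing'} for every listed file."""
    results = {}
    for rel, want in parse_manifest(manifest_text).items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
            continue
        got = file_hmac(path, key)
        # Constant-time comparison of the computed and published digests.
        results[rel] = "ok" if hmac.compare_digest(got, want) else "mismatch"
    return results

def demo():
    """Constructed sample: two source files, one altered after the manifest was made."""
    key = b"constructed-demo-key"  # placeholder, not the published key
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.c", "b.c"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(f"int {name[0]};\n")
        lines = [f"HMAC({n})= {file_hmac(os.path.join(root, n), key)}" for n in ("a.c", "b.c")]
        lines.append("HMAC(c.c)= " + "00" * 20)  # listed but absent from the tree
        with open(os.path.join(root, "b.c"), "a") as fh:
            fh.write("/* modified */\n")
        return verify_tree(root, "\n".join(lines), key)
```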

