Re: [ANNOUNCE] c-ares.org downloads and website updates

2024-06-08 Thread Nikolaos Chatzikonstantinou via c-ares
On Thu, Jun 6, 2024, 10:42 PM Cristian Rodríguez wrote:

> On Thu, Jun 6, 2024 at 10:16 PM Nikolaos Chatzikonstantinou via c-ares wrote:
>
> > Nice! As soon as I tried to demonstrate it, both the signature and the
> > contents were mangled by gmail. Well, you know what, just attach a
> > signature file with `gpg --sign --detach`. Sigh, how comedic.
>
> This stuff... is broken internet-wide, so no surprise.
> It doesn't matter anyway. People should pull releases from signed git
> tags instead and reject stuff not signed by the release managers.
>

Yes, that will do it, so e.g. a signed tag on a commit that includes a NEWS
entry on new dev keys introduced, or a signed tarball release.
-- 
c-ares mailing list
c-ares@lists.haxx.se
https://lists.haxx.se/mailman/listinfo/c-ares


Re: [ANNOUNCE] c-ares.org downloads and website updates

2024-06-06 Thread Cristian Rodríguez via c-ares
On Thu, Jun 6, 2024 at 10:16 PM Nikolaos Chatzikonstantinou via c-ares wrote:

> Nice! As soon as I tried to demonstrate it, both the signature and the
> contents were mangled by gmail. Well, you know what, just attach a
> signature file with `gpg --sign --detach`. Sigh, how comedic.

This stuff... is broken internet-wide, so no surprise.
It doesn't matter anyway. People should pull releases from signed git
tags instead and reject stuff not signed by the release managers.
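
The check discussed in the two messages above (accept a signed tarball or a signed git tag only when a release manager's key made the signature), as an added example that is not part of the thread or of the c-ares project's tooling. The function names are hypothetical, the second allowlist entry is a placeholder because the thread does not give Daniel's fingerprint, the sample status lines are constructed, and the keys are assumed to be in the local keyring already.

```shell
#!/bin/sh
# Added example: accept a release only when its signature comes from a pinned
# release-manager key. Function names are hypothetical.
RELEASE_SIGNERS="
DA7D64E4C82C6294CB73A20E22E3D13B5411B7CA
REPLACE_WITH_DANIELS_PRIMARY_KEY_FINGERPRINT
"   # first entry: fingerprint announced in this thread; second: placeholder

# Read gpg status lines on stdin and print the signer's primary-key
# fingerprint. For a signing subkey, VALIDSIG field 3 is the subkey and the
# last field is the primary key. VALIDSIG also accompanies EXPKEYSIG and
# REVKEYSIG (expired or revoked key), so a GOODSIG line is required as well;
# anything other than exactly one good signature prints nothing.
signer_primary_fpr() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good++ }
         $2 == "VALIDSIG" { valid++; fpr = (NF >= 12 ? $12 : $3) }
         END { if (good == 1 && valid == 1) print fpr }'
}

# Succeed only if stdin shows one good signature from a pinned fingerprint.
status_is_trusted_release() {
    fpr=$(signer_primary_fpr)
    [ -n "$fpr" ] || return 1
    for allowed in $RELEASE_SIGNERS; do
        [ "$fpr" = "$allowed" ] && return 0
    done
    return 1
}

# Detached signature next to a tarball.
verify_tarball() {   # usage: verify_tarball <signature-file> <tarball>
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_is_trusted_release
}

# Signed git tag: --raw prints the same status lines on stderr.
verify_tag() {       # usage: verify_tag <tag>
    git verify-tag --raw "$1" 2>&1 >/dev/null | status_is_trusted_release
}

# Constructed status output: a signing subkey (all A) under the pinned primary.
SAMPLE_STATUS='[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2024-06-07 1717750000 0 4 0 22 10 00 DA7D64E4C82C6294CB73A20E22E3D13B5411B7CA'

printf '%s\n' "$SAMPLE_STATUS" | status_is_trusted_release && echo "sample accepted"
```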


Re: [ANNOUNCE] c-ares.org downloads and website updates

2024-06-06 Thread Nikolaos Chatzikonstantinou via c-ares
On Thu, Jun 6, 2024 at 10:14 PM Nikolaos Chatzikonstantinou wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On Thu, Jun 6, 2024 at 6:38 PM Brad House via c-ares wrote:
> >
> > On 6/6/24 6:11 PM, Nikolaos Chatzikonstantinou via c-ares wrote:
> >
> > >
> > > Hello, congrats on the update. I don't mean to be annoying but the
> > > introduction of a new key should be in an email signed by the old key.
> > > The download page could clarify also which versions are expected to be
> > > signed by either key and which are only by Daniel, e.g. from >=1.30
> > > both keys are valid. This is probably in the changelog or NEWS file
> > > (if not please add) but I didn't check.
> > >
> > I'm pretty sure the mailing list updates too many aspects of the message
> > for a signed email to properly pass through and be able to be
> > validated.  Maybe I'm wrong here.  If I'm right though, what other way
> > could we "prove" my key is allowed to be used?
>
> If the MTA mangles PGP/MIME there's
> 
> for some ways to deal with a mangled message. You don't have to use
> PGP/MIME, Daniel can just enclose his message in an inline signature
> with `gpg --clearsign`. I've sent this e-mail signed, as an example.
> My fingerprint is ED32 5C3D 9DFE 5B0A BECE  4021 719B 12FD F9F9 6069,
> but you should have my fingerprint (or public key) transmitted to you
> out-of-band (meaning, with a different method) because it is trivial
> for someone to take this e-mail, strip the signature, modify the
> fingerprint, and then re-sign it. If Daniel sends an e-mail, he
> doesn't have to worry about this, anyone who really cares can go
> through the pain of obtaining his key out-of-band through a secure
> channel (if they don't already have it), but what matters is that
> Daniel verifies you to be authorized as a signer for c-ares, and those
> who trust Daniel can now trust you too.
>
> > I did briefly discuss with Daniel about him signing my key with his as a
> > way to indicate some level of trust in my key, since we're across the
> > ocean from each other we'd need to do ID verification via a video chat.
> > We just haven't gotten around to that yet, would that "suffice"?
>
> Signing keys does not tell you anything, you need to have the context
> too (the context explains what the key is), which also needs to be
> signed. (Confusingly in PGP there's the web of trust where users sign
> keys together with an indicated level of trust.)
>
> Regards,
> Nikolaos Chatzikonstantinou
> -BEGIN PGP SIGNATURE-
>
> iHUEARYKAB0WIQT+qiF+WQ7fQkkAb/UJFDAFinzxjQUCZmJs3AAKCRAJFDAFinzx
> jch0AP4gzqFCfgck6fBcpiLOnxYK7GdQHX1GXsND3j+nWMAHDQD+Lh7VM+5ONg9c
> dOga1QWYPR4fWYp6WisLFRtrDqIxWgE=
> =gDSN
> -END PGP SIGNATURE-

Nice! As soon as I tried to demonstrate it, both the signature and the
contents were mangled by gmail. Well, you know what, just attach a
signature file with `gpg --sign --detach`. Sigh, how comedic.

Regards,
Nikolaos Chatzikonstantinou


Re: [ANNOUNCE] c-ares.org downloads and website updates

2024-06-06 Thread Nikolaos Chatzikonstantinou via c-ares
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Thu, Jun 6, 2024 at 6:38 PM Brad House via c-ares wrote:
>
> On 6/6/24 6:11 PM, Nikolaos Chatzikonstantinou via c-ares wrote:
>
> >
> > Hello, congrats on the update. I don't mean to be annoying but the
> > introduction of a new key should be in an email signed by the old key.
> > The download page could clarify also which versions are expected to be
> > signed by either key and which are only by Daniel, e.g. from >=1.30
> > both keys are valid. This is probably in the changelog or NEWS file
> > (if not please add) but I didn't check.
> >
> I'm pretty sure the mailing list updates too many aspects of the message
> for a signed email to properly pass through and be able to be
> validated.  Maybe I'm wrong here.  If I'm right though, what other way
> could we "prove" my key is allowed to be used?

If the MTA mangles PGP/MIME there's

for some ways to deal with a mangled message. You don't have to use
PGP/MIME, Daniel can just enclose his message in an inline signature
with `gpg --clearsign`. I've sent this e-mail signed, as an example.
My fingerprint is ED32 5C3D 9DFE 5B0A BECE  4021 719B 12FD F9F9 6069,
but you should have my fingerprint (or public key) transmitted to you
out-of-band (meaning, with a different method) because it is trivial
for someone to take this e-mail, strip the signature, modify the
fingerprint, and then re-sign it. If Daniel sends an e-mail, he
doesn't have to worry about this, anyone who really cares can go
through the pain of obtaining his key out-of-band through a secure
channel (if they don't already have it), but what matters is that
Daniel verifies you to be authorized as a signer for c-ares, and those
who trust Daniel can now trust you too.

> I did briefly discuss with Daniel about him signing my key with his as a
> way to indicate some level of trust in my key, since we're across the
> ocean from each other we'd need to do ID verification via a video chat.
> We just haven't gotten around to that yet, would that "suffice"?

Signing keys does not tell you anything, you need to have the context
too (the context explains what the key is), which also needs to be
signed. (Confusingly in PGP there's the web of trust where users sign
keys together with an indicated level of trust.)

Regards,
Nikolaos Chatzikonstantinou
-BEGIN PGP SIGNATURE-

iHUEARYKAB0WIQT+qiF+WQ7fQkkAb/UJFDAFinzxjQUCZmJs3AAKCRAJFDAFinzx
jch0AP4gzqFCfgck6fBcpiLOnxYK7GdQHX1GXsND3j+nWMAHDQD+Lh7VM+5ONg9c
dOga1QWYPR4fWYp6WisLFRtrDqIxWgE=
=gDSN
-END PGP SIGNATURE-


Re: [ANNOUNCE] c-ares.org downloads and website updates

2024-06-06 Thread Brad House via c-ares

On 6/6/24 6:11 PM, Nikolaos Chatzikonstantinou via c-ares wrote:

> Hello, congrats on the update. I don't mean to be annoying but the
> introduction of a new key should be in an email signed by the old key.
> The download page could clarify also which versions are expected to be
> signed by either key and which are only by Daniel, e.g. from >=1.30
> both keys are valid. This is probably in the changelog or NEWS file
> (if not please add) but I didn't check.


I'm pretty sure the mailing list updates too many aspects of the message 
for a signed email to properly pass through and be able to be 
validated.  Maybe I'm wrong here.  If I'm right though, what other way 
could we "prove" my key is allowed to be used?


I did briefly discuss with Daniel about him signing my key with his as a 
way to indicate some level of trust in my key, since we're across the 
ocean from each other we'd need to do ID verification via a video chat.
We just haven't gotten around to that yet, would that "suffice"?


Regarding documenting whose key was used when, historically we never 
even documented the valid signing key, there was no reference at all 
other than just having the signatures for each package themselves.  
Daniel has used a couple over the years, a DSA 1024bit key, and now an 
RSA 2048bit key.  Mine is an ed25519 sub key used for signing protected 
by an rsa4096 certification key, we'll see if that causes any issues too :)


-Brad



Re: [ANNOUNCE] c-ares.org downloads and website updates

2024-06-06 Thread Nikolaos Chatzikonstantinou via c-ares
On Thu, Jun 6, 2024, 5:42 PM Brad House via c-ares wrote:

> Hello team!
>
> I just wanted to announce that https://c-ares.org is now hosted by
> GitHub Pages (with a custom domain) rather than a dedicated server that
> Daniel has graciously maintained all these years.
>
> Any distributions that are currently pulling packages from
> https://c-ares.org/download/c-ares-X.Y.Z.tar.gz (or even the legacy
> https://c-ares.haxx.se) are now broken.  Please update your packaging
> scripts to point to the github release assets, which is now the official
> repository for signed release packages.
>
> On another note, there is now a new package signing key approved for
> upcoming releases, mine :)
>
> Brad House  -
> DA7D64E4C82C6294CB73A20E22E3D13B5411B7CA
>
> https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xda7d64e4c82c6294cb73a20e22e3d13b5411b7ca
>
>
> We will likely be trying this out for the c-ares 1.30.0 release tomorrow
> am (EDT), and track what fallout arises.
>
> Please note that Daniel's signing key is still valid and he may perform
> additional releases in the future as well.  This just adds redundancy to
> the release process so we're not blocked on any single individual.
>


Hello, congrats on the update. I don't mean to be annoying but the
introduction of a new key should be in an email signed by the old key. The
download page could clarify also which versions are expected to be signed
by either key and which are only by Daniel, e.g. from >=1.30 both keys are
valid. This is probably in the changelog or NEWS file (if not please add)
but I didn't check.

Regards,
Nikolaos Chatzikonstantinou


[ANNOUNCE] c-ares.org downloads and website updates

2024-06-06 Thread Brad House via c-ares

Hello team!

I just wanted to announce that https://c-ares.org is now hosted by 
GitHub Pages (with a custom domain) rather than a dedicated server that 
Daniel has graciously maintained all these years.


Any distributions that are currently pulling packages from 
https://c-ares.org/download/c-ares-X.Y.Z.tar.gz (or even the legacy 
https://c-ares.haxx.se) are now broken.  Please update your packaging 
scripts to point to the github release assets, which is now the official 
repository for signed release packages.


On another note, there is now a new package signing key approved for 
upcoming releases, mine :)


Brad House  - DA7D64E4C82C6294CB73A20E22E3D13B5411B7CA
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xda7d64e4c82c6294cb73a20e22e3d13b5411b7ca 



We will likely be trying this out for the c-ares 1.30.0 release tomorrow 
am (EDT), and track what fallout arises.


Please note that Daniel's signing key is still valid and he may perform 
additional releases in the future as well.  This just adds redundancy to 
the release process so we're not blocked on any single individual.


For updated download links as well as information on valid signing keys, 
please see https://c-ares.org/download/


Thanks!

-Brad House
