(fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
I'll write up a short page describing how to use them, unless Jerry
particularly wants to do it.


- Forwarded message from [EMAIL PROTECTED] -

From: [EMAIL PROTECTED]
Subject: Suggestion: describe (or link to) how to verify your distributions
Date: Fri, 22 Nov 2002 20:21:38 GMT
To: [EMAIL PROTECTED]

Hi folks,

Thanks for all your work.  Thanks for taking the time to secure it and to 
distribute it in a secure fashion. 

Today as I downloaded your new version, aware of the openssh trojan and
aware that MD5 signatures hosted on the same server don't verify
anything, I was pleased to find a digital signature for samba. 

A suggestion though.  In addition to providing the digital signature
it would be great if you could include a few links or a page or two
describing how to use it. 

I ask this, because I can't figure out how to get PGP to use your
signature.  And having visited CERT, PGP, GPG, and using google,
I am still stumped as to what to do with this
detached digital signature. 

You folks are one of the most important projects around.  It's terrific
that you are distributing digital signatures, you could improve on
that a bit by distributing information on how to use that
digital signature. 

Thank you, 

Jerry Asher

- End forwarded message -
-- 
Martin





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Steve Langasek
On Fri, Nov 22, 2002 at 12:56:39PM -0800, Martin Pool wrote:
 I'll write up a short page describing how to use them, unless Jerry
 particularly wants to do it.

In five words or less, from the gpg manpage:

$ gpg --verify samba-2.2.7.tar.gz.asc samba-2.2.7.tar.gz

-- 
Steve Langasek
postmodern programmer





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
On 22 Nov 2002, Steve Langasek [EMAIL PROTECTED] wrote:
 On Fri, Nov 22, 2002 at 12:56:39PM -0800, Martin Pool wrote:
  I'll write up a short page describing how to use them, unless Jerry
  particularly wants to do it.
 
 In five words or less, from the gpg manpage:
 
 $ gpg --verify samba-2.2.7.tar.gz.asc samba-2.2.7.tar.gz

Yeah, sure, but:

 What does this all mean?  Why should I care?

 Where do I get GPG?

 Where do I get the samba codesigning key?  How do I import it?   How
 do I know I got the right one?

 What do I do if it doesn't verify?

 etc...

-- 
Martin



Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
On 22 Nov 2002, Martin Pool [EMAIL PROTECTED] wrote:
 On 22 Nov 2002, Steve Langasek [EMAIL PROTECTED] wrote:
  On Fri, Nov 22, 2002 at 12:56:39PM -0800, Martin Pool wrote:
   I'll write up a short page describing how to use them, unless Jerry
   particularly wants to do it.
  
  In five words or less, from the gpg manpage:
  
  $ gpg --verify samba-2.2.7.tar.gz.asc samba-2.2.7.tar.gz
 
 Yeah, sure, but:
 
  What does this all mean?  Why should I care?
 
  Where do I get GPG?
 
  Where do I get the samba codesigning key?  How do I import it?   How
  do I know I got the right one?
 
  What do I do if it doesn't verify?
 
  etc...

Before you reply: I know the answers to these, but probably many
people don't.  Merely saying how to run the command is not a complete
solution -- using GPG without understanding at least the basics is
worse than not using it at all.

-- 
Martin



Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread David W. Chapman Jr.
On Fri, Nov 22, 2002 at 01:08:39PM -0800, Martin Pool wrote:
 Yeah, sure, but:
 
  What does this all mean?  Why should I care?
 
  Where do I get GPG?
 
  Where do I get the samba codesigning key?  How do I import it?   How
  do I know I got the right one?
 
  What do I do if it doesn't verify?
 
I always wondered if someone uploaded a tarball with a trojan, what's 
preventing them from updating the .asc file as well?

-- 
David W. Chapman Jr.
[EMAIL PROTECTED]   Raintree Network Services, Inc. www.inethouston.net
[EMAIL PROTECTED]   FreeBSD Committer www.FreeBSD.org



Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Tim Potter
On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:

   Where do I get the samba codesigning key?  How do I import it?   How
   do I know I got the right one?
  
   What do I do if it doesn't verify?
 
 I always wondered if someone uploaded a tarball with a trojan, what's 
 preventing them from updating the .asc file as well?

This is why you can't necessarily ignore the message that says:

gpg: WARNING: This key is not certified with a trusted signature!

The samba team needs to get more people to sign the distribution key so
this message becomes less frequent.


Tim.



Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Steve Langasek
On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:
 On Fri, Nov 22, 2002 at 01:08:39PM -0800, Martin Pool wrote:
  Yeah, sure, but:

   What does this all mean?  Why should I care?

   Where do I get GPG?

   Where do I get the samba codesigning key?  How do I import it?   How
   do I know I got the right one?

   What do I do if it doesn't verify?

 I always wondered if someone uploaded a tarball with a trojan, what's 
 preventing them from updating the .asc file as well?

It's a cryptographic signature that can only be produced using a specific
key.  Assuming that the key belongs to the party whose name is on it, and
assuming that the key is well-protected from theft, and assuming that the
algorithms used by PGP haven't been broken, you can be assured that the
signature was made by the person it claims to have come from.

Asking about, I've been pointed to http://gnupg.org/gph/en/manual.html
as a general intro to GPG.

-- 
Steve Langasek
postmodern programmer





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Steve Langasek
On Sat, Nov 23, 2002 at 08:29:57AM +1100, Tim Potter wrote:
 On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:

Where do I get the samba codesigning key?  How do I import it?   How
do I know I got the right one?
   
What do I do if it doesn't verify?

  I always wondered if someone uploaded a tarball with a trojan, what's 
  preventing them from updating the .asc file as well?

 This is why you can't necessarily ignore the message that says:

 gpg: WARNING: This key is not certified with a trusted signature!

 The samba team needs to get more people to sign the distribution key so
 this message becomes less frequent.

Hmm.  I see nine signatures already, and I have a full trust relationship
to the key which traverses multiple paths through the keyring, the
shortest of which is only three hops long, despite never having met a
member of the Samba Team.  All in all, a well-connected key, and I think
if there are people who get this error and actually care about it :), the
problem is more likely to lie on their end of the web of trust.

-- 
Steve Langasek
postmodern programmer





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
On 22 Nov 2002, Steve Langasek [EMAIL PROTECTED] wrote:

 Hmm.  I see nine signatures already, and I have a full trust relationship
 to the key which traverses multiple paths through the keyring, the
 shortest of which is only three hops long, despite never having met a
 member of the Samba Team.  All in all, a well-connected key, and I think
 if there are people who get this error and actually care about it :), the
 problem is more likely to lie on their end of the web of trust.

According to samba.html, the distribution key is 

  http://us1.samba.org/samba/ftp/samba-pubkey.asc
  gpg: key 2F87AF6F: public key Samba Distribution Verification Key [EMAIL PROTECTED]

This has only a single signature, from Jerry.

mbp@toey ~% gpg --list-sig 2F87AF6F   
pub  1024D/2F87AF6F 2002-10-15 Samba Distribution Verification Key [EMAIL PROTECTED]
sig 3   2F87AF6F 2002-10-15   Samba Distribution Verification Key [EMAIL PROTECTED]
sig D83511F6 2002-10-15   Gerald W. Carter [EMAIL PROTECTED]
sub  1024g/4A271F85 2002-10-15 [expires: 2004-10-14]
sig 2F87AF6F 2002-10-15   Samba Distribution Verification Key [EMAIL PROTECTED]

Jerry's key is pretty well signed, but perhaps not strongly connected
to the world at large.

I don't know of any way to get GPG to automatically download
signatures for the web of trust, so unless people happen to have
Jerry's key and those of the people who certify him it is likely to be
untrusted.

I think it would be good to get other developers to sign the
distribution key.  Perhaps we might also get organizations like CERT
or AusCERT to sign the key (if they will), because administrators are
likely to already have their pubkeys.

Jerry, if you can call Sundeep's desk then I will listen to your voice
and sign your key.

-- 
Martin





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
Incidentally, this form is pretty useful when trying to establish the
validity of a key.  It would be nice if it were available from a GUI.

  gpg --list-sig A0B3E88B|awk '/id not found/ { print $2 }' |sort -u |xargs gpg --recv-key

-- 
Martin





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Steve Langasek
On Fri, Nov 22, 2002 at 02:31:21PM -0800, Martin Pool wrote:

 According to samba.html, the distribution key is 

   http://us1.samba.org/samba/ftp/samba-pubkey.asc
   gpg: key 2F87AF6F: public key Samba Distribution Verification Key [EMAIL PROTECTED]

Then perhaps this should be refreshed from the copy that's on the public
keyservers, which is where I imported it from?

 mbp@toey ~% gpg --list-sig 2F87AF6F   
 pub  1024D/2F87AF6F 2002-10-15 Samba Distribution Verification Key [EMAIL PROTECTED]
 sig 3   2F87AF6F 2002-10-15   Samba Distribution Verification Key [EMAIL PROTECTED]
 sig D83511F6 2002-10-15   Gerald W. Carter [EMAIL PROTECTED]
 sub  1024g/4A271F85 2002-10-15 [expires: 2004-10-14]
 sig 2F87AF6F 2002-10-15   Samba Distribution Verification Key [EMAIL PROTECTED]

 Jerry's key is pretty well signed, but perhaps not strongly connected
 to the world at large.

Ah, well, he at least has good connectivity to other Samba Team members.
And to other people from valinux.com that I don't recognize. :)

 I don't know of any way to get GPG to automatically download
 signatures for the web of trust, so unless people happen to have
 Jerry's key and those of the people who certify him it is likely to be
 untrusted.

You write a shell script that walks the signature list and grabs from the
keyserver, I suppose.

 I think it would be good to get other developers to sign the
 distribution key.  Perhaps we might also get organizations like CERT
 or AusCERT to sign the key (if they will), because administrators are
 likely to already have their pubkeys.

Do you have key IDs for CERT and AusCERT?  I'm interested to see how
well-connected they are (would hate for people to substitute unfounded
faith in one key for a similar faith in another, at least).  Debian being
what it is, most of my trust paths to the world pass through people, not
through organizations... :)

-- 
Steve Langasek
postmodern programmer





Re: (fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

2002-11-22 Thread Martin Pool
On 22 Nov 2002, Steve Langasek [EMAIL PROTECTED] wrote:
 On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:
  On Fri, Nov 22, 2002 at 01:08:39PM -0800, Martin Pool wrote:
   Yeah, sure, but:
 
What does this all mean?  Why should I care?
 
Where do I get GPG?
 
Where do I get the samba codesigning key?  How do I import it?   How
do I know I got the right one?
 
What do I do if it doesn't verify?
 
  I always wondered if someone uploaded a tarball with a trojan, what's 
  preventing them from updating the .asc file as well?

The signature file can only be produced by somebody who has the
private key, which (I hope) only resides on well-secured machines
separate from the distribution machine.  For example it might be on a
PC at Jerry's house.

 It's a cryptographic signature that can only be produced using a specific
 key.  Assuming that the key belongs to the party whose name is on it, and
 assuming that the key is well-protected from theft, and assuming that the
 algorithms used by PGP haven't been broken, you can be assured that the
 signature was made by the person it claims to have come from.

So the failure modes are:

 1 - Somebody breaks into Jerry or some other signer's PC, and from
 there to samba.org.

 Equivalently, Jerry's laptop is stolen by somebody smart enough
 to understand what they found.  (Don't take keys to DEFCON!)

 2 - Somebody uploads an invalid .asc file, but nobody actually checks
 it, or at least nobody raises the alarm for some time.

 3 - Somebody changed the .tgz, .asc, and also the key stored on the
 same keyserver.   The key is signed with what look like plausible
 signatures.   Again, this will eventually be detected, but
 perhaps not until some trouble is caused. 

 4 - GPG is broken.  (By far the least likely.)

-- 
Martin
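The point Tim and Martin make above (a good signature from an uncertified key is not the same as a trusted one, and failure modes 2 and 3 are exactly a swapped tarball, .asc or key) can be turned into a check that scripts can act on. This is an added example, not code from anyone in the thread or from the Samba project; it assumes gpg's machine-readable `--status-fd` lines (GOODSIG, VALIDSIG, TRUST_*, BADSIG) and a hypothetical pinned fingerprint, and the sample status output is constructed.

```python
import subprocess

# Hypothetical pinned fingerprint (constructed, NOT the real Samba key).
# Pin the full fingerprint obtained out of band, never the 8-hex key ID.
PINNED = {"0123456789ABCDEF0123456789ABCDEF2F87AF6F"}

FATAL = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")

def verify_status(status_lines, pinned=PINNED):
    """Classify one gpg --status-fd run. Returns (accepted, reason).
    Accept only GOODSIG+VALIDSIG whose key is pinned or fully trusted; a
    TRUST_UNDEFINED key (the WARNING quoted in the thread) is rejected unless pinned."""
    goodsig, fprs, trust = False, set(), None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue                          # human-readable noise, ignore
        f = line.split()
        tag = f[1]
        if tag == "GOODSIG":
            goodsig = True
        elif tag == "VALIDSIG":
            fprs.add(f[2].upper())            # fingerprint of the signing (sub)key
            if len(f) > 11:
                fprs.add(f[11].upper())       # primary key fingerprint, when reported
        elif tag in FATAL:
            return False, tag
        elif tag.startswith("TRUST_"):
            trust = tag
    if not (goodsig and fprs):
        return False, "no valid signature"
    if fprs & pinned:
        return True, "pinned fingerprint"
    if trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return True, trust
    return False, "key not pinned or trusted"

def verify_tarball(asc_path, tarball_path, pinned=PINNED):
    """Run gpg --verify with status lines on stdout (needs gpg installed)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", asc_path, tarball_path],
                          capture_output=True, text=True)
    return verify_status(proc.stdout.splitlines(), pinned)

# Constructed sample: good signature, key present but not certified in the local web of trust.
GOOD_UNCERTIFIED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Samba Distribution Verification Key <key@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF2F87AF6F 2002-10-15 1034640000 0 4 0 17 2 00 "
    "0123456789ABCDEF0123456789ABCDEF2F87AF6F",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Constructed sample: tarball replaced, .asc left as it was (failure mode 2).
TAMPERED = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 0123456789ABCDEF Samba Distribution Verification Key"]

if __name__ == "__main__":
    print(verify_status(GOOD_UNCERTIFIED))         # (True, 'pinned fingerprint')
    print(verify_status(GOOD_UNCERTIFIED, set()))  # (False, 'key not pinned or trusted')
    print(verify_status(TAMPERED))                 # (False, 'BADSIG')
```

Pinning the fingerprint is what answers "how do I know I got the right one?" when the key has no trust path on the verifier's own keyring.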