Re: More prominent link to verification hashes

On Mon, Mar 7, 2016 at 8:27 AM, Stephen John Smoogen wrote: > On 7 March 2016 at 01:32, Ralf Senderek wrote: >>> What would be proper other places to confirm the fingerprint? >> >> The following criteria might be reasonable: >> - a place that has

Re: More prominent link to verification hashes

On Mon, 7 Mar 2016, Stephen John Smoogen wrote: Hope that helps to find such places. Not really. Everything above is subjective. In the past, when I have looked for sites that meet such criteria no one agrees that the place meets such criteria. We put it in redhat.com and people who hate

Re: More prominent link to verification hashes

On 7 March 2016 at 01:32, Ralf Senderek wrote: >> What would be proper other places to confirm the fingerprint? > > The following criteria might be reasonable: > - a place that has authority, that people might trust. > - a place that is hard to impersonate, that has

Re: More prominent link to verification hashes

On Thursday, February 25, 2016 09:29:26 PM Ralf Senderek wrote: > On Thu, 25 Feb 2016, Dennis Gilmore wrote: > > Which fingerprint? There is a number of keys > > > > Dennis > > The one you were referring to in your posting and which > an ordinary user would verify with: > > gpg --list-keys

Re: More prominent link to verification hashes

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Somewhere like archive.org too maybe -- again totally separate inrastructure + it could be used as a un-official 'official' hash vault for checking. On 03/07/2016 08:27 AM, Matthew Miller wrote: > On Mon, Mar 07, 2016 at 08:32:05AM -,

Re: More prominent link to verification hashes

On Mon, Mar 07, 2016 at 08:32:05AM -, Ralf Senderek wrote: > > What would be proper other places to confirm the fingerprint? > The following criteria might be reasonable: > - a place that has authority, that people might trust. > - a place that is hard to impersonate, that has some

Re: More prominent link to verification hashes

> What would be proper other places to confirm the fingerprint? The following criteria might be reasonable: - a place that has authority, that people might trust. - a place that is hard to impersonate, that has some protection against unauthorized use - a place that is

Re: More prominent link to verification hashes

On Thu, Feb 25, 2016 at 09:29:26PM +0100, Ralf Senderek wrote: > PS: if you had a long-term signing key it would be its fingerprint. How would an ordinary user use a long-term singing key? Kind regards Till -- devel mailing list devel@lists.fedoraproject.org

Re: More prominent link to verification hashes

On Thu, Feb 25, 2016 at 08:05:59PM +0100, Ralf Senderek wrote: > Thank you for providing this valuable information about the handling > of the private key that enables Fedora ISO signing. This information > should be shared and highlighted as it is helping to create trust in > the use of this key.

Re: More prominent link to verification hashes

On Thu, 25 Feb 2016, Dennis Gilmore wrote: Which fingerprint? There is a number of keys Dennis The one you were referring to in your posting and which an ordinary user would verify with: gpg --list-keys --fingerprint 81B46521 Ralf PS: if you had a long-term signing key it would be its

Re: More prominent link to verification hashes

On Thursday, February 25, 2016 08:05:59 PM Ralf Senderek wrote: > On Thu, 25 Feb 2016, Dennis Gilmore wrote: > > No one has access to the private key. It lives on a server that has no > > services running that listen for connections. There is a service that > > runs > > on > > it that talks

Re: More prominent link to verification hashes

On Thu, 25 Feb 2016, Dennis Gilmore wrote: No one has access to the private key. It lives on a server that has no services running that listen for connections. There is a service that runs on it that talks to the signing bridge. That brokers all requests. Users with access do not know the

Re: More prominent link to verification hashes

On Tuesday, February 23, 2016 10:18:49 PM Ralf Senderek wrote: > On Tue, 23 Feb 2016, Till Maas wrote: > > I used my access to the signing server to verify the key before signing > > it. But why is confirming the fingerprint here a step forward? Why would > > someone search in this mailing list

Re: More prominent link to verification hashes

On Tue, 23 Feb 2016, Till Maas wrote: I used my access to the signing server to verify the key before signing it. But why is confirming the fingerprint here a step forward? Why would someone search in this mailing list for the fingerprint of the gpg key? FWIW, the signing server just gave me a

Re: More prominent link to verification hashes

On Tue, Feb 23, 2016 at 08:13:59PM +0100, Ralf Senderek wrote: > > On Tue, 23 Feb 2016, Till Maas wrote: > > > You can already get the keys at various places: > > > > - Fedora website > > - physical DVDs > > - fedora-repos git repository > > - fedora-repos RPM on kojipkgs > > - fedora-repos RPM

Re: More prominent link to verification hashes

On 23 February 2016 at 12:13, Ralf Senderek wrote: > > On Tue, 23 Feb 2016, Till Maas wrote: > >> You can already get the keys at various places: >> >> - Fedora website >> - physical DVDs >> - fedora-repos git repository >> - fedora-repos RPM on kojipkgs >> -

Re: More prominent link to verification hashes

On Tue, 23 Feb 2016, Till Maas wrote: You can already get the keys at various places: - Fedora website - physical DVDs - fedora-repos git repository - fedora-repos RPM on kojipkgs - fedora-repos RPM Fedora mirrors - Fedora ISO images on Fedora mirrors - Eventually DNSSEC protected

Re: More prominent link to verification hashes

On Mon, Feb 22, 2016 at 07:22:24PM -, Ralf Senderek wrote: > Yes, for people who look only in one place, the manipulated web server. > But that is the reason why the fingerprint has to pop up in different places > where it is hard to fake. Even if this one user can be tricked, others can >

Re: More prominent link to verification hashes

On Tue, 23 Feb 2016 18:01:29 +0100 Till Maas wrote: > On Tue, Feb 23, 2016 at 06:23:13AM -0700, Kevin Fenzi wrote: > > On Mon, 22 Feb 2016 19:45:03 + > > Gregory Maxwell wrote: > > > > I don't think there is any utility in pointing people to a >

Re: More prominent link to verification hashes

On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote: > They key itself should come with signatures. That it doesn't is weird > and inconvenient. If it came with a single signature by a long lived > key used for the purpose of authenticating keys, it would go a log > way. The gpg tool

Re: More prominent link to verification hashes

On Tue, Feb 23, 2016 at 06:23:13AM -0700, Kevin Fenzi wrote: > On Mon, 22 Feb 2016 19:45:03 + > Gregory Maxwell wrote: > > I don't think there is any utility in pointing people to a keyserver > > here. > > I think it would allow them to check signatures against their web

Re: More prominent link to verification hashes

On Mon, 22 Feb 2016 19:45:03 + Gregory Maxwell wrote: > New users are stateless and little can be done there; at least not > right now when pre-textual security procedures' like Fedora's are > ubiquitous and thus can't be taken as a clear sign of compromise. Right. >

Re: More prominent link to verification hashes

On Tue, 23 Feb 2016 04:12:41 + Zbigniew Jędrzejewski-Szmek wrote: > On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote: > > On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi > > wrote: > > > My point was that you can get the signatures off the

Re: More prominent link to verification hashes

On 02/22/2016 05:34 PM, Stephen John Smoogen wrote: On 22 February 2016 at 13:00, Ralf Senderek wrote: The Fedora team could get a profile and verify the key(s) through github, the Fedora and Red Hat web sites, the Fedora magazine twitter account, and by having the Fedora

Re: More prominent link to verification hashes

Am Mon, 22 Feb 2016 09:29:37 -0700 schrieb Kevin Fenzi : > On Sun, 21 Feb 2016 23:21:58 +0100 > Jens Lody wrote: > > > This can also be done before clicking the link-button, or the > > download splash is also shown without javascript. This should not > > be

Re: More prominent link to verification hashes

On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote: > On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi wrote: > > My point was that you can get the signatures off the key from the > > keyserver and see if any of them are someone you trust. If not, are > > they connected

Re: More prominent link to verification hashes

For what it is worth, not signing the key is bug 1043276: https://bugzilla.redhat.com/show_bug.cgi?id=1043276 > Date: Mon, 22 Feb 2016 19:47:51 + > From: Gregory Maxwell <gmaxw...@gmail.com> > Subject: Re: More prominent link to verification hashes > To: Development d

Re: More prominent link to verification hashes

On 22 February 2016 at 13:00, Ralf Senderek wrote: > >> The Fedora team could get a profile and verify the key(s) through >> github, the Fedora and Red Hat web sites, the Fedora magazine twitter >> account, and by having the Fedora team all sign publicly. > > Every little

Re: More prominent link to verification hashes

> The Fedora team could get a profile and verify the key(s) through > github, the Fedora and Red Hat web sites, the Fedora magazine twitter > account, and by having the Fedora team all sign publicly. Every little helps. The important step would be if the Fedora devs state the fingerprints in a

Re: More prominent link to verification hashes

On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi wrote: > My point was that you can get the signatures off the key from the > keyserver and see if any of them are someone you trust. If not, are > they connected to someone you trust (hey, look, web of trust). I think > expanding the

Re: More prominent link to verification hashes

On Mon, Feb 22, 2016 at 6:35 PM, Kevin Fenzi wrote: > Well, I agree the instructions could do better, but how would that help > if the site was compromised? The attackers would write their own > instructions. > > In addition to the verify link, the

Re: More prominent link to verification hashes

On Mon, 22 Feb 2016 19:22:24 - "Ralf Senderek" wrote: > > If the site is compromised, most bets are off sadly. > > Yes, for people who look only in one place, the manipulated web > server. But that is the reason why the fingerprint has to pop up in > different places

Re: More prominent link to verification hashes

On 02/22/2016 02:22 PM, Ralf Senderek wrote: If the site is compromised, most bets are off sadly. Yes, for people who look only in one place, the manipulated web server. But that is the reason why the fingerprint has to pop up in different places where it is hard to fake. Even if this one

Re: More prominent link to verification hashes

> If the site is compromised, most bets are off sadly. Yes, for people who look only in one place, the manipulated web server. But that is the reason why the fingerprint has to pop up in different places where it is hard to fake. Even if this one user can be tricked, others can discover that

Re: More prominent link to verification hashes

On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote: > On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik > wrote: > > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO > > download images. > > > > Since Fedora looks to be moving to Live

Re: More prominent link to verification hashes

On Mon, 22 Feb 2016 18:21:04 - "Ralf Senderek" wrote: > While signing new keys with old release keys would certainly help to > make the attacker's job harder, it doesn't solve the trust problem. I don't think it even makes their job harder. > The one thing people

Re: More prominent link to verification hashes

On Mon, 22 Feb 2016 16:48:29 + Gregory Maxwell wrote: > On Sun, Feb 21, 2016 at 2:32 PM, Sam Varshavchik > wrote: > > One has to jump into the installation guide, in order to find a > > buried link to https://getfedora.org/verify > > The

Re: More prominent link to verification hashes

> On Sun, Feb 21, Gregory Maxwell wrote: > The Fedora 24 key inside it is not signed by any other key. ... > Authenticating keys is hard in general; but existing fedora users > should at least be able to trust-on-first-use chain from earlier keys > to later ones-- assuming the fedora keys are

Re: More prominent link to verification hashes

On Sun, Feb 21, 2016 at 2:32 PM, Sam Varshavchik wrote: > One has to jump into the installation guide, in order to find a buried link > to https://getfedora.org/verify The instructions here have you download a set of PGP keys from the same https webserver which could have

Re: More prominent link to verification hashes

On Sun, 21 Feb 2016 23:21:58 +0100 Jens Lody wrote: > This can also be done before clicking the link-button, or the download > splash is also shown without javascript. This should not be too hard > to implement. https://fedorahosted.org/fedora-websites awaits your ticket.

Re: More prominent link to verification hashes

Adam Williamson writes: On Sun, 2016-02-21 at 23:08 +0100, Jens Lody wrote: > Am Sun, 21 Feb 2016 21:35:32 + > schrieb Tom Hughes : > > > > > On 21/02/16 21:31, Jens Lody wrote: > > > > > > > > I don't see any hint about verification, if I go to the > > > download-site from

Re: More prominent link to verification hashes

On Sun, 2016-02-21 at 23:08 +0100, Jens Lody wrote: > Am Sun, 21 Feb 2016 21:35:32 + > schrieb Tom Hughes : > > > > > On 21/02/16 21:31, Jens Lody wrote: > > > > > > > > I don't see any hint about verification, if I go to the > > > download-site from germany: > > > > > >

Re: More prominent link to verification hashes

Am Sun, 21 Feb 2016 23:08:23 +0100 schrieb Jens Lody : > Am Sun, 21 Feb 2016 21:35:32 + > schrieb Tom Hughes : > > > On 21/02/16 21:31, Jens Lody wrote: > > > > > I don't see any hint about verification, if I go to the > > > download-site from germany:

Re: More prominent link to verification hashes

Am Sun, 21 Feb 2016 21:35:32 + schrieb Tom Hughes : > On 21/02/16 21:31, Jens Lody wrote: > > > I don't see any hint about verification, if I go to the > > download-site from germany: > > > > https://getfedora.org/de_CH/workstation/download/ > > > > There's just a button,

Re: More prominent link to verification hashes

Am Sun, 21 Feb 2016 10:36:37 -0700 schrieb Kevin Fenzi : > On Sun, 21 Feb 2016 09:32:46 -0500 > Sam Varshavchik wrote: > > > So, I see that someone hacked Linux Mint, and slipped in some > > trojaned ISO download images. > > > > As a curiousity, I went

Re: More prominent link to verification hashes

On 21/02/16 21:31, Jens Lody wrote: I don't see any hint about verification, if I go to the download-site from germany: https://getfedora.org/de_CH/workstation/download/ There's just a button, that directly downloads the iso. You must have javascript disabled for getfedora.org then - if it

Re: More prominent link to verification hashes

On Sun, Feb 21, 2016 at 01:43:54PM -0500, Matthew Miller wrote: > On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote: > > On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik > > wrote: > > > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO

Re: More prominent link to verification hashes

On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote: > On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik > wrote: > > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO > > download images. > Since Fedora looks to be moving to Live USB

Re: More prominent link to verification hashes

On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik wrote: > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO > download images. > Since Fedora looks to be moving to Live USB Creator (maybe Fedora Media Writer, TBD) as the primary download for Fedora

Re: More prominent link to verification hashes

On Sun, 21 Feb 2016 09:32:46 -0500 Sam Varshavchik wrote: > So, I see that someone hacked Linux Mint, and slipped in some > trojaned ISO download images. > > As a curiousity, I went to https://getfedora.org, to see how easy it > is to find instructions for verifying the

More prominent link to verification hashes

So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO download images. As a curiousity, I went to https://getfedora.org, to see how easy it is to find instructions for verifying the downloaded images. I couldn't find it. There were many helpful download links, all over