Just thinking out loud: if Marc-André's purpose is to validate content that
was downloaded via insecure http, then a gpg key downloaded via insecure
http is somewhat pointless. I mean, statistically, chances are a bit better
that only one of both connections gets manipulated (if at all), but still,
the whole process in itself is vulnerable.
Kind regards
Jonathan (Nathan) Hermann
IT Specialist HPC and HPSS
Global Technology Services / Data Center Services
IBM Deutschland
IBM-Allee 1
71139 Ehningen
Phone: +49-160-98976942
E-Mail: [email protected]
IBM Deutschland Infrastructure Technology Services GmbH
Managing Director: Hendrik Meyer
Registered office: Ehningen / Court of registration: Amtsgericht Stuttgart, HRB
727973
From: Xiao Peng Wang <[email protected]>
To: xCAT Users Mailing list <[email protected]>
Date: 01.07.2015 04:32
Subject: Re: [xcat-user] how to validate gpg key.
There's one here:
http://sourceforge.net/projects/xcat/files/ubuntu/apt.key/download
Thanks
Best Regards
----------------------------------------------------------------------
Wang Xiaopeng (王晓朋)
IBM China System Technology Laboratory
Tel: 86-10-82453455
Email: [email protected]
Address: 28, ZhongGuanCun Software Park, No.8 Dong Bei Wang West Road,
Haidian District, Beijing, P.R. China 100193
From: Marc-andré Labonté <[email protected]>
To: <[email protected]>
Date: 2015/06/30 01:38
Subject: [xcat-user] how to validate gpg key.
Hi all,
I have downloaded xcat-core and xcat-dep tar balls and I am trying to
find a way to authenticate them prior to using them.
First, the downloads are being done over http, so they can be manipulated
by whoever has access to my traffic. I was unsuccessful with trying to
use https download links. There is always the possibility I might be
getting a slightly different (compromised) tar ball.
I've found a gpg key located in repodata (repomd.xml.key) in both tar
balls.
The key I've got has the following ID and fingerprint:
gpg --fingerprint C6565BC9
pub 1024D/C6565BC9 2015-01-07
Key fingerprint = F75B 1BF6 78B6 44FD F3AA CFC8 60A3 E9AC C656 5BC9
uid xCAT Security Key <[email protected]>
It can also validate the repomd.xml signature, and rpm -K on the files does
report the same key ID as missing:
rpm -K xCAT-server-2.9.1-snap201503190325.noarch.rpm
xCAT-server-2.9.1-snap201503190325.noarch.rpm: (SHA1) DSA sha1 md5 (GPG)
NOT OK (MISSING KEYS: GPG#c6565bc9)
Good news: once I know I've got the right key, I should be able to
proceed with installing the rpms.
Is everyone here also getting key ID C6565BC9 with the tar balls?
Could the xCAT security key be published on the web site, preferably on a
page that can be accessed over https, to increase the level of confidence
that our downloads are not being tampered with?
I already published the key I've got to Fedora's public key server here
so others can compare:
https://keys.fedoraproject.org/pks/lookup?search=0xC6565BC9&op=vindex
regards
Marc-andre
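An added example, not code from the thread or from the xCAT project, of the check Marc-André is describing: pin the fingerprint he quoted, accept a downloaded repomd.xml.key only if its primary-key fingerprint matches that pin, and read the MISSING KEYS ids out of rpm -K output. The colon-format sample is constructed, and the show_key_colons wrapper assumes GnuPG 2.1.13 or later for --import-options show-only.

```python
import re
import subprocess
from typing import List

# Fingerprint Marc-André quoted for key C6565BC9. Pinning it only helps if the
# value was confirmed out of band (vendor https page, key server, other users).
PINNED_FPR = "F75B 1BF6 78B6 44FD F3AA CFC8 60A3 E9AC C656 5BC9"

# Constructed sample of `gpg --with-colons` output for that key (not real output).
SAMPLE_GPG_COLONS = (
    "pub:-:1024:17:60A3E9ACC6565BC9:1420588800:::-:::scESC::::::23::0:\n"
    "fpr:::::::::F75B1BF678B644FDF3AACFC860A3E9ACC6565BC9:\n"
    "uid:-::::1420588800::0123456789ABCDEF0123456789ABCDEF01234567::"
    "xCAT Security Key <[email protected]>::::::::::0:\n"
)

def normalize_fpr(fpr: str) -> str:
    """Strip spaces so 'F75B 1BF6 ...' and 'F75B1BF6...' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()

def fingerprints_from_colons(gpg_output: str) -> List[str]:
    """Return fingerprints from 'fpr' records (field 10 holds the hex string).
    The first 'fpr' follows the 'pub' record, so it is the primary key's."""
    fprs = []
    for line in gpg_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9].upper())
    return fprs

def key_matches_pin(gpg_output: str, pinned: str = PINNED_FPR) -> bool:
    """True only if the primary key fingerprint equals the pinned one.
    Do not import the key (gpg --import / rpm --import) when this is False."""
    fprs = fingerprints_from_colons(gpg_output)
    return bool(fprs) and fprs[0] == normalize_fpr(pinned)

def missing_key_ids(rpm_k_output: str) -> List[str]:
    """Parse `rpm -K` output and return the key ids reported as MISSING KEYS."""
    return re.findall(r"MISSING KEYS:\s*GPG#([0-9A-Fa-f]+)", rpm_k_output)

def show_key_colons(keyfile: str) -> str:
    """Hypothetical wrapper: list a key file in colon format without importing
    it (assumes GnuPG 2.1.13+ for --import-options show-only)."""
    cmd = ["gpg", "--with-colons", "--with-fingerprint", "--import-options",
           "show-only", "--import", keyfile]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

Typical use is key_matches_pin(show_key_colons("repodata/repomd.xml.key")) before any import; a False result means the key that arrived over http is not the one that was pinned.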
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user