
Joel Rees 03-05-2011 01:47 PM

The "CD signing key" (6294BE9B)
 
I found three posts on this back in January,

http://lists.debian.org/debian-user/2011/01/msg01775.html

but the documentation still says nothing about why the "CD signing
key" should be different from the archive key and why the CD signing
key was never announced, etc.

I did go to the trouble of pulling the signatures and checksums off of
three different more-or-less randomly chosen mirrors, to check they
were the same, but I'd still feel a little more comfortable taking my
first spin with Debian if there were more evidence that the key that
the CDs are being signed with is officially claimed by the project.

Okay, I did a gpg --recv-keys on the key 6294BE9B from
keyring.debian.org , and tried gpg --verify on the downloaded netinst
image, and got the bad signature message. (I think I got the syntax
right.)

So, what gives, here? Anybody care to give me a clue?


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/AANLkTikDy7J1bbnYxbkRe9ovpEwixO4Tej19TfnqN2oc@mail.gmail.com

Camaleón 03-05-2011 02:28 PM

The "CD signing key" (6294BE9B)
 
On Sat, 05 Mar 2011 23:47:38 +0900, Joel Rees wrote:

> I found three posts on this back in January,
>
> http://lists.debian.org/debian-user/2011/01/msg01775.html
>
> but the documentation still says nothing about why the "CD signing key"
> should be different from the archive key and why the CD signing key was
> never announced, etc.

(...)

IIRC, it was announced on "debian-user-announce" mailing list:

Debian Archive Signing Key to be changed
http://www.debian.org/News/2011/20110209

And if I caught it correctly, it means that verifying the signature of
testing/sid packages from squeeze/lenny will just give a warning because
the package holding the new keys (debian-archive-keyring) has to be
released.

Greetings,

--
Camaleón



Andrei Popescu 03-05-2011 02:57 PM

The "CD signing key" (6294BE9B)
 
On Sb, 05 mar 11, 23:47:38, Joel Rees wrote:
>
> I did go to the trouble of pulling the signatures and checksums off of
> three different more-or-less randomly chosen mirrors, to check they
> were the same, but I'd still feel a little more comfortable taking my
> first spin with Debian if there were more evidence that the key that
> the CDs are being signed with is officially claimed by the project.

$ gpg --list-sigs 6294BE9B
pub 4096R/6294BE9B 2011-01-05
uid Debian CD signing key <debian-cd@lists.debian.org>
sig 3442684E 2011-01-05 Steve McIntyre <steve@einval.com>
sig A40F862E 2011-01-05 Neil McGovern <maulkin@halon.org.uk>
sig 95861109 2011-01-23 Ben Hutchings (DOB: 1977-01-11)
sig 63C7CC90 2011-01-05 Simon McVittie <smcv@pseudorandom.co.uk>
sig 3 6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org>
sub 4096R/11CD9819 2011-01-05
sig 6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org>

Now you need to find a trust-path to one of them. If you have a trusted
Debian system you can install the package debian-keyring, which should
contain at least one (most probably all) of the keys above.

> Okay, I did a gpg --recv-keys on the key 6294BE9B from
> keyring.debian.org , and tried gpg --verify on the downloaded netinst
> image, and got the bad signature message. (I think I got the syntax
> right.)

Do you mind posting the exact commands used and output?

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic

Joel Rees 03-07-2011 11:09 AM

The "CD signing key" (6294BE9B)
 
I swear, I'm losing it. Blame it on my age, but I really don't want to
think I'm that old, yet.

On Sun, Mar 6, 2011 at 6:43 PM, Andrei Popescu <andreimpopescu@gmail.com> wrote:
> [not snipping in case you want to put it back on the list]

Yeah, I did intend to put this on the list, so I can find it again the
next time I forget how signing releases works.

> On Du, 06 mar 11, 08:54:01, Joel Rees wrote:
>> (I really hate embarrassing myself in my first post to a list. But, ...)
>
> Don't worry, you are not embarrassing yourself. It's very good that you
> ask these questions and the procedure is not quite clear.
>
>> On Sun, Mar 6, 2011 at 12:57 AM, Andrei Popescu
>> <andreimpopescu@gmail.com> wrote:
>> > On Sb, 05 mar 11, 23:47:38, Joel Rees wrote:
>> >>
>> >> I did go to the trouble of pulling the signatures and checksums off of
>> >> three different more-or-less randomly chosen mirrors, to check they
>> >> were the same, but I'd still feel a little more comfortable taking my
>> >> first spin with Debian if there were more evidence that the key that
>> >> the CDs are being signed with is officially claimed by the project.
>> >
>> > $ gpg --list-sigs 6294BE9B
>> > pub 4096R/6294BE9B 2011-01-05
>> > uid Debian CD signing key <debian-cd@lists.debian.org>
>> > sig 3442684E 2011-01-05 Steve McIntyre <steve@einval.com>
>> > sig A40F862E 2011-01-05 Neil McGovern <maulkin@halon.org.uk>
>> > sig 95861109 2011-01-23 Ben Hutchings (DOB: 1977-01-11)
>> > sig 63C7CC90 2011-01-05 Simon McVittie <smcv@pseudorandom.co.uk>
>> > sig 3 6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org>
>> > sub 4096R/11CD9819 2011-01-05
>> > sig 6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org>
>>
>> Well, sure, if I have those in my gnupg keystore (or whatever that was called).
>>
>> I'm downloading and checking the timestamp/signature on a workstation
>> with Fedora on it. Which means that I had to dig back through the
>> gnupg docs and the debian documentation site to figure out how to do the
>>
>> gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
>>
>> and, even then, I get a message that the userid can't be found on each
>> of those userids. Oh.
>>
>> Now that I do a
>>
>> gpg --keyserver keyring.debian.org --recv-keys 3442684E A40F862E
>> C542CD59 63C7CC90 1B3045CE
>>
>> I get the names and e-mail addresses associated with the keys.
>>
>> > Now you need to find a trust-path to one of them. If you have a trusted
>> > Debian system you can install the package debian-keyring, which should
>> > contain at least one (most probably all) of the keys above.
>>
>> Is there an RPM for that? ;-/
>>
>> Actually, an RPM for it might not be a bad idea, for perpetual newbies
>> like me. :-( Except that I wouldn't really want Debian keys mixed with
>> Fedora keys in the Fedora system. (I pulled the Debian keys into a
>> non-admin user on the Fedora system that I never use, except for
>> going to places I think I can trust for downloading system software.)
>>
>> However, if the CD signing key had shown up in an announcement like
>> the archiving keys did, I'd be sure enough that the key is both from
>> the debian organization and that it is valid. (Out-of-band
>> confirmation.) I trust the sites under debian.org for this more than I
>> trust random keyservers I've never heard of.
>
> I agree that the CD signing key should be announced as well, but you
> sure are aware that this is not a real trust-path either.

Right. That's why I compare (diff or cmp) the posted checksums from
several randomly chosen mirrors. Reduces the chance of a
man-in-the-middle going unnoticed, and of getting a rogue mirror, etc.

If someone doesn't beat me to it, I plan someday to build a tool that
takes the mirror list, automatically picks several, and pulls the
checksums off each to compare them. Still not ironclad, but adds
another low-to-medium wall for all but the truly motivated attackers.

I've also got to start getting around to the local conferences so I
can start working on the human networking thing.

> You might want to post to debian-cd about this, but do search the
> archives first, in case it was already discussed.

Don't see anything there back to January. Should I cross-post this? 8-p

>> And I trust keyring.debian.org as much for this as I trust the gnu.org
>> keyserver for it.
>>
>> I did, eventually, find the tracking list for the keyring package, but
>> by then I wasn't sure what I was looking at any more, it was late, and
>> I couldn't keep my eyes open. (Dang, I hate getting old.)
>>
>> >> Okay, I did a gpg --recv-keys on the key 6294BE9B from
>> >> keyring.debian.org , and tried gpg --verify on the downloaded netinst
>> >> image, and got the bad signature message. (I think I got the syntax
>> >> right.)
>>
>> (erk. Thought I had.)
>>
>> > Do you mind posting the exact commands used and output?
>>
>> Heh.
>>
>> Here's the wrong command I used:
>>
>> gpg --verify SHA512SUMS.sign debian-6.0.0-i386-netinst.iso
>>
>> While I was taking a shower, I realized that the list of checksums was
>> what was signed, not the CD image.
>>
>> gpg --verify SHA512SUMS.sign SHA512SUMS
>>
>> produces the valid signature result. I had previously used openssl to
>> check the checksums, so I knew the checksums matched, just didn't have
>> full confidence that the signing key was correct until I figured out
>> the semantic error in my syntax. I mean, until I realized I was
>> checking the signature against the wrong file.
>
> At least this part is now clear ;)

Yeah, thanks.

> Regards,
> Andrei
> --
> If you can't explain it simply, you don't understand it well enough.
> (Albert Einstein)
>


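The mirror-comparison tool Joel sketches above, written out as an added example that is not code from the thread or from Debian: it takes the SHA512SUMS text obtained from several mirrors (constructed sample data here; the downloading and the gpg --verify SHA512SUMS.sign SHA512SUMS step stay in the shell, as in the thread), treats the list a majority of mirrors agree on as the reference, reports any mirror that disagrees, and then checks the image bytes against the agreed entry. The function names, mirror names and image contents are assumptions.

```python
"""Cross-mirror SHA512SUMS comparison plus image check (added example)."""
import hashlib
from collections import Counter

IMAGE_NAME = "debian-6.0.0-i386-netinst.iso"

def parse_sums(text):
    """Parse sha512sum-format lines ('<hex>  <file>') into {file: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        sums[name.lstrip("*")] = digest.lower()  # leading '*' = binary mode
    return sums

def compare_mirrors(mirror_sums):
    """Return (agreed_sums, dissenting_mirrors) from per-mirror SHA512SUMS text.
    The list a strict majority of mirrors carry is taken as agreed; the rest
    are reported for investigation (rogue mirror, tampering in transit)."""
    frozen = {m: tuple(sorted(parse_sums(t).items()))
              for m, t in mirror_sums.items()}
    winner, count = Counter(frozen.values()).most_common(1)[0]
    if count * 2 <= len(frozen):
        raise ValueError("no majority among mirrors; trust none of them")
    dissenting = sorted(m for m, f in frozen.items() if f != winner)
    return dict(winner), dissenting

def verify_image(data, name, sums):
    """Hash the image bytes and compare with the agreed SHA512SUMS entry."""
    if name not in sums:
        raise KeyError(f"{name} is not listed in SHA512SUMS")
    return hashlib.sha512(data).hexdigest() == sums[name]

# Constructed sample data: two honest mirrors and one with a tampered list.
IMAGE = b"constructed stand-in for the netinst image\n"
GOOD_SUMS = hashlib.sha512(IMAGE).hexdigest() + "  " + IMAGE_NAME + "\n"
MIRRORS = {
    "mirror-a": GOOD_SUMS,
    "mirror-b": GOOD_SUMS,
    "mirror-c": "0" * 128 + "  " + IMAGE_NAME + "\n",
}

def demo():
    """Agreed list -> image check; returns (image_ok, dissenting_mirrors)."""
    agreed, dissenting = compare_mirrors(MIRRORS)
    return verify_image(IMAGE, IMAGE_NAME, agreed), dissenting
```

Only the SHA512SUMS list is covered by the detached signature, so gpg is run on that file and the ISO is checked through its hash entry, which is the distinction the thread settles on.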

Andrei Popescu 03-08-2011 08:32 AM

The "CD signing key" (6294BE9B)
 
On Lu, 07 mar 11, 21:09:14, Joel Rees wrote:
>
> I've also got to start getting around to the local conferences so I
> can start working on the human networking thing.

Debconf 11 will be held in Banja Luka, Bosnia-Herzegovina, closer to me
than ever. If nothing unexpected comes up I'll try to be there at least
for a few days.

> > You might want to post to debian-cd about this, but do search the
> > archives first, in case it was already discussed.
>
> Don't see anything there back to January. Should I cross-post this? 8-p

IMVHO a short summary will do.

Regards,
Andrei

