Re: OpenSSL version 1.0.1g release signed with unauthorized key???

Wed, 09 Apr 2014 16:28:23 -0700

Attention: The .asc file I downloaded directly from openssl.org for the 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt file distributed in previous tarballs, nor by the (unverifiable) fingerprints.txt available from 

   http://www.openssl.org/docs/misc/
Specifically, it was signed by a PGP key purporting to belong to Dr. Henson, but with a different identifier and a different e-mail address 
than the authorized key listed for him in fingerprints.txt.

I suspect this is just a mixup at your end, but one cannot feel too
sure without a valid file signature consistent with the securely distributed signature list. 

For now, I will have to avoid installing this critical security update
and try the workaround instead.

On 4/7/2014 7:38 PM, OpenSSL wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


    OpenSSL version 1.0.1g released
    ===============================

    OpenSSL - The Open Source toolkit for SSL/TLS
    http://www.openssl.org/

    The OpenSSL project team is pleased to announce the release of
    version 1.0.1g of our open source toolkit for SSL/TLS. For details
    of changes and known issues see the release notes at:

         http://www.openssl.org/news/openssl-1.0.1-notes.html

    OpenSSL 1.0.1g is available for download via HTTP and FTP from the
    following master locations (you can find the various FTP mirrors under
    http://www.openssl.org/source/mirror.html):

      * http://www.openssl.org/source/
      * ftp://ftp.openssl.org/source/

    The distribution file name is:

     o openssl-1.0.1g.tar.gz
       Size: 4509047
       MD5 checksum: de62b43dfcd858e66a74bee1c834e959
       SHA1 checksum: b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c

    The checksums were calculated using the following commands:

     openssl md5 openssl-1.0.1g.tar.gz
     openssl sha1 openssl-1.0.1g.tar.gz

    Yours,

    The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJTQtiiAAoJENNXdQf6QOniC/EQALRkau9Gx+qzyp1nx1FDTJI1
ox93n7SKC3QIjX4veVuFjpaPymNQXVRM8IbgET5tE4GPT5w+PrscpyGSJJr8yvWN
TKy48JSKl13GVMODnEC6nEffsS/sci5o2PHXhDYa7aC+xRF6UUSMa8tqXnhGJP7e
uv7a1tYjtgE8Ix9tdoK32UkPOM0Z1qr11lPFDdG0GrIs+mbjPirdKSgvQm22w4IU
jyn5AmmReA6ZnIpffOHGQY5OgpGTg4yg+aaFKenisOfIL80raNZlVuWrzDkTUS9k
+gikqtBRg1pFMd1UGpl0S7sIXZNm01yv4K4aO3a9aykXqPQLOc8WmvfDgf99+8HR
zUrowh7Xf1CvHsgIs4s0XaggZdXhkXpMpSWdWpVh7ZVm/TPInoPWwyj8Zp/TL8XF
N/GrNHRLuWvSgCuyA7qhkee33FmtCblnYTHSLyGQrVpfq/cVEzvpznsZnObjFG+/
4Gss0qUVQZ0LJUUKZHx5cGvHliXYEeZQaBz/VLJ7J8fvy6Fsp0vKFjbrobG6srB6
pa6NYQKjHhobx+eEW380j3r60iBiz1GjdMSOdLvnSOA9dOcWmXFxl5GLcASnM+F0
kGtZBjLXsaImnp749V50sme+bNgQ/ErUvikTLXefk0rtUnfjCmJec44Kn5Gh7J1k
iI/CjhJrI2B83C48m2kE
=lxo1
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-annou...@openssl.org
Automated List Manager                           majord...@openssl.org




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to