[ https://issues.apache.org/jira/browse/APLO-372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hiram Chirino resolved APLO-372.
--------------------------------
Resolution: Won't Fix
Assignee: Hiram Chirino
The trusted GPG sigs are listed at:
http://activemq.apache.org/apollo/download.html
If you want to double-check whose keys are trusted to sign the release,
check out the KEYS file in the project's SCM repository:
https://git-wip-us.apache.org/repos/asf?p=activemq-apollo.git;a=tree
> Useless gpg signature
> ---------------------
>
> Key: APLO-372
> URL: https://issues.apache.org/jira/browse/APLO-372
> Project: ActiveMQ Apollo
> Issue Type: Bug
> Components: apollo-distro
> Affects Versions: 1.7
> Reporter: Hadmut Danisch
> Assignee: Hiram Chirino
>
> Hi,
> when downloading apollo from the download network, the connection is not
> trusted and can easily be spoofed. Therefore, apollo comes with a pgp signature.
> However, this signature is completely useless for two reasons:
> 1) The key is named
> Hiram Chirino <[email protected]>
> who is that? Is he a developer or simply a random name chosen by the
> attacker? How should one know whether he is authorized to release code?
> 2) The key is not signed by anyone else and there is no fingerprint on any
> webpage, absolutely no way to verify authenticity.
> So whoever is able to replace the software release with a modified version,
> could as well replace the signature file with one signed by the attacker
> himself, after generating a random key with a random name, either Hiram
> Chirino, Donald Duck, or Batman.
> So providing the gpg signature is absolutely pointless and does not raise
> security at all. But it raises the question whether the security of apollo
> itself could be any better then.
> regards
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
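Worked example added by the editor; it is not part of the JIRA thread and not Apollo's own release tooling. It shows the check the two messages above are arguing about: `gpg --verify` only proves that *some* key in your keyring produced the signature, so a verifier must also compare the signer's fingerprint, as reported on gpg's `--status-fd` channel, against fingerprints obtained out of band (the download page or the KEYS file in SCM). The `TRUSTED_FINGERPRINTS` value, the sample status lines and the user IDs in them are constructed placeholders, not real keys; `verify_release` is a hypothetical wrapper that runs the real `gpg` binary with the keyring you built from KEYS.

```python
"""
Release-signature check that pins the signer's fingerprint.

A GOODSIG from gpg means "a key I have produced this signature"; it does
not mean the key belongs to a release manager.  After importing the
project's KEYS file, read the VALIDSIG status line and require that the
fingerprint matches one published out of band.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import Optional, Set

# Placeholder fingerprints (constructed for this example, not real keys).
# In practice copy these from the project's download page, not from the
# same mirror that served the tarball.
TRUSTED_FINGERPRINTS = {
    "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000",
}

# Constructed gpg --status-fd output for three situations: signed by the
# pinned key, signed by a "good" but unknown key (the attacker's self-made
# key from the report), and signed by a key that is not in the keyring.
SAMPLE_STATUS_RELEASE_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Release Manager <rm@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2013-10-01 1380585600 0 4 0 1 10 00 1111222233334444555566667777888899990000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_STATUS_IMPOSTOR = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Release Manager <rm@example.org>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF01DEADBEEFDEADBEEF 2013-10-01 1380585600 0 4 0 1 10 00 ABCDEF0123456789ABCDEF01DEADBEEFDEADBEEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_STATUS_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG DEADBEEFDEADBEEF 1 10 00 1380585600 9 ABCDEF0123456789ABCDEF01DEADBEEFDEADBEEF
[GNUPG:] NO_PUBKEY DEADBEEFDEADBEEF
"""


@dataclass
class SigResult:
    ok: bool
    fingerprint: Optional[str]
    reason: str


def _normalize(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def parse_gpg_status(status_text: str, trusted: Set[str]) -> SigResult:
    """Interpret gpg's machine-readable --status-fd output.

    Accept only if the signature is GOOD *and* the VALIDSIG fingerprint
    (or the primary-key fingerprint, when a signing subkey was used) is in
    the pinned set.
    """
    good = False
    fpr: Optional[str] = None
    primary_fpr: Optional[str] = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "BADSIG":
            return SigResult(False, None, "signature does not match the file")
        if tag == "NO_PUBKEY":
            return SigResult(False, None, f"signing key {fields[2]} is not in the keyring")
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            fpr = _normalize(fields[2])
            primary_fpr = _normalize(fields[11]) if len(fields) >= 12 else fpr
    if not (good and fpr):
        return SigResult(False, None, "no valid signature found")
    pinned = {_normalize(t) for t in trusted}
    if fpr in pinned or primary_fpr in pinned:
        return SigResult(True, fpr, "signed by a pinned release key")
    return SigResult(False, fpr, "good signature, but the signer is not a pinned release key")


def verify_release(artifact: str, sig: str, keyring: str,
                   trusted: Set[str] = TRUSTED_FINGERPRINTS) -> SigResult:
    """Hypothetical wrapper: run gpg against a keyring built from KEYS.

    Build the keyring first, e.g. with
      gpg --no-default-keyring --keyring /abs/path/apollo.kbx --import KEYS
    and pass the same absolute path here.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig, artifact],
        capture_output=True, text=True,
    )
    return parse_gpg_status(proc.stdout, trusted)
```

The impostor case is exactly the attack in the report: a freshly generated key with any name gives a GOODSIG once it is in the keyring, and a verifier that only checks gpg's exit status accepts it. Pinning the fingerprint from a second source (download page, KEYS file in SCM) is what turns the signature into evidence.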