I swear, I'm losing it. Blame it on my age, but I really don't want to think I'm that old, yet.

On Sun, Mar 6, 2011 at 6:43 PM, Andrei Popescu <[email protected]> wrote:
> [not snipping in case you want to put it back on the list]

Yeah, I did intend to put this on the list, so I can find it again the next time I forget how signing releases works.

> On Du, 06 mar 11, 08:54:01, Joel Rees wrote:
>> (I really hate embarrassing myself in my first post to a list. But, ...)
>
> Don't worry, you are not embarrassing yourself. It's very good that you
> ask these questions and the procedure is not quite clear.
>
>> On Sun, Mar 6, 2011 at 12:57 AM, Andrei Popescu
>> <[email protected]> wrote:
>> > On Sb, 05 mar 11, 23:47:38, Joel Rees wrote:
>> >>
>> >> I did go to the trouble of pulling the signatures and checksums off of
>> >> three different more-or-less randomly chosen mirrors, to check they
>> >> were the same, but I'd still feel a little more comfortable taking my
>> >> first spin with Debian if there were more evidence that the key that
>> >> the CDs are being signed with is officially claimed by the project.
>> >
>> > $ gpg --list-sigs 6294BE9B
>> > pub   4096R/6294BE9B 2011-01-05
>> > uid                  Debian CD signing key <[email protected]>
>> > sig          3442684E 2011-01-05  Steve McIntyre <[email protected]>
>> > sig          A40F862E 2011-01-05  Neil McGovern <[email protected]>
>> > sig          95861109 2011-01-23  Ben Hutchings (DOB: 1977-01-11)
>> > sig          63C7CC90 2011-01-05  Simon McVittie <[email protected]>
>> > sig 3        6294BE9B 2011-01-05  Debian CD signing key <[email protected]>
>> > sub   4096R/11CD9819 2011-01-05
>> > sig          6294BE9B 2011-01-05  Debian CD signing key <[email protected]>
>>
>> Well, sure, if I have those in my gnupg keystore (or whatever that was
>> called).
>>
>> I'm downloading and checking the timestamp/signature on a workstation
>> with Fedora on it. Which means that I had to dig back through the
>> gnupg docs and the debian documentation site to figure out how to do the
>>
>> gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
>>
>> and, even then, I get a message that the userid can't be found on each
>> of those userids. Oh.
>>
>> Now that I do a
>>
>> gpg --keyserver keyring.debian.org --recv-keys 3442684E A40F862E C542CD59 63C7CC90 1B3045CE
>>
>> I get the names and e-mail addresses associated with the keys.
>>
>> > Now you need to find a trust-path to one of them. If you have a trusted
>> > Debian system you can install the package debian-keyring, which should
>> > contain at least one (most probably all) of the keys above.
>>
>> Is there an RPM for that? ;-/
>>
>> Actually, an RPM for it might not be a bad idea, for perpetual newbies
>> like me. :-( Except that I wouldn't really want Debian keys mixed with
>> Fedora keys in the Fedora system. (I pulled the Debian keys into a
>> non-admin user on the Fedora system that I never use, except for
>> going to places I think I can trust for downloading system software.)
>>
>> However, if the CD signing key had shown up in an announcement like
>> the archiving keys did, I'd be sure enough that the key is both from
>> the debian organization and that it is valid. (Out-of-band
>> confirmation.) I trust the sites under debian.org for this more than I
>> trust random keyservers I've never heard of.
>
> I agree that the CD signing key should be announced as well, but you
> sure are aware that this is not a real trust-path either.

Right. That's why I compare (diff or cmp) the posted checksums from several randomly chosen mirrors. Reduces the chance of a man-in-the-middle going unnoticed, and of getting a rogue mirror, etc.

If someone doesn't beat me to it, I plan someday to build a tool that takes the mirror list, automatically picks several, and pulls the checksums off each to compare them. Still not ironclad, but adds another low-to-medium wall for all but the truly motivated attackers.

I've also got to start getting around to the local conferences so I can start working on the human networking thing.

> You might want to post to debian-cd about this, but do search the
> archives first, in case it was already discussed.

Don't see anything there back to January. Should I cross-post this? 8-p

>> And I trust keyring.debian.org as much for this as I trust the gnu.org
>> keyserver for it.
>>
>> I did, eventually, find the tracking list for the keyring package, but
>> by then I wasn't sure what I was looking at any more, it was late, and
>> I couldn't keep my eyes open. (Dang, I hate getting old.)
>>
>> >> Okay, I did a gpg --recv-keys on the key 6294BE9B from
>> >> keyring.debian.org, and tried gpg --verify on the downloaded netinst
>> >> image, and got the bad signature message. (I think I got the syntax
>> >> right.)
>>
>> (erk. Thought I had.)
>>
>> > Do you mind posting the exact commands used and output?
>>
>> Heh.
>>
>> Here's the wrong command I used:
>>
>> gpg --verify SHA512SUMS.sign debian-6.0.0-i386-netinst.iso
>>
>> While I was taking a shower, I realized that the list of checksums was
>> what was signed, not the CD image.
>>
>> gpg --verify SHA512SUMS.sign SHA512SUMS
>>
>> produces the valid signature result. I had previously used openssl to
>> check the checksums, so I knew the checksums matched, just didn't have
>> full confidence that the signing key was correct until I figured out
>> the semantic error in my syntax. I mean, until I realized I was
>> checking the signature against the wrong file.
>
> At least this part is now clear ;)

Yeah, thanks.

> Regards,
> Andrei
> --
> If you can't explain it simply, you don't understand it well enough.
> (Albert Einstein)
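The three checks the thread arrives at (verify the signature on the checksum list rather than the image, compare the list across several mirrors, then check the image against the list), scripted as an added example. This is not code from the thread or from Debian's own tooling; the mirror directory names and the demo data are constructed assumptions, and the gpg step is shown but not exercised by the demo.

```shell
# Added example (not from the thread or from Debian). Assumes each mirror's
# SHA512SUMS and SHA512SUMS.sign were already fetched into a directory of
# their own (mirror1, mirror2, ... are hypothetical names).

# 1. The detached .sign covers SHA512SUMS, not the .iso (the thread's mistake).
verify_sums_signature() {
    gpg --verify "$1/SHA512SUMS.sign" "$1/SHA512SUMS"
}

# 2. Cross-mirror check: every list must be byte-identical to the reference
#    one; any differing mirror is reported and the check fails.
compare_mirror_sums() {
    ref="$1"; shift
    rc=0
    for m in "$@"; do
        if ! cmp -s "$ref/SHA512SUMS" "$m/SHA512SUMS"; then
            echo "MISMATCH: $m/SHA512SUMS differs from $ref/SHA512SUMS" >&2
            rc=1
        fi
    done
    return $rc
}

# 3. Image check: look the file name up in the signed list and compare its
#    recorded SHA-512 with a fresh one. An unlisted image is a failure, not a pass.
check_iso_sum() {
    list="$1"; iso="$2"; name=$(basename "$iso")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$list")
    [ -n "$expected" ] || { echo "$name not in $list" >&2; return 1; }
    actual=$(sha512sum "$iso" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# Constructed demo data: a tiny stand-in "image", two honest mirrors and one
# mirror whose list carries a wrong hash. Prints the directory it built.
setup_demo() {
    d=$(mktemp -d); name=debian-6.0.0-i386-netinst.iso
    printf 'constructed stand-in for the netinst image\n' > "$d/$name"
    mkdir "$d/mirror1" "$d/mirror2" "$d/mirror3"
    (cd "$d" && sha512sum "$name") > "$d/mirror1/SHA512SUMS"   # "<hash>  <name>"
    cp "$d/mirror1/SHA512SUMS" "$d/mirror2/SHA512SUMS"
    printf '%s  %s\n' "$(printf tampered | sha512sum | cut -d' ' -f1)" "$name" \
        > "$d/mirror3/SHA512SUMS"
    echo "$d"
}

d=$(setup_demo)
compare_mirror_sums "$d/mirror1" "$d/mirror2" && echo "mirrors 1 and 2 agree"
check_iso_sum "$d/mirror1/SHA512SUMS" "$d/debian-6.0.0-i386-netinst.iso" && echo "image OK"
```

On real data run verify_sums_signature on one mirror directory first; a list that fails the signature check is not worth comparing or hashing against.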

