On 23/10/17 19:14, Oskar Lundström wrote:
> Is there a way to download the source code of dnsmasq over HTTPS? 
> Alternatively, a hash fingerprint of the source code, which is supplied over 
> a secure connection (like HTTPS).

All the tarballs are signed with my public key, fingerprint E19135A2,
which can be obtained in a trusted manner from, amongst other places,
the Debian keyserver.

gpg --keyserver keyring.debian.org --recv-keys E19135A2

Download the tarball from the server and the signature file,


dnsmasq-2.78.tar.gz.asc and dnsmasq-2.78.tar.gz

and verify that the signature matches:

srk@holly:~$ gpg --verify dnsmasq-2.78.tar.gz.asc dnsmasq-2.78.tar.gz
gpg: Signature made Mon 02 Oct 2017 14:39:56 BST using RSA key ID E19135A2
gpg: Good signature from "Simon Kelley <si...@thekelleys.org.uk>"
gpg:                 aka "Simon Kelley <s...@debian.org>"

Which tells you that the tarball/signature pair could only have been
created by someone in possession of the private key matching the public
key you downloaded in the first step. Neither can be altered without
breaking the verification. Therefore, as long as you trust the Debian
keyserver to give you the correct public key, the source code cannot
have been altered.

Test and release-candidates are signed with a different key. (they are
signed automatically, so the private key has to exist on the server
without a protecting passphrase, which exposes it to sever security: I
don't want to do that to my main key.) That key is downloadable from the
website, and it has fingerprint 7F7EF234

I'll sign this message with my main public key, so you can trust the
fingerprint above, and be sure you got an untampered copy of that key.

That provides rather more certainty than a dodgy certificate on an https



Attachment: signature.asc
Description: OpenPGP digital signature

Dnsmasq-discuss mailing list

Reply via email to