[Hi, Dave! It looks like your original message bounced because the address wasn't subscribed. I'm quoting it in full below.]
Dave Hart <daveh...@gmail.com> wrote:
> On Fri, Nov 18, 2011 at 20:40, Nick Mathewson <ni...@freehaven.net> wrote:
>> Libevent 2.0.16-stable is now tagged and released. The package is
>> available from the *shiny new website* at http://libevent.org/ .
>>
>> There are GPG signatures there too; you should probably verify them,
>> to make sure you get the software you think you are getting.
>
> Cryptographic signatures are a great thing, but where is one supposed
> to get a trustworthy copy of the public key used to sign it? From the
> same website? From 3rd party PGP/GPG keyservers?

So, the key to use is 165733ea; it's on the keyservers for me, and hasn't
changed for a while. It's got some pretty decent signatures on it; if
you're connected to any debian folks, you should have a decent
web-of-trust path to me.

pub   3072R/165733EA 2004-07-03
      Key fingerprint = B35B F85B F194 89D0 4E28 C33C 2119 4EBB 1657 33EA
uid                  Nick Mathewson <ni...@alum.mit.edu>
uid                  Nick Mathewson <ni...@wangafu.net>
uid                  Nick Mathewson <ni...@freehaven.net>

It's also the same key that signs the tags in the libevent git
repository, so if you are sure you're getting the real libevent git
repository, you can see which key is signing the tags there.

> I haven't tried verifying the detached signature to know which key is
> used and who has cross-signed that key, but I'm wondering how difficult
> it would be to host libevent._com_ with a trojaned libevent signed with
> a GPG key available from public PGP/GPG keyservers with an email address
> listed for the key like rele...@libevent.com...

Yup; somebody could sure do that. Folks should make sure that it's not
just a "valid" signature, but that it's a valid signature _from me_,
using the right (well and thoroughly signed) key.

As an added protection, all the downloads listed from the site are now
at URLs under https://github.com/libevent/libevent/...

So if you're getting your packages from there, you can be pretty sure
that they're right, unless somebody has compromised github, or github
has turned evil, or somebody has compromised my github account (or
Niels's), or somebody has tricked a CA into signing a bad github.com
certificate, or etc etc etc.

(I note with some sadness that there are only about 2.5% of the people
who are downloading the package are also downloading the signatures. I
have no idea how many are checking which URLs they're actually getting
the packages from. Scary stuff.)

--
Nick
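An added example, not part of this thread: a Python check that treats gpg's "good signature" verdict as insufficient and accepts a detached signature only when the signing key's fingerprint matches the one posted above for 165733EA. It parses `gpg --status-fd` output; the sample status lines, the dates in them, and the lookalike fingerprint are constructed for illustration, and the `verify_download` helper assumes gpg is installed with the key already imported.

```python
import subprocess

# Fingerprint pinned from the announcement above (primary key 165733EA).
TRUSTED_FINGERPRINT = "B35B F85B F194 89D0 4E28 C33C 2119 4EBB 1657 33EA"

# Constructed samples of what `gpg --status-fd 1 --verify` emits.
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 21194EBB165733EA Nick Mathewson <ni...@freehaven.net>\n"
    "[GNUPG:] VALIDSIG B35BF85BF19489D04E28C33C21194EBB165733EA 2011-11-18 "
    "1321646400 0 4 0 1 10 00 B35BF85BF19489D04E28C33C21194EBB165733EA\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n")
# A lookalike key with a plausible uid: GOODSIG, but not the pinned key.
SAMPLE_LOOKALIKE = (
    "[GNUPG:] GOODSIG 0000000000000001 Libevent Release <release@example.com>\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2011-11-18 "
    "1321646400 0 4 0 1 10 00 0000000000000000000000000000000000000001\n")
SAMPLE_BAD = "[GNUPG:] BADSIG 21194EBB165733EA Nick Mathewson <ni...@freehaven.net>\n"


def parse_gpg_status(status_text):
    """Map each [GNUPG:] keyword to the list of argument vectors seen for it."""
    status = {}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        status.setdefault(parts[1], []).append(parts[2:])
    return status


def signature_is_from_pinned_key(status_text, pinned_fpr=TRUSTED_FINGERPRINT):
    """True only for a valid signature whose key fingerprint is the pinned one.
    VALIDSIG carries the signing (sub)key fingerprint first and, when present,
    the primary key fingerprint as the tenth argument; either may match."""
    status = parse_gpg_status(status_text)
    if "BADSIG" in status or "ERRSIG" in status or "VALIDSIG" not in status:
        return False
    pinned = pinned_fpr.replace(" ", "").upper()
    for args in status["VALIDSIG"]:
        signing_fpr = args[0].upper()
        primary_fpr = args[9].upper() if len(args) > 9 else signing_fpr
        if pinned in (signing_fpr, primary_fpr):
            return True
    return False


def verify_download(signature_path, tarball_path, pinned_fpr=TRUSTED_FINGERPRINT):
    """Run gpg on a real detached signature and apply the fingerprint check."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature_path, tarball_path],
        capture_output=True, text=True)
    return signature_is_from_pinned_key(proc.stdout, pinned_fpr)
```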