(Top posting to avoid zig-zag)
Testing your OpenSSL download with the HTTPS security bites its
own tail, especially if your download tool uses an (older) version
of OpenSSL to check the connection.
But unless you have an established personal list of GPG/PGP keys
you have checked against their holders in person yourself, checking
the HTTPS certificate of the OpenSSL.org web server is pretty much
all you can do to distinguish between a genuine and a fake first time
OpenSSL download (signatures on later downloads can be compared to
previous downloadsfor some degree of signature consistency).
Of cause some real knowledge is needed to not use the OpenSSL source
code incorrectly, unless you are merely compiling other peoples
software exactly as instructed.
Personally, I would prefer if there also was a detached CMS signature
with an EV software signing certificate independently validated as
belonging to the real OpenSSL foundation.
On 12/09/2018 22:56, Chris Outwin wrote:
Thank you very much for your helpful reply.
I’m a graphics programmer with no experience in PGP. The shell script I have calls:
OPENSSL_ARCHIVE_URL="https://www.openssl.org/source/old/${BRANCH}/${OPENSSL_ARCHIVE_FILE_NAME}”
in the process of downloading OpenSSL for use in building an iOS static
implementation. Does https have a reasonable level of security? I believe I can
include a block of code in the script to do a checksum.
On Sep 12, 2018, at 1:42 PM, Michael Wojcik <michael.woj...@microfocus.com>
wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Matt Caswell
Sent: Wednesday, September 12, 2018 14:29
On 12/09/18 19:24, Chris Outwin wrote:
I’m an OpenSSL newbie and this is my first post. I’m using OpenSSL for
receipt validation in an iOS application.
Is there a list of checksums to verify openssl download versions?
Next to each download on the website there are links for SHA256/PGP/SHA1
checksums.
https://www.openssl.org/source/
I'd strongly recommend verifying the PGP (OpenPGP, gpg) signature on the
tarball. The signature files are right there alongside the tarballs.
If you're new to gpg (or whatever OpenPGP implementation of your choice),
there's a bit of learning and setup to do: you'll need to fetch the appropriate
key from a public keyserver or other trustworthy (-ish) source to fully verify
the signature, and you'll probably want to mark the key as trusted so the
output from gpg is clear.
But once you've done that, it's very easy to verify the signature, and to
automate the process if you prefer. And the signatures add a bit of
defense-in-depth because publishing a tampered-with tarball would require
subverting the private key as well as to the OpenSSL web server. (If you're
just checking the SHA256 hash, an attacker could either get access to the
OpenSSL web server, or force you to a counterfeit server, for example via DNS
cache poisoning. And due to the systemic brokenness of the web PKI, it's pretty
easy to fool a lot of people with a counterfeit server.)
So do the work now to set yourself up for verifying the signature, and
inculcate a good habit.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
