Hi,

I am trying to verify OpenVPN downloads with signatures
but there appears to be something wrong?

arby@mint64-dik-xpc ~/Downloads $ gpg --list-keys
/home/arby/.gnupg/pubring.gpg
-----------------------------
pub   1024D/198D22A3 2009-11-21
uid                  Samuli Seppänen <samuli.seppa...@gmail.com>
sub   2048g/CF6D46CF 2009-11-21

pub   1024D/1FBF51F3 2003-11-20
uid                  James Yonan <j...@yonan.net>
sub   2048g/4B9741E3 2003-11-20

pub   2048R/E158C569 2011-08-03 [expires: 2017-08-04]
uid                  Samuli Seppänen (OpenVPN Technologies, Inc) <sam...@openvpn.net>
sub   2048R/F5699905 2011-08-03 [expires: 2017-08-04]

arby@mint64-dik-xpc ~/Downloads $ gpg --import openvpn-install-2.3.10-I002-i686.exe.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

arby@mint64-dik-xpc ~/Downloads $ gpg -v --verify openvpn-install-2.3.10-I002-i686.exe.asc openvpn-install-2.3.10-I002-i686.exe
gpg: armour header: Version: GnuPG v1
gpg: Signature made Mon 01 Feb 2016 12:45:32 GMT using DSA key ID 198D22A3
gpg: using PGP trust model
gpg: Good signature from "Samuli Seppänen <samuli.seppa...@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0330 0E11 FED1 6F59 715F  9996 C29D 97ED 198D 22A3
gpg: binary signature, digest algorithm SHA1
arby@mint64-dik-xpc ~/Downloads $

I verified that the fingerprint matches Samuli's KFP.
Is this considered to be sufficient?
Am I doing something wrong?

arby@mint64-dik-xpc ~/Downloads $ gpg --version
gpg (GnuPG) 1.4.16
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cypher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


==========

Also,
at the bottom of this page
o https://openvpn.net/index.php/open-source/documentation/sig.html

it says:
"GnuPG signature files for OpenVPN file releases are available on the
download page."

The Download page points to:
https://openvpn.net/index.php/open-source/downloads/58-open-source/downloads/49-downloads.html

On that page there is *no* information about OpenVPN-CE/OSS;
there are *only* links for Access-Server and AS_Virtual-Appliance.


==========

Related,
are there any valid reasons why OpenVPN does *not* publish SHAx hashes for the
downloads? This only has to be done once for all downloads,
especially considering that OpenSSL publishes full SHA1/SHA256 hashes for
openssl ...


TIA.
--


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
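
The fingerprint comparison described in the message above can be scripted against gpg's machine-readable `--status-fd` output. This is an added example, not part of the original post or of the OpenVPN project. The function names and the sample status lines are constructed for illustration; the pinned fingerprint is the one shown in the gpg output above.

```shell
#!/bin/sh
# Added example (not from the original post). Pins the signer's fingerprint
# instead of reading the human-oriented "Good signature" line.

# Fingerprint printed in the gpg output above, spaces removed.
PINNED_FPR="03300E11FED16F59715F9996C29D97ED198D22A3"

# check_status FPR: reads `gpg --status-fd` lines on stdin. Succeeds only if a
# VALIDSIG line names FPR (signing key or primary key) and nothing failed.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # Field 3 is the signing key fingerprint, the last field the primary key.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pinned SIGFILE DATAFILE: run gpg and apply the check (hypothetical helper name).
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output modelled on the session above (DSA = algo 17, SHA1 = hash 2).
sample_pinned_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG C29D97ED198D22A3 Constructed User <constructed@example.invalid>
[GNUPG:] VALIDSIG 03300E11FED16F59715F9996C29D97ED198D22A3 2016-02-01 1454330732 0 4 0 17 2 00 03300E11FED16F59715F9996C29D97ED198D22A3
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed: a valid signature, but from a key that is not the pinned one.
sample_other_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed User <constructed@example.invalid>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2016-02-01 1454330732 0 4 0 17 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[GNUPG:] TRUST_UNDEFINED
EOF
}

if [ "$#" -eq 2 ]; then
    verify_pinned "$1" "$2" && echo "signature valid and made by pinned key"
fi
```

The TRUST_UNDEFINED line corresponds to the "not certified with a trusted signature" warning; the check ignores it because the decision rests on the pinned fingerprint, which must come from a source other than the download itself.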
