On 2020-04-23 4:30 p.m., Simon Deziel wrote:
> On 2020-04-23 3:55 p.m., David Sommerseth wrote:
>> On 23/04/2020 19:55, Simon Deziel wrote:
>>> On 2020-04-21 1:41 p.m., David Sommerseth wrote:
>>>> On 21/04/2020 18:32, Simon Deziel wrote:
>>>>> Hello,
>>>>>
>>>>> I cannot validate the Windows exe files [1] and [2] using the key
>>>>> advertised in [3].
>>>>>
>>>>> $ gpg --verify openvpn-install-2.4.9-I601-Win7.exe.asc
>>>>> gpg: assuming signed data in 'openvpn-install-2.4.9-I601-Win7.exe'
>>>>> gpg: Signature made Fri 17 Apr 2020 07:25:11 AM EDT
>>>>> gpg:                using RSA key 333D46306CF9D9F1F630DB8D96AEC408005D6BB4
>>>>> gpg: Can't check signature: No public key
>>>>>
>>>>> $ gpg --verify openvpn-install-2.4.9-I601-Win10.exe.asc
>>>>> gpg: assuming signed data in 'openvpn-install-2.4.9-I601-Win10.exe'
>>>>> gpg: Signature made Fri 17 Apr 2020 07:25:00 AM EDT
>>>>> gpg:                using RSA key 333D46306CF9D9F1F630DB8D96AEC408005D6BB4
>>>>> gpg: Can't check signature: No public key
>>>>>
>>>>>
>>>>> $ gpg --list-keys F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>>>>> pub   rsa4096/0x12F5F7B42F2B01E7 2017-02-09 [SC] [expires: 2027-02-07]
>>>>>       Key fingerprint = F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7
>>>>> uid                   [ unknown] OpenVPN - Security Mailing List <secur...@openvpn.net>
>>>>>
>>>>>
>>>>> Did I download the right files?
>>>>>
>>>>> $ sha256sum openvpn-install-2.4.9-I601-Win*
>>>>> 4f95a674c3ffafd85062df995a182cfb57ca56d96084472a48a65c546c815f0c  openvpn-install-2.4.9-I601-Win10.exe
>>>>> 340a6b917c5358a18e4ed283669e8d59073720184dba2d1f2965512c9cac18ad  openvpn-install-2.4.9-I601-Win10.exe.asc
>>>>> 495754e6f3e40a056b947d496729f3ba78aaf0458d80ff08991c27bddf386139  openvpn-install-2.4.9-I601-Win7.exe
>>>>> b15e4b34756446589cc609d5d08fe5daba98c34463135b7abfab1538722c4c4e  openvpn-install-2.4.9-I601-Win7.exe.asc
>>>>
>>>>
>>>> Try refreshing the PGP keys. We pushed out new keys in early March, but it
>>>> seems the web page was not updated.
>>>>
>>>> $ gpg --refresh-keys F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>>>>
>>>> This should do the proper key update and the verification should work just
>>>> fine. We always publish the security public key to key servers whenever
>>>> they are updated.
>>>
>>> I tried all the above and even did so in a fresh container. The subkey
>>> 333D46306CF9D9F1F630DB8D96AEC408005D6BB4 is simply not there:
>>>
>>
>> This is really weird. From my own test:
>>
>> [user@host ~]$ gpg --list-keys | wc -l
>> 0
>> [user@host ~]$ gpg --recv-key F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>> gpg: requesting key 2F2B01E7 from hkp server keys.gnupg.net
>
> Indeed, pulling from that key server picked the 'new' subkey.
>
>> gpg: key 2F2B01E7: public key "OpenVPN - Security Mailing List <secur...@openvpn.net>" imported
>> gpg: no ultimately trusted keys found
>> gpg: Total number processed: 1
>> gpg:               imported: 1  (RSA: 1)
>> [user@host ~]$ gpg --edit F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>> gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.
>>
>>
>> pub  4096R/2F2B01E7  created: 2017-02-09  expires: 2027-02-07  usage: SC
>>                      trust: unknown       validity: unknown
>> The following key was revoked on 2019-02-04 by RSA key 2F2B01E7 OpenVPN - Security Mailing List <secur...@openvpn.net>
>> sub  4096R/F6D9F8D7  created: 2017-02-09  revoked: 2019-02-04  usage: E
>> The following key was revoked on 2019-02-04 by RSA key 2F2B01E7 OpenVPN - Security Mailing List <secur...@openvpn.net>
>> sub  4096R/8CC2B034  created: 2017-02-09  revoked: 2019-02-04  usage: S
>> sub  4096R/AF131CAE  created: 2018-03-07  expired: 2019-03-07  usage: S
>> sub  4096R/907F94CF  created: 2018-03-07  expired: 2019-03-07  usage: E
>> sub  4096R/5ACFEAC6  created: 2019-02-04  expired: 2020-03-09  usage: S
>> sub  4096R/3FEA78DB  created: 2019-02-04  expired: 2020-03-09  usage: E
>> sub  4096R/005D6BB4  created: 2020-02-21  expires: 2021-03-05  usage: S    <<<<< The key which is used
>> sub  4096R/5EABA192  created: 2020-02-21  expires: 2021-03-05  usage: E
>> [ unknown] (1). OpenVPN - Security Mailing List <secur...@openvpn.net>
>>
>>
>> Which key server do you try to fetch from? Might be we need to do
>> some additional pushes to some servers.
>
> Stock default Ubuntu pulls from hkps://keys.openpgp.org which doesn't
> have the new subkey.

Same for Debian it seems, and this goes back to July 2019 according to
gpg's changelog:

gnupg2 (2.2.17-1) unstable; urgency=medium

  Upstream GnuPG now defaults to not accepting third-party certifications
  from the keyserver network. Given that the SKS keyserver network is under
  attack via certificate flooding, and third-party certifications will not
  be accepted anyway, we now ship with the more tightly-constrained and
  abuse-resistant system hkps://keys.openpgp.org as the default keyserver.

  Users with bandwidth to spare who want to try their luck with the SKS
  pool should add the following line to ~/.gnupg/dirmngr.conf to revert
  to upstream's default keyserver:

      keyserver hkps://hkps.pool.sks-keyservers.net

  See the 2.2.17 section in the upstream NEWS file at
  /usr/share/doc/gnupg/NEWS.gz for more information about fully reverting
  to the old, risky behavior.

 -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Thu, 11 Jul 2019 22:12:07 -0400
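The failure mode in this thread (the signature's subkey is not in the local keyring because the default keyserver never delivered it) looks, from gpg's output alone, the same as a revoked or expired subkey. The script below is an added example, not code from the thread or from the OpenVPN project: it parses `gpg --verify` stderr and a `gpg --list-keys --with-colons --with-subkey-fingerprints` listing and tells those cases apart. The listings, the epoch timestamps and the `DEADBEEF…` fingerprint are constructed placeholders; only the primary-key and 005D6BB4 fingerprints come from the thread.

```python
import re

# Constructed sample of `gpg --verify` stderr, modelled on the thread above.
VERIFY_STDERR = """gpg: Signature made Fri 17 Apr 2020 07:25:11 AM EDT
gpg: using RSA key 333D46306CF9D9F1F630DB8D96AEC408005D6BB4
gpg: Can't check signature: No public key
"""

# Constructed `--with-colons --with-subkey-fingerprints` listings. Colon fields:
# 1 type, 2 validity (r=revoked, e=expired), 7 expiry (epoch seconds), 12 capabilities
# (s=sign). DEADBEEF... and the epoch values are placeholders, not real key data.
STALE_LISTING = """pub:-:4096:1:12F5F7B42F2B01E7:1486598400:1801785600::-:::scESC:
fpr:::::::::F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7:
sub:r:4096:1:DEADBEEF8CC2B034:1486598400:1549238400:::::s:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEF8CC2B034:
"""
# The same key after a fetch from a keyserver that carries the 2020 signing subkey.
FRESH_LISTING = STALE_LISTING + """sub:-:4096:1:96AEC408005D6BB4:1582243200:1614902400:::::s:
fpr:::::::::333D46306CF9D9F1F630DB8D96AEC408005D6BB4:
"""

def signing_key_from_verify(stderr):
    """Fingerprint of the key gpg says made the signature, or None."""
    m = re.search(r"using RSA key ([0-9A-F]{40})", stderr)
    return m.group(1) if m else None

def parse_keys(listing):
    """Map every pub/sub fingerprint to (validity, expiry_epoch, capabilities)."""
    keys, pending = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            pending = (f[1], int(f[6]) if f[6] else None, f[11])
        elif f[0] == "fpr" and pending is not None:
            keys[f[9]] = pending   # the fpr record follows its pub/sub record
            pending = None
    return keys

def diagnose(stderr, listing, now):
    """Classify why the signing (sub)key named in stderr is or is not usable at `now`."""
    fpr = signing_key_from_verify(stderr)
    if fpr is None:
        return "unparsed"
    keys = parse_keys(listing)
    if fpr not in keys:
        return "missing"        # the keyserver used never delivered this subkey
    validity, expiry, caps = keys[fpr]
    if validity == "r":
        return "revoked"
    if validity == "e" or (expiry is not None and expiry <= now):
        return "expired"
    return "present" if "s" in caps else "not-a-signing-key"
```

A "missing" result is the cue to fetch the primary key again from a keyserver that carries the current subkeys (the thread shows keys.gnupg.net succeeding where keys.openpgp.org did not), whereas "expired" or "revoked" means a fresh fetch will not help.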