On 24/04/20 00:15, Simon Deziel wrote:
> On 2020-04-23 5:08 p.m., David Sommerseth wrote:
>> On 23/04/2020 22:30, Simon Deziel wrote:
>>> On 2020-04-23 3:55 p.m., David Sommerseth wrote:
>>>> On 23/04/2020 19:55, Simon Deziel wrote:
>>>>> On 2020-04-21 1:41 p.m., David Sommerseth wrote:
>>>>>> On 21/04/2020 18:32, Simon Deziel wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I cannot validate the Windows exe files [1] and [2] using the key
>>>>>>> advertised in [3].
>>>>>>>
>>>>>>> $ gpg --verify openvpn-install-2.4.9-I601-Win7.exe.asc
>>>>>>> gpg: assuming signed data in 'openvpn-install-2.4.9-I601-Win7.exe'
>>>>>>> gpg: Signature made Fri 17 Apr 2020 07:25:11 AM EDT
>>>>>>> gpg:                using RSA key 333D46306CF9D9F1F630DB8D96AEC408005D6BB4
>>>>>>> gpg: Can't check signature: No public key
>>>>>>>
>>>>>>> $ gpg --verify openvpn-install-2.4.9-I601-Win10.exe.asc
>>>>>>> gpg: assuming signed data in 'openvpn-install-2.4.9-I601-Win10.exe'
>>>>>>> gpg: Signature made Fri 17 Apr 2020 07:25:00 AM EDT
>>>>>>> gpg:                using RSA key 333D46306CF9D9F1F630DB8D96AEC408005D6BB4
>>>>>>> gpg: Can't check signature: No public key
>>>>>>>
>>>>>>>
>>>>>>> $ gpg --list-keys F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>>>>>>> pub   rsa4096/0x12F5F7B42F2B01E7 2017-02-09 [SC] [expires: 2027-02-07]
>>>>>>>       Key fingerprint = F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7
>>>>>>> uid                   [ unknown] OpenVPN - Security Mailing List <secur...@openvpn.net>
>>>>>>>
>>>>>>>
>>>>>>> Did I download the right files?
>>>>>>>
>>>>>>> $ sha256sum openvpn-install-2.4.9-I601-Win*
>>>>>>> 4f95a674c3ffafd85062df995a182cfb57ca56d96084472a48a65c546c815f0c  openvpn-install-2.4.9-I601-Win10.exe
>>>>>>> 340a6b917c5358a18e4ed283669e8d59073720184dba2d1f2965512c9cac18ad  openvpn-install-2.4.9-I601-Win10.exe.asc
>>>>>>> 495754e6f3e40a056b947d496729f3ba78aaf0458d80ff08991c27bddf386139  openvpn-install-2.4.9-I601-Win7.exe
>>>>>>> b15e4b34756446589cc609d5d08fe5daba98c34463135b7abfab1538722c4c4e  openvpn-install-2.4.9-I601-Win7.exe.asc
>>>>>>
>>>>>>
>>>>>> Try refreshing the PGP keys. We pushed out new keys in early March, but
>>>>>> it seems the web page was not updated.
>>>>>>
>>>>>> $ gpg --refresh-keys F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>>>>>>
>>>>>> This should do the proper key update and the verification should work
>>>>>> just fine. We always publish the security public key to key servers
>>>>>> whenever they are updated.
>>>>>
>>>>> I tried all the above and even did so in a fresh container. The subkey
>>>>> 333D46306CF9D9F1F630DB8D96AEC408005D6BB4 is simply not there:
>>>>>
>>>>
>>>> This is really weird. From my own test:
>>>>
>>>> [user@host ~]$ gpg --list-keys | wc -l
>>>> 0
>>>> [user@host ~]$ gpg --recv-key F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>>>>
>>>>
>>>> gpg: requesting key 2F2B01E7 from hkp server keys.gnupg.net
>>>
>>> Indeed, pulling from that key server picked the 'new' subkey.
>>>
>>>> gpg: key 2F2B01E7: public key "OpenVPN - Security Mailing List <secur...@openvpn.net>" imported
>>>> gpg: no ultimately trusted keys found
>>>> gpg: Total number processed: 1
>>>> gpg:               imported: 1  (RSA: 1)
>>>> [user@host ~]$ gpg --edit F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>>>> gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
>>>> This is free software: you are free to change and redistribute it.
>>>> There is NO WARRANTY, to the extent permitted by law.
>>>>
>>>>
>>>> pub  4096R/2F2B01E7  created: 2017-02-09  expires: 2027-02-07  usage: SC
>>>>                      trust: unknown       validity: unknown
>>>> The following key was revoked on 2019-02-04 by RSA key 2F2B01E7 OpenVPN - Security Mailing List <secur...@openvpn.net>
>>>> sub  4096R/F6D9F8D7  created: 2017-02-09  revoked: 2019-02-04  usage: E
>>>> The following key was revoked on 2019-02-04 by RSA key 2F2B01E7 OpenVPN - Security Mailing List <secur...@openvpn.net>
>>>> sub  4096R/8CC2B034  created: 2017-02-09  revoked: 2019-02-04  usage: S
>>>> sub  4096R/AF131CAE  created: 2018-03-07  expired: 2019-03-07  usage: S
>>>> sub  4096R/907F94CF  created: 2018-03-07  expired: 2019-03-07  usage: E
>>>> sub  4096R/5ACFEAC6  created: 2019-02-04  expired: 2020-03-09  usage: S
>>>> sub  4096R/3FEA78DB  created: 2019-02-04  expired: 2020-03-09  usage: E
>>>> sub  4096R/005D6BB4  created: 2020-02-21  expires: 2021-03-05  usage: S   <<<<< The key which is used
>>>> sub  4096R/5EABA192  created: 2020-02-21  expires: 2021-03-05  usage: E
>>>> [ unknown] (1). OpenVPN - Security Mailing List <secur...@openvpn.net>
>>>>
>>>>
>>>> Which key server do you try to fetch from? Might be we need to do
>>>> some additional pushes to some servers.
>>>
>>> Stock default Ubuntu pulls from hkps://keys.openpgp.org which doesn't
>>> have the new subkey.
>>
>> Alright, I just re-pushed to that server again explicitly. And now it seems
>> it worked better.
>
> Thank you! I guess the only remaining thing to do would be to update the
> key from the web site.
>

My proposal to actually _remove_ the key from the website and to rely on the
keyservers instead apparently got lost. Why do we even publish the key on our
webserver? Afaics it is there because "it always used to be". Or is there some
reason I cannot remember?

We already document how to refresh the key, so all we'd need to add is how to
get the key initially:

<https://openvpn.net/community-resources/sig/>

Samuli

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
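The thread turns on one relationship: the signature on the installer was made by a subkey (005D6BB4) that must chain to the primary key whose fingerprint the website advertises (F554 ... 01E7), and a stale keyserver copy of the primary key makes gpg report "No public key" for that subkey. The following script, added here as an example and not code from the thread or from the OpenVPN project, reads the machine-readable status lines gpg emits with `--status-fd` and accepts a signature only when `GOODSIG` is present and the primary fingerprint in the `VALIDSIG` line equals the expected one; when gpg reports `NO_PUBKEY` it names the missing key id and the `--recv-keys` fetch by primary fingerprint that the thread recommends. The sample status lines are constructed to mirror the two runs in the thread (before and after the key refresh) plus one with a foreign primary fingerprint; the `WRONG_PRIMARY` value is a placeholder, not a real key.

```python
"""Accept a detached OpenPGP signature only if its signing subkey belongs to
the expected primary key.  Added example; parses gpg --status-fd output
(format documented in GnuPG's doc/DETAILS)."""
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Primary key fingerprint quoted in the thread (OpenVPN security list key).
EXPECTED_PRIMARY_FPR = "F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7"


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    signing_key: Optional[str] = None  # fingerprint or long key id gpg reported
    primary_fpr: Optional[str] = None  # primary key the signing subkey belongs to
    missing_key: Optional[str] = None  # key id gpg could not find locally


def evaluate_status(lines: Iterable[str],
                    expected_primary: str = EXPECTED_PRIMARY_FPR) -> VerifyResult:
    """Interpret the [GNUPG:] status lines of one gpg --verify run."""
    signing = primary = missing = None
    goodsig = False
    failures: List[str] = []
    for raw in lines:
        if not raw.startswith("[GNUPG:] "):
            continue  # ordinary stderr chatter, not a status line
        parts = raw.split()
        tag = parts[1]
        if tag == "NO_PUBKEY":
            missing = parts[2]
        elif tag == "GOODSIG":
            goodsig, signing = True, parts[2]
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pkalgo>
            #          <hashalgo> <class> <primary-fpr>
            signing = parts[2]
            if len(parts) >= 12:
                primary = parts[11].upper()
        elif tag in ("BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            failures.append(tag)

    if missing:
        return VerifyResult(False,
                            f"no public key for {missing}; import the project key by its "
                            f"primary fingerprint (gpg --recv-keys {expected_primary}) and retry",
                            missing_key=missing)
    if failures:
        return VerifyResult(False, "gpg reported " + ", ".join(failures),
                            signing_key=signing, primary_fpr=primary)
    if not goodsig:
        return VerifyResult(False, "no GOODSIG status line", signing_key=signing)
    if primary != expected_primary.upper():
        return VerifyResult(False,
                            "valid signature, but the signing key does not belong to the "
                            "expected primary key",
                            signing_key=signing, primary_fpr=primary)
    return VerifyResult(True, "good signature from a subkey of the expected primary key",
                        signing_key=signing, primary_fpr=primary)


def verify_file(sig_path: str, data_path: str,
                expected_primary: str = EXPECTED_PRIMARY_FPR) -> VerifyResult:
    """Run gpg on a detached signature and evaluate its status lines (needs gpg installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return evaluate_status(proc.stdout.splitlines(), expected_primary)


# Constructed status output modelled on the failing run in the thread:
# gpg knows which key id signed, but has no public key for it (ERRSIG rc 9).
NO_PUBKEY_RUN = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 96AEC408005D6BB4 1 10 00 1587122711 9 "
    "333D46306CF9D9F1F630DB8D96AEC408005D6BB4",
    "[GNUPG:] NO_PUBKEY 96AEC408005D6BB4",
]

# Constructed status output for the run after the refreshed key was imported;
# VALIDSIG's last field names the primary key the signing subkey hangs off.
GOOD_RUN = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 96AEC408005D6BB4 OpenVPN - Security Mailing List",
    "[GNUPG:] VALIDSIG 333D46306CF9D9F1F630DB8D96AEC408005D6BB4 2020-04-17 "
    "1587122711 0 4 0 1 10 00 F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

# Constructed: a cryptographically good signature from some other key.
WRONG_PRIMARY = "0000000000000000000000000000000000000000"  # placeholder fingerprint
WRONG_PRIMARY_RUN = [
    "[GNUPG:] GOODSIG 1111111111111111 Someone Else",
    "[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2020-04-17 "
    f"1587122711 0 4 0 1 10 00 {WRONG_PRIMARY}",
]

if __name__ == "__main__":
    for name, run in (("missing key", NO_PUBKEY_RUN), ("refreshed key", GOOD_RUN),
                      ("foreign key", WRONG_PRIMARY_RUN)):
        r = evaluate_status(run)
        print(f"{name}: ok={r.ok} ({r.reason})")
```

Pinning the primary fingerprint rather than the subkey id is what lets a verifier keep working across the subkey rotations visible in the `--edit` listing above (new signing subkeys every year or so), while still rejecting a good-looking signature from an unrelated key.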