On Friday, September 29, 2017 at 6:31:15 PM UTC-7, Andrew David Wong wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Dear Qubes community,
>
> On 2017-09-12, we published Qubes Canary #13. The text of this canary is
> reproduced below. This canary and its accompanying signatures will always be
> available in the Qubes Security Pack (qubes-secpack).
>
> View Canary #13 in the qubes-secpack:
>
> <https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-013-2017.txt>
>
> Learn about the qubes-secpack, including how to obtain, verify, and read it:
>
> <https://www.qubes-os.org/security/pack/>
>
> View all past canaries:
>
> <https://www.qubes-os.org/security/canaries/>
>
> ```
> ---===[ Qubes Canary #13 ]===---
>
>
> Statements
> - -----------
>
> The Qubes core developers who have digitally signed this file [1]
> state the following:
>
> 1. The date of issue of this canary is September 12, 2017.
>
> 2. There have been 33 Qubes Security Bulletins published so far.
>
> 3. The Qubes Master Signing Key fingerprint is:
>
> 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
>
> 4. No warrants have ever been served to us with regard to the Qubes OS
> Project (e.g. to hand out the private signing keys or to introduce
> backdoors).
>
> 5. We plan to publish the next of these canary statements in the first
> two weeks of December 2017. Special note should be taken if no new canary
> is published by that time or if the list of statements changes without
> plausible explanation.
>
> Special announcements
> - ----------------------
>
> None.
>
> Disclaimers and notes
> - ----------------------
>
> We would like to remind you that Qubes OS has been designed under the
> assumption that all relevant infrastructure is permanently
> compromised. This means that we assume NO trust in any of the servers
> or services which host or provide any Qubes-related data, in
> particular, software updates, source code repositories, and Qubes ISO
> downloads.
>
> This canary scheme is not infallible. Although signing the declaration
> makes it very difficult for a third party to produce arbitrary
> declarations, it does not prevent them from using force or other
> means, like blackmail or compromising the signers' laptops, to coerce
> us to produce false declarations.
>
> The news feeds quoted below (Proof of freshness) serves to demonstrate
> that this canary could not have been created prior to the date stated.
> It shows that a series of canaries was not created in advance.
>
> This declaration is merely a best effort and is provided without any
> guarantee or warranty. It is not legally binding in any way to
> anybody. None of the signers should be ever held legally responsible
> for any of the statements made here.
>
> Proof of freshness
> - -------------------
>
> $ date -R -u
> Mon, 11 Sep 2017 17:54:05 +0000
>
> $ feedstail -1 -n5 -f '{title}' -u
> https://www.spiegel.de/international/index.rss
> A Shrinking Giant: EU Worries Grow over U.S. Economic Chaos
> Iranian Vice President Salehi on Nuclear Deal: 'Our Partners Have More To
> Lose Than We Do'
> Is Moscow Planning Something?: Germany Prepares for Possible Russian Election
> Meddling
> Where Dreams Come to Die: Migrant Path in Europe Ends at Brenner Pass
> Stemming the Flow: Why Europe's Migrant Strategy Is an Illusion
>
> $ feedstail -1 -n5 -f '{title}' -u
> http://rss.nytimes.com/services/xml/rss/nyt/World.xml
> Desperation Mounts in Caribbean Islands: ‘All the Food Is Gone’
> Mexico Mourns After Quake: ‘We Have No Idea How We Are Going to Rebuild’
> Rohingya Crisis in Myanmar Is ‘Ethnic Cleansing,’ U.N. Rights Chief Says
> Need to Catch Up on the German Election? Here’s a Guide
> U.S. Weakens Resolution on North Korea to Gain Chinese and Russian Support
>
> $ feedstail -1 -n5 -f '{title}' -u http://feeds.bbci.co.uk/news/world/rss.xml
> Hurricane Irma: Florida launches huge relief operation
> Rohingya crisis: UN sees 'ethnic cleansing' in Myanmar
> Catalan independence rally: Thousands gather in Barcelona
> Trump on 9/11 anniversary: "Our nation will endure"
> Venezuela accuses UN of lying over alleged rights abuses
>
> $ feedstail -1 -n5 -f '{title}' -u http://feeds.reuters.com/reuters/worldnews
> U.N. Security Council to vote Monday on weakened North Korea sanctions:
> diplomats
> Afghanistan will never again be militant sanctuary: U.S. ambassador
> U.N. rights boss sees possible "crimes against humanity" in Venezuela
> Russia, Jordan agree to speed de-escalation zone in south Syria
> U.N. brands Myanmar violence a 'textbook' example of ethnic cleansing
>
> $ curl -s 'http://blockchain.info/blocks/?format=json'
>
> $ python3 -c 'import sys, json;
> print(json.load(sys.stdin)['\''blocks'\''][10]['\''hash'\''])'
> 00000000000000000052fe6212dab65bf03f15711c74c835fd6d42802f8cae51
>
> Footnotes
> - ----------
>
> [1] This file should be signed in two ways: (1) via detached PGP
> signatures by each of the signers, distributed together with this
> canary in the qubes-secpack.git repo, and (2) via digital signatures
> on the corresponding qubes-secpack.git repo tags. [2]
>
> [2] Don't just trust the contents of this file blindly! Verify the
> digital signatures!
> ```
>
> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

I have a couple questions regarding the secpack. First, when I try to verify
the git tags, I get the following error:

```
$ cd qubes-secpack
$ git tag -v 'git describe'
error: tag 'git describe' not found.
```

Have I done something wrong here? Next, I did a git tag -l to get a list of
tags to try to verify individually. Here is what followed:

```
$ git tag -v adw_5e2cf51c
object 5e2cf51ce18b1017de9fd73ce235b366271c98ec
type commit
tag adw_5e2cf51c
tagger Andrew David Wong <adw@[deleted for privacy]> 1491306927 -0700
Tag for commit 5e2cf51ce18b1017de9fd73ce235b366271c98ec
gpg: Signature made Tue 04 Apr 2017 04:55:27 AM PDT using RSA key ID 39503030
gpg: Good signature from "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adwong@[deleted for privacy]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BBAF 910D 1BC9 DDF4 1043 629F BC21 1FCE E9C5 4C53
Subkey fingerprint: 650E EB09 85F4 8F78 5E9C 61F5 DB4D D3BC 3950 3030
```

The signature is good, but the key is not certified with a trusted signature.
Can you please explain this? The only signature that I have elevated trust on
is the Qubes Master Signing Key.
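
An added example, not part of the original thread or of the Qubes project's own tooling: the tag check from footnote [1] done against gpg's machine-readable status lines, which report a good signature (`VALIDSIG`) separately from the validity of the signing key (`TRUST_*`), the two results that diverge in the output above. The status lines are constructed from the fingerprints shown in the post, and `classify_sig`, `accept_sig` and `sample_status` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Live use inside a qubes-secpack clone (--raw prints gpg
# status lines on stderr; $(...) substitutes the tag name, quotes would not):
#   git verify-tag --raw "$(git describe)" 2>&1 | classify_sig

# Read gpg status lines on stdin; print "bad" or "good-<validity>-key <primary fpr>".
classify_sig() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
        $2 == "VALIDSIG" { valid = 1; fpr = (NF >= 12) ? $12 : $3 }
        $2 == "TRUST_UNDEFINED" || $2 == "TRUST_NEVER" { trust = "unverified" }
        $2 == "TRUST_MARGINAL" { trust = "marginal" }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trust = "trusted" }
        END {
            if (bad || !valid) { print "bad"; exit }
            if (trust == "") trust = "unverified"
            print "good-" trust "-key " fpr
        }'
}

# Succeed only if the signature is good, made under the expected primary key,
# and gpg rates that key valid (certified via a key you trust, e.g. the QMSK).
accept_sig() {  # $1 = expected primary fingerprint, no spaces
    [ "$(classify_sig)" = "good-trusted-key $1" ]
}

# Constructed status lines built from the fingerprints in the post above.
SIGNER_FPR=BBAF910D1BC9DDF41043629FBC211FCEE9C54C53
sample_status() {  # $1 = trust keyword, e.g. TRUST_UNDEFINED
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG DB4DD3BC39503030 Andrew David Wong <adw@[deleted for privacy]>' \
        "[GNUPG:] VALIDSIG 650EEB0985F48F785E9C61F5DB4DD3BC39503030 2017-04-04 1491306927 0 4 0 1 10 00 $SIGNER_FPR" \
        "[GNUPG:] $1 0 pgp"
}

sample_status TRUST_UNDEFINED | classify_sig   # the situation in the post
sample_status TRUST_FULLY | classify_sig       # after the key is certified
```
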