On Fri, Nov 17, 2017 at 2:47 PM, <[email protected]> wrote: > On Friday, September 29, 2017 at 6:31:15 PM UTC-7, Andrew David Wong wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> Dear Qubes community, >> >> On 2017-09-12, we published Qubes Canary #13. The text of this canary is >> reproduced below. This canary and its accompanying signatures will always be >> available in the Qubes Security Pack (qubes-secpack). >> >> View Canary #13 in the qubes-secpack: >> >> <https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-013-2017.txt> >> >> Learn about the qubes-secpack, including how to obtain, verify, and read it: >> >> <https://www.qubes-os.org/security/pack/> >> >> View all past canaries: >> >> <https://www.qubes-os.org/security/canaries/> >> >> ``` >> ---===[ Qubes Canary #13 ]===--- >> >> >> Statements >> - ----------- >> >> The Qubes core developers who have digitally signed this file [1] >> state the following: >> >> 1. The date of issue of this canary is September 12, 2017. >> >> 2. There have been 33 Qubes Security Bulletins published so far. >> >> 3. The Qubes Master Signing Key fingerprint is: >> >> 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494 >> >> 4. No warrants have ever been served to us with regard to the Qubes OS >> Project (e.g. to hand out the private signing keys or to introduce >> backdoors). >> >> 5. We plan to publish the next of these canary statements in the first >> two weeks of December 2017. Special note should be taken if no new canary >> is published by that time or if the list of statements changes without >> plausible explanation. >> >> Special announcements >> - ---------------------- >> >> None. >> >> Disclaimers and notes >> - ---------------------- >> >> We would like to remind you that Qubes OS has been designed under the >> assumption that all relevant infrastructure is permanently >> compromised. This means that we assume NO trust in any of the servers >> or services which host or provide any Qubes-related data, in >> particular, software updates, source code repositories, and Qubes ISO >> downloads. >> >> This canary scheme is not infallible. Although signing the declaration >> makes it very difficult for a third party to produce arbitrary >> declarations, it does not prevent them from using force or other >> means, like blackmail or compromising the signers' laptops, to coerce >> us to produce false declarations. >> >> The news feeds quoted below (Proof of freshness) serves to demonstrate >> that this canary could not have been created prior to the date stated. >> It shows that a series of canaries was not created in advance. >> >> This declaration is merely a best effort and is provided without any >> guarantee or warranty. It is not legally binding in any way to >> anybody. None of the signers should be ever held legally responsible >> for any of the statements made here. >> >> Proof of freshness >> - ------------------- >> >> $ date -R -u >> Mon, 11 Sep 2017 17:54:05 +0000 >> >> $ feedstail -1 -n5 -f '{title}' -u >> https://www.spiegel.de/international/index.rss >> A Shrinking Giant: EU Worries Grow over U.S. Economic Chaos >> Iranian Vice President Salehi on Nuclear Deal: 'Our Partners Have More To >> Lose Than We Do' >> Is Moscow Planning Something?: Germany Prepares for Possible Russian >> Election Meddling >> Where Dreams Come to Die: Migrant Path in Europe Ends at Brenner Pass >> Stemming the Flow: Why Europe's Migrant Strategy Is an Illusion >> >> $ feedstail -1 -n5 -f '{title}' -u >> http://rss.nytimes.com/services/xml/rss/nyt/World.xml >> Desperation Mounts in Caribbean Islands: ‘All the Food Is Gone’ >> Mexico Mourns After Quake: ‘We Have No Idea How We Are Going to Rebuild’ >> Rohingya Crisis in Myanmar Is ‘Ethnic Cleansing,’ U.N. Rights Chief Says >> Need to Catch Up on the German Election? Here’s a Guide >> U.S. Weakens Resolution on North Korea to Gain Chinese and Russian Support >> >> $ feedstail -1 -n5 -f '{title}' -u http://feeds.bbci.co.uk/news/world/rss.xml >> Hurricane Irma: Florida launches huge relief operation >> Rohingya crisis: UN sees 'ethnic cleansing' in Myanmar >> Catalan independence rally: Thousands gather in Barcelona >> Trump on 9/11 anniversary: "Our nation will endure" >> Venezuela accuses UN of lying over alleged rights abuses >> >> $ feedstail -1 -n5 -f '{title}' -u http://feeds.reuters.com/reuters/worldnews >> U.N. Security Council to vote Monday on weakened North Korea sanctions: >> diplomats >> Afghanistan will never again be militant sanctuary: U.S. ambassador >> U.N. rights boss sees possible "crimes against humanity" in Venezuela >> Russia, Jordan agree to speed de-escalation zone in south Syria >> U.N. brands Myanmar violence a 'textbook' example of ethnic cleansing >> >> $ curl -s 'http://blockchain.info/blocks/?format=json' >> >> $ python3 -c 'import sys, json; >> print(json.load(sys.stdin)['\''blocks'\''][10]['\''hash'\''])' >> 00000000000000000052fe6212dab65bf03f15711c74c835fd6d42802f8cae51 >> >> Footnotes >> - ---------- >> >> [1] This file should be signed in two ways: (1) via detached PGP >> signatures by each of the signers, distributed together with this >> canary in the qubes-secpack.git repo, and (2) via digital signatures >> on the corresponding qubes-secpack.git repo tags. [2] >> >> [2] Don't just trust the contents of this file blindly! Verify the >> digital signatures! >> ``` >> >> - -- >> Andrew David Wong (Axon) >> Community Manager, Qubes OS >> https://www.qubes-os.org >> -----BEGIN PGP SIGNATURE----- >> >> iQIcBAEBCgAGBQJZzvPUAAoJENtN07w5UDAwLDoQAIKnlk4bcsLn5G3iXk36kzIO >> YQxTuuZAd5NRCqz2xyNKkPpTA5KZeB8b9XOSp4kVeOBfamTr7DXmMRLbF/sIDCCz >> GeBS7ZBCyCnjxbPhVGPCw8Y/hnYp+yeM+nf4Zjxe5xiunpuFl4cGITdU+Ft9nyA+ >> 14LXYrcMo0B3lg2MUkbH4u1hHfH1QwUwXde8wbVSirqXR8nm95wUYZzubnaJKrIu >> Q86oh6z8cQbocLhMotvG+pRnWJ0TTzJC02H8oH4E6VekYDuOjAmFlREEXFLYKOim >> dJb3EoxWee+dBrs8TuDW7TRwp8pdsaVoOgZ6j7kUR04iSvu44a2UxVQSHc1PKnuQ >> pVgOIp91TpD92hIjm9zurdQPIok4oM51PqAdbOhiRx5msQd5Vi7+EhlaJ8x8/15J >> A9r6WPTRUYRL+JlknRyBTb//mlsmXOiqJWY00Fax0skvZax8DfoecQW5KN3uLj8r >> VMh42ocI0ezXMor9SWZnrQHYZpBOWF5F4CW+7FUSuGJ8SgO+at8q1Dh+rvu1kDnX >> 8r/uDyV1+KARHGzlq7/zrl+zTgSeBjfGQOEPShiLMUolm/xL+UupG/B2RIXx9NbJ >> 2wJFjoVl3HCbGeyqXNV2eQdhKz4ZnN6KNDVK2QLLTO7eFR8fu71K2m+T2UDV4Wum >> uYCK6e3wqpBryGRKMv9F >> =bag3 >> -----END PGP SIGNATURE----- > > I have a couple questions regarding the secpack. First, when I try to verify > the git tags, I get the following error: > $ cd qubes-secpack > $ git tag -v 'git describe' > error: tag 'git describe' not found.
It appears you are using single quotes ( ' ) instead of backticks ( ` ). > Have I done something wrong here? Next, I did a git tag -l to get a list of > tags to try to verify individually. Here is what followed: > > $ git tag -v adw_5e2cf51c > object 5e2cf51ce18b1017de9fd73ce235b366271c98ec > type commit > tag adw_5e2cf51c > tagger Andrew David Wong <adw@[deleted for privacy]> 1491306927 -0700 > > Tag for commit 5e2cf51ce18b1017de9fd73ce235b366271c98ec > gpg: Signature made Tue 04 Apr 2017 04:55:27 AM PDT using RSA key ID 39503030 > gpg: Good signature from "Andrew David Wong <adw@[deleted for privacy]>" > gpg: aka "Andrew David Wong <adw@[deleted for privacy]>" > gpg: aka "Andrew David Wong <adw@[deleted for privacy]>" > gpg: aka "Andrew David Wong <adw@[deleted for privacy]>" > gpg: aka "Andrew David Wong <adw@[deleted for privacy]>" > gpg: aka "Andrew David Wong <adwong@[deleted for privacy]>" > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: BBAF 910D 1BC9 DDF4 1043 629F BC21 1FCE E9C5 4C53 > Subkey fingerprint: 650E EB09 85F4 8F78 5E9C 61F5 DB4D D3BC 3950 3030 > > The signature is good, but the key is not certified with a trusted signature. > Can you please explain this? The only signature that I have elevated trust on > is the Qubes Master Signing Key. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_CvYm3GJTZNxQ2RUgYcOsgJ8DMKM9-W_FJudzDJ2Qxvcg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
