On Fri, Nov 17, 2017 at 11:47:06AM -0800, [email protected] wrote: > On Friday, September 29, 2017 at 6:31:15 PM UTC-7, Andrew David Wong wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA512 > > > > Dear Qubes community, > > > > On 2017-09-12, we published Qubes Canary #13. The text of this canary is > > reproduced below. This canary and its accompanying signatures will always be > > available in the Qubes Security Pack (qubes-secpack). > > > > View Canary #13 in the qubes-secpack: > > > > <https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-013-2017.txt> > > > > Learn about the qubes-secpack, including how to obtain, verify, and read it: > > > > <https://www.qubes-os.org/security/pack/> > > > > View all past canaries: > > > > <https://www.qubes-os.org/security/canaries/> > > > > ``` > > ---===[ Qubes Canary #13 ]===--- > > > > > > Statements > > - ----------- > > > > The Qubes core developers who have digitally signed this file [1] > > state the following: > > > > 1. The date of issue of this canary is September 12, 2017. > > > > 2. There have been 33 Qubes Security Bulletins published so far. > > > > 3. The Qubes Master Signing Key fingerprint is: > > > > 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494 > > > > 4. No warrants have ever been served to us with regard to the Qubes OS > > Project (e.g. to hand out the private signing keys or to introduce > > backdoors). > > > > 5. We plan to publish the next of these canary statements in the first > > two weeks of December 2017. Special note should be taken if no new canary > > is published by that time or if the list of statements changes without > > plausible explanation. > > > > Special announcements > > - ---------------------- > > > > None. > > > > Disclaimers and notes > > - ---------------------- > > > > We would like to remind you that Qubes OS has been designed under the > > assumption that all relevant infrastructure is permanently > > compromised. This means that we assume NO trust in any of the servers > > or services which host or provide any Qubes-related data, in > > particular, software updates, source code repositories, and Qubes ISO > > downloads. > > > > This canary scheme is not infallible. Although signing the declaration > > makes it very difficult for a third party to produce arbitrary > > declarations, it does not prevent them from using force or other > > means, like blackmail or compromising the signers' laptops, to coerce > > us to produce false declarations. > > > > The news feeds quoted below (Proof of freshness) serves to demonstrate > > that this canary could not have been created prior to the date stated. > > It shows that a series of canaries was not created in advance. > > > > This declaration is merely a best effort and is provided without any > > guarantee or warranty. It is not legally binding in any way to > > anybody. None of the signers should be ever held legally responsible > > for any of the statements made here. > > > > Proof of freshness > > - ------------------- > > > > $ date -R -u > > Mon, 11 Sep 2017 17:54:05 +0000 > > > > $ feedstail -1 -n5 -f '{title}' -u > > https://www.spiegel.de/international/index.rss > > A Shrinking Giant: EU Worries Grow over U.S. Economic Chaos > > Iranian Vice President Salehi on Nuclear Deal: 'Our Partners Have More To > > Lose Than We Do' > > Is Moscow Planning Something?: Germany Prepares for Possible Russian > > Election Meddling > > Where Dreams Come to Die: Migrant Path in Europe Ends at Brenner Pass > > Stemming the Flow: Why Europe's Migrant Strategy Is an Illusion > > > > $ feedstail -1 -n5 -f '{title}' -u > > http://rss.nytimes.com/services/xml/rss/nyt/World.xml > > Desperation Mounts in Caribbean Islands: ‘All the Food Is Gone’ > > Mexico Mourns After Quake: ‘We Have No Idea How We Are Going to Rebuild’ > > Rohingya Crisis in Myanmar Is ‘Ethnic Cleansing,’ U.N. Rights Chief Says > > Need to Catch Up on the German Election? Here’s a Guide > > U.S. Weakens Resolution on North Korea to Gain Chinese and Russian Support > > > > $ feedstail -1 -n5 -f '{title}' -u > > http://feeds.bbci.co.uk/news/world/rss.xml > > Hurricane Irma: Florida launches huge relief operation > > Rohingya crisis: UN sees 'ethnic cleansing' in Myanmar > > Catalan independence rally: Thousands gather in Barcelona > > Trump on 9/11 anniversary: "Our nation will endure" > > Venezuela accuses UN of lying over alleged rights abuses > > > > $ feedstail -1 -n5 -f '{title}' -u > > http://feeds.reuters.com/reuters/worldnews > > U.N. Security Council to vote Monday on weakened North Korea sanctions: > > diplomats > > Afghanistan will never again be militant sanctuary: U.S. ambassador > > U.N. rights boss sees possible "crimes against humanity" in Venezuela > > Russia, Jordan agree to speed de-escalation zone in south Syria > > U.N. brands Myanmar violence a 'textbook' example of ethnic cleansing > > > > $ curl -s 'http://blockchain.info/blocks/?format=json' > > > > $ python3 -c 'import sys, json; > > print(json.load(sys.stdin)['\''blocks'\''][10]['\''hash'\''])' > > 00000000000000000052fe6212dab65bf03f15711c74c835fd6d42802f8cae51 > > > > Footnotes > > - ---------- > > > > [1] This file should be signed in two ways: (1) via detached PGP > > signatures by each of the signers, distributed together with this > > canary in the qubes-secpack.git repo, and (2) via digital signatures > > on the corresponding qubes-secpack.git repo tags. [2] > > > > [2] Don't just trust the contents of this file blindly! Verify the > > digital signatures! > > ``` > > > > - -- > > Andrew David Wong (Axon) > > Community Manager, Qubes OS > > https://www.qubes-os.org > > -----BEGIN PGP SIGNATURE----- > > > > iQIcBAEBCgAGBQJZzvPUAAoJENtN07w5UDAwLDoQAIKnlk4bcsLn5G3iXk36kzIO > > YQxTuuZAd5NRCqz2xyNKkPpTA5KZeB8b9XOSp4kVeOBfamTr7DXmMRLbF/sIDCCz > > GeBS7ZBCyCnjxbPhVGPCw8Y/hnYp+yeM+nf4Zjxe5xiunpuFl4cGITdU+Ft9nyA+ > > 14LXYrcMo0B3lg2MUkbH4u1hHfH1QwUwXde8wbVSirqXR8nm95wUYZzubnaJKrIu > > Q86oh6z8cQbocLhMotvG+pRnWJ0TTzJC02H8oH4E6VekYDuOjAmFlREEXFLYKOim > > dJb3EoxWee+dBrs8TuDW7TRwp8pdsaVoOgZ6j7kUR04iSvu44a2UxVQSHc1PKnuQ > > pVgOIp91TpD92hIjm9zurdQPIok4oM51PqAdbOhiRx5msQd5Vi7+EhlaJ8x8/15J > > A9r6WPTRUYRL+JlknRyBTb//mlsmXOiqJWY00Fax0skvZax8DfoecQW5KN3uLj8r > > VMh42ocI0ezXMor9SWZnrQHYZpBOWF5F4CW+7FUSuGJ8SgO+at8q1Dh+rvu1kDnX > > 8r/uDyV1+KARHGzlq7/zrl+zTgSeBjfGQOEPShiLMUolm/xL+UupG/B2RIXx9NbJ > > 2wJFjoVl3HCbGeyqXNV2eQdhKz4ZnN6KNDVK2QLLTO7eFR8fu71K2m+T2UDV4Wum > > uYCK6e3wqpBryGRKMv9F > > =bag3 > > -----END PGP SIGNATURE----- > > I have a couple questions regarding the secpack. First, when I try to verify > the git tags, I get the following error: > $ cd qubes-secpack > $ git tag -v 'git describe' > error: tag 'git describe' not found. > > Have I done something wrong here? Next, I did a git tag -l to get a list of > tags to try to verify individually. Here is what followed: > > $ git tag -v adw_5e2cf51c > object 5e2cf51ce18b1017de9fd73ce235b366271c98ec > type commit > tag adw_5e2cf51c > tagger Andrew David Wong <adw@[deleted for privacy]> 1491306927 -0700 > > Tag for commit 5e2cf51ce18b1017de9fd73ce235b366271c98ec > gpg: Signature made Tue 04 Apr 2017 04:55:27 AM PDT using RSA key ID 39503030 > gpg: Good signature from "Andrew David Wong <adw@[deleted for privacy]>" > gpg: aka "Andrew David Wong <adw@[deleted for privacy]>" > gpg: aka "Andrew David Wong <adw@[deleted for privacy]>" > gpg: aka "Andrew David Wong <adw@[deleted for privacy]>" > gpg: aka "Andrew David Wong <adw@[deleted for privacy]>" > gpg: aka "Andrew David Wong <adwong@[deleted for privacy]>" > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: BBAF 910D 1BC9 DDF4 1043 629F BC21 1FCE E9C5 4C53 > Subkey fingerprint: 650E EB09 85F4 8F78 5E9C 61F5 DB4D D3BC 3950 3030 > > The signature is good, but the key is not certified with a trusted signature. > Can you please explain this? The only signature that I have elevated trust on > is the Qubes Master Signing Key. >
The warning is evident: Andrew's key is not signed. Questions about this have been asked before, and the reason is probably that most of the Qubes team are using split-gpg (www.qubes-os.org/doc/split-gpg) with subkeys. If you review that page then you will see that one of the downsides of using subkeys is that it's not possible to sign other people's keys. This doesnt mean that you cant trust Andrew's key - there are many things you can do to check that it is the right key and belongs to him. What you cant do is hand off that process of establishing trust to some one else (and that is what the web of trust does). Hope that's somewhat clear unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20171118013905.oqfcrq2pidr4fz66%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
