I just fetched Savannah's x.509 certificates from <http://savannah.gnu.org/tls/> and verified the signed PGP message containing the fingerprints. I first noticed that there's a fingerprint for `cvs.*gnu.org', without any link to a certificate above. Then I checked the fingerprints on all the certificates, and found that while the certificate authority matched the fingerprint listed in the signed PGP message, the other two didn't.

Here are the fingerprints that the signed PGP message claims:

savannah.gnu.org:
 * SHA1 Fingerprint=59:62:0B:EF:A2:AA:FE:C1:6B:39:CB:A5:90:65:42:F5:81:A2:AE:A9
 * MD5 Fingerprint=93:9C:BC:3C:2D:7C:42:D4:B1:15:B1:B6:B6:ED:EC:A0

savannah.nongnu.org:
 * SHA1 Fingerprint=B9:8A:FE:4B:B8:B5:27:BF:44:71:7A:28:23:19:38:3A:34:E6:83:E0
 * MD5 Fingerprint=07:EA:E7:86:B0:0F:F0:0F:7F:AC:82:2C:2E:F2:1B:C3

Here are the actual fingerprints that I obtained with `openssl x509 -fingerprint -noout -in ...', with and without the `-sha1' option to alternate between MD5 and SHA1:

savannah.gnu.org:
 * SHA1 Fingerprint=5C:09:4A:82:12:06:20:89:CF:5F:F2:FC:AE:6A:2C:54:7B:8E:EA:5E
 * MD5 Fingerprint=E2:4A:D7:0D:5F:53:A2:54:3A:CA:8B:01:DD:60:91:A4

savannah.nongnu.org:
 * SHA1 Fingerprint=CA:06:57:BF:5B:35:94:0E:98:1B:28:81:83:47:BB:07:F4:EC:7B:D1
 * MD5 Fingerprint=52:34:FD:6B:42:19:0A:E3:AD:8D:85:37:FF:ED:1B:72

I'm not wizardly enough with OpenSSL to make it verify whether a certificate was, in fact, signed by an issuer, to check the validity of the savannah.gnu.org and savannah.nongnu.org certificates against Savannah's certificate authority. I don't doubt that they were, but is there any reason why the fingerprints do not match?

_______________________________________________
Savannah-users mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/savannah-users
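As an added example (not part of the original post), here is the issuer check the writer asks about, done with the same OpenSSL CLI. It builds a constructed test CA and a leaf certificate it signs (the names are placeholders, not Savannah's certificates), prints fingerprints the way the post does, shows that a fingerprint is just the digest of the certificate's DER bytes, and runs `openssl verify -CAfile` to confirm the leaf chains to the CA.

```shell
#!/bin/sh
# Added example, not from the original post: builds a throwaway CA and a leaf
# certificate it signs, prints fingerprints the way the post does, and checks
# the chain with `openssl verify -CAfile`. Needs the openssl CLI.
set -e
WORK="$(mktemp -d)"

# Minimal req config so the CA cert gets CA:TRUE whatever the system openssl.cnf says.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed test material: a self-signed CA plus a leaf signed by it.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
        -subj "/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=savannah.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Colon-separated fingerprint of cert $1 with digest $2 (sha1, md5 or sha256):
# exactly what `openssl x509 -fingerprint` prints after the '='.
fingerprint() {
    openssl x509 -noout -fingerprint -"$2" -in "$1" | sed 's/^.*=//'
}

# The same digest computed by hand over the DER encoding. A fingerprint is just
# the hash of the certificate bytes, so any re-issued certificate changes it.
der_digest() {
    openssl x509 -in "$1" -outform DER | openssl dgst -"$2" | sed 's/^.*= *//' \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Succeeds only if cert $2 chains to a CA in bundle $1 (signature, dates, CA flag).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Pointing `verify_chain` at the CA certificate from the signed PGP message and at a site certificate answers the "was it really signed by the issuer" question; a fingerprint mismatch on its own only tells you the certificate bytes differ from the ones that were fingerprinted.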
