Re: [Openvpn-devel] Problem with sig for 2.3.16?

2017-05-20 Thread Jonathan K. Bullard
On Fri, May 19, 2017 at 6:41 PM, David Sommerseth
 wrote:
> On 19/05/17 21:23, Jonathan K. Bullard wrote:
[snip]
> > OK, I get that, but the key file from the link David provided (and
> > which was also in his reply to the email announcing 2.3.16):
> >
> >  
> >
> > is not identical to the "Security mailing list GPG key" I just
> > downloaded from the "sig" page.
> >
> > Is that a problem?
>
> What is the difference you see?  To me both look identical when
> importing them into GPG.  But I haven't dug too deep into the details.

The contents of the files were different, which bothered me. I now
understand that that is OK -- I apologize for being too paranoid :)

They import identically for me, so all is well.


> One detail though, the "real" key ID is always the fingerprint.  Then
> there are two types of key IDs, one short and one long.  But those are
> just from the last bytes from the fingerprint.
>
> Key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
> Key ID - long:  12F5 F7B4 2F2B 01E7
> Key ID - short:   2F2B 01E7

Ah. Thanks for the explanation. That makes sense! :)


> When I import both keys into the different brand new GPG key rings, I do
> get the same result when listing these keys.  But I haven't dug too deep
> into the context.  Plus the pgp.mit.edu site might have done some
> non-critical, minor changes in how the key looks - compared to
> Samuli's version.

Yes, that's apparently what happened.


> That said, this security key is based upon the recommended sub-key
> approach [0].  That means that those of us among the developers can only
> use that key for signing and decrypting data and with a fairly short
> lifetime (1 year).  They are not capable of signing other keys, updating
> the lifetime of the keys or any operation requiring the master key.  So
> I highly doubt Samuli has done anything special with that key.  Only I
> have the master key, which is well stored on a protected medium which is
> offline most of the time.
>
>
> [0] 

Thank you for your clear explanations, David -- and your patience!

Best regards,

Jon

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] Problem with sig for 2.3.16?

2017-05-19 Thread David Sommerseth
On 19/05/17 21:23, Jonathan K. Bullard wrote:
[...snip...]
>> Right now the signature situation is a bit confusing, as 2.4.2 is still
>> signed with my new key, and 2.3.16 is using the secur...@openvpn.net
>> key. That is all documented here, though:
>>
>> 
> 
> OK, I get that, but the key file from the link David provided (and
> which was also in his reply to the email announcing 2.3.16):
> 
>  
> 
> is not identical to the "Security mailing list GPG key" I just
> downloaded from the "sig" page.
> 
> Is that a problem?

What is the difference you see?  To me both look identical when
importing them into GPG.  But I haven't dug too deep into the details.

One detail though, the "real" key ID is always the fingerprint.  Then
there are two types of key IDs, one short and one long.  But those are
just from the last bytes from the fingerprint.

Key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
Key ID - long:  12F5 F7B4 2F2B 01E7
Key ID - short:   2F2B 01E7


When I import both keys into the different brand new GPG key rings, I do
get the same result when listing these keys.  But I haven't dug too deep
into the context.  Plus the pgp.mit.edu site might have done some
non-critical, minor changes in how the key looks - compared to
Samuli's version.

That said, this security key is based upon the recommended sub-key
approach [0].  That means that those of us among the developers can only
use that key for signing and decrypting data and with a fairly short
lifetime (1 year).  They are not capable of signing other keys, updating
the lifetime of the keys or any operation requiring the master key.  So
I highly doubt Samuli has done anything special with that key.  Only I
have the master key, which is well stored on a protected medium which is
offline most of the time.


[0] 


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc




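As an added example (not code from this thread or from the OpenVPN project), the Python below derives the long and short key IDs from a fingerprint the way David describes them, as the last 8 and 4 bytes, and checks the key ID that gpg printed in Jon's "public key not found" message against the expected fingerprint. The fingerprint and the gpg line are the values quoted in the thread; the function names and the assumption of v4 keys (40-hex-digit SHA-1 fingerprints, as in RFC 4880 section 12.2) are mine. One caveat for readers comparing IDs: a signature made with a signing subkey, which is what the sub-key approach David references produces, reports that subkey's ID, so a reported ID that is not derived from the primary key's fingerprint is not by itself a mismatch; compare it against the subkey fingerprints, which `gpg --fingerprint --fingerprint <keyid>` lists.

```python
"""Added example: OpenPGP key IDs derived from a v4 fingerprint, plus a check of
the key ID gpg reports against an expected fingerprint.

Assumes v4 keys: the fingerprint is 20 bytes (40 hex digits); the long key ID
is its low-order 8 bytes and the short key ID its low-order 4 bytes.
"""
import re
from typing import Optional

FINGERPRINT_HEX_LEN = 40   # 20-byte fingerprint of a v4 key
LONG_ID_HEX_LEN = 16       # low-order 8 bytes of the fingerprint
SHORT_ID_HEX_LEN = 8       # low-order 4 bytes of the fingerprint

# Values quoted in the thread: the security list key's fingerprint and the
# line gpg printed when the matching public key was not in the keyring.
SECURITY_KEY_FPR = "F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7"
GPG_LINE = "gpg: Signature made Thu May 18 16:56:48 2017 EDT using RSA key ID 8CC2B034"


def normalize_hex(value: str) -> str:
    """Drop whitespace and an optional 0x prefix; upper-case the hex digits."""
    s = re.sub(r"\s+", "", value)
    if s[:2].lower() == "0x":
        s = s[2:]
    s = s.upper()
    if not re.fullmatch(r"[0-9A-F]*", s):
        raise ValueError(f"not hexadecimal: {value!r}")
    return s


def normalize_fingerprint(fpr: str) -> str:
    """Canonical 40-hex-digit form of a v4 fingerprint, however gpg grouped it."""
    s = normalize_hex(fpr)
    if len(s) != FINGERPRINT_HEX_LEN:
        raise ValueError(f"expected {FINGERPRINT_HEX_LEN} hex digits, got {len(s)}: {fpr!r}")
    return s


def long_key_id(fpr: str) -> str:
    """Long (64-bit) key ID: the last 16 hex digits of the fingerprint."""
    return normalize_fingerprint(fpr)[-LONG_ID_HEX_LEN:]


def short_key_id(fpr: str) -> str:
    """Short (32-bit) key ID: the last 8 hex digits of the fingerprint."""
    return normalize_fingerprint(fpr)[-SHORT_ID_HEX_LEN:]


def group_hex(hexstr: str) -> str:
    """Render hex in gpg's style: groups of four, with a double space in the
    middle of a full fingerprint."""
    groups = [hexstr[i:i + 4] for i in range(0, len(hexstr), 4)]
    if len(hexstr) == FINGERPRINT_HEX_LEN:
        return " ".join(groups[:5]) + "  " + " ".join(groups[5:])
    return " ".join(groups)


def parse_reported_key_id(gpg_line: str) -> Optional[str]:
    """Pull the key ID out of a 'Signature made ... using RSA key ID XXXX' line."""
    m = re.search(r"key ID ([0-9A-Fa-fx]+)", gpg_line)
    return normalize_hex(m.group(1)) if m else None


def key_id_matches(reported_id: str, fpr: str) -> bool:
    """True if reported_id is the short ID, long ID or full fingerprint of the
    primary key with fingerprint fpr. Only the full fingerprint identifies a
    key reliably: a 32-bit short ID is cheap to collide, so treat a short-ID
    match as a hint and confirm the fingerprint before trusting the key."""
    rid = normalize_hex(reported_id)
    if len(rid) not in (SHORT_ID_HEX_LEN, LONG_ID_HEX_LEN, FINGERPRINT_HEX_LEN):
        raise ValueError(f"unexpected key ID length: {reported_id!r}")
    return normalize_fingerprint(fpr).endswith(rid)


if __name__ == "__main__":
    print("long  :", group_hex(long_key_id(SECURITY_KEY_FPR)))
    print("short :", group_hex(short_key_id(SECURITY_KEY_FPR)))
    reported = parse_reported_key_id(GPG_LINE)
    if key_id_matches(reported, SECURITY_KEY_FPR):
        print("gpg reported", reported, "-> the primary key's ID")
    else:
        print("gpg reported", reported, "-> not the primary key's ID;",
              "compare against the signing subkeys (gpg --fingerprint --fingerprint)")
```

Run as-is it prints the long and short IDs David listed and reports that 8CC2B034 is not an ID of the primary key in the thread, which is the signal to look at the key's subkeys rather than to conclude the download is bad.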


Re: [Openvpn-devel] Problem with sig for 2.3.16?

2017-05-19 Thread Jonathan K. Bullard
On Fri, May 19, 2017 at 1:44 PM, Samuli Seppänen  wrote:
> On 19/05/2017 17:50, David Sommerseth wrote:
>> On 19/05/17 16:28, Jonathan K. Bullard wrote:
>>> When I try to verify the signature on openvpn-2.3.16.tar.gz (using
>>> openvpn-2.3.16.tar.gz.asc) from the "Downloads" page [1], I get the
>>> following:
>>>
>>>  gpg: assuming signed data in `XXX/openvpn-2.3.16.tar.gz'
>>>  gpg: Signature made Thu May 18 16:56:48 2017 EDT using RSA key ID 8CC2B034
>>>  gpg: Can't check signature: public key not found
>>>
>>> The signatures on openvpn-2.3.15.tar.gz (downloaded last week) and on
>>> openvpn-2.4.2.tar.gz both verify fine.
>>>
>>> I think this is because Samuli's new key's ID is not 8CC2B034, it is
>>> 40864578 (if I understand correctly what is meant by "ID".)
>>
>> Samuli has an old key (0x198D22A3, RSA-1024) and a new key (0x40864578,
>> RSA-2048).  He has switched to the new key and prefers to use that one.
>>
>> We decided just a few days ago that we will switch to use the
>> secur...@openvpn.net key for signing the officially released tarballs.
>>
>>
>>> Is 8CC2B034 the "Security mailing list GPG key" on the "GnuPG Public
>>> Key" page [2]?
>> The proper key is:
>> pub   4096R/0x12F5F7B42F2B01E7 2017-02-09 [expires: 2027-02-07]
>> Key fingerprint = F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>> uid   OpenVPN - Security Mailing List 
>>
>> Which can also be found here:
>> 
>>
>>
>>> The link on that page to that key is broken (and includes
>>> Javascript!).
>>
>> Yes!  I discovered the same issue and reported it internally a couple of
>> hours ago.  I expect it to be fixed in not too long.
>>
>
> Hi,
>
> Joomla did not seem to like the fact that file name was
> secur...@openvpn.net.key.asc. So I renamed it as security.key.asc. That
> seems to work fine.

Thanks!

> Right now the signature situation is a bit confusing, as 2.4.2 is still
> signed with my new key, and 2.3.16 is using the secur...@openvpn.net
> key. That is all documented here, though:
>
> 

OK, I get that, but the key file from the link David provided (and
which was also in his reply to the email announcing 2.3.16):

 

is not identical to the "Security mailing list GPG key" I just
downloaded from the "sig" page.

Is that a problem?

(Sorry if this is something that's common knowledge.)

Best regards,

Jon



Re: [Openvpn-devel] Problem with sig for 2.3.16?

2017-05-19 Thread Samuli Seppänen
On 19/05/2017 17:50, David Sommerseth wrote:
> On 19/05/17 16:28, Jonathan K. Bullard wrote:
>> When I try to verify the signature on openvpn-2.3.16.tar.gz (using
>> openvpn-2.3.16.tar.gz.asc) from the "Downloads" page [1], I get the
>> following:
>>
>>  gpg: assuming signed data in `XXX/openvpn-2.3.16.tar.gz'
>>  gpg: Signature made Thu May 18 16:56:48 2017 EDT using RSA key ID 8CC2B034
>>  gpg: Can't check signature: public key not found
>>
>> The signatures on openvpn-2.3.15.tar.gz (downloaded last week) and on
>> openvpn-2.4.2.tar.gz both verify fine.
>>
>> I think this is because Samuli's new key's ID is not 8CC2B034, it is
>> 40864578 (if I understand correctly what is meant by "ID".)
> 
> Samuli has an old key (0x198D22A3, RSA-1024) and a new key (0x40864578,
> RSA-2048).  He has switched to the new key and prefers to use that one.
> 
> We decided just a few days ago that we will switch to use the
> secur...@openvpn.net key for signing the officially released tarballs.
> 
> 
>> Is 8CC2B034 the "Security mailing list GPG key" on the "GnuPG Public
>> Key" page [2]? 
> The proper key is:
> pub   4096R/0x12F5F7B42F2B01E7 2017-02-09 [expires: 2027-02-07]
> Key fingerprint = F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
> uid   OpenVPN - Security Mailing List 
> 
> Which can also be found here:
> 
> 
> 
>> The link on that page to that key is broken (and includes
>> Javascript!).
> 
> Yes!  I discovered the same issue and reported it internally a couple of
> hours ago.  I expect it to be fixed in not too long.
> 

Hi,

Joomla did not seem to like the fact that file name was
secur...@openvpn.net.key.asc. So I renamed it as security.key.asc. That
seems to work fine.

Right now the signature situation is a bit confusing, as 2.4.2 is still
signed with my new key, and 2.3.16 is using the secur...@openvpn.net
key. That is all documented here, though:



-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
