Re: pgp-keys jsp taglibs
2016-04-20 10:23 GMT+03:00 Martijn Bos:
> Hi Konstantin,
>
> On 2016-04-20 01:25:25, Konstantin Kolinko wrote:
>> 2016-04-19 23:00 GMT+03:00 Martijn Bos:
>> > Hi all,
>> >
>> > (I post in this list since I downloaded from tomcat.apache.org. If there
>> > is a more appropriate list, of course I will try over there)
>> >
>> > 1 - Downloaded the taglibs from
>> > http://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5
>>
>> The "verify" word on above page links to a detailed instruction,
>> https://www.apache.org/info/verification.html
>>
>> > 2 - Downloaded the PGP signatures for the files
>> > 2 - Downloaded KEYS. (The pgp public keys from the releaser(s) of the
>> > files)
>> > 3 - Imported the keys into gpg:
>> > martijn@radijs:~/external_documents/Downloads$ gpg --import KEYS
>> > gpg: sleutel A7A0233C: publieke sleutel "Jeremy Boynes
>> > " geïmporteerd
>> > gpg: Totaal aantal verwerkt: 1
>> > gpg: geïmporteerd: 1 (RSA: 1)
>> > martijn@radijs:~/external_documents/Downloads$
>> >
>> > 4 - checked the signature of the downloaded files:
>> > martijn@radijs:~/external_documents/Downloads$ gpg
>> > taglibs-standard-impl-1.2.5.jar.asc
>>
>> The above verification command is wrong. You must specify 2 file
>> arguments to gpg --verify. See the verification.html page that I
>> mentioned above.
>>
>
> Thank you. I didn't read the page in the first place, because I thought I
> know it all :-(
> (Once again I'm proven wrong)
>
> However (call me stubborn), as far as I understand, in this case my way is not
> wrong per se.
> The verify is with a detached signature. gpg can deduce (and find) the name
> of the file, which was signed, from the name of the detached signature.
>
> Below I copy/pasted the same verification with 1 and with 2 arguments.
> To me the results look the same
>
> (If the signature and the file name do not match, then my approach will not
> work at all, of course)
>
>> > gpg: gegevens in `taglibs-standard-impl-1.2.5.jar' worden verondersteld
>> > ondertekend te zijn
>> > gpg: Ondertekening gemaakt op di 10 mrt 2015 17:11:32 CET met RSA
>> > sleutel-ID A7A0233C
>> > gpg: Goede handtekening van "Jeremy Boynes "
>> > gpg: Noot: Deze sleutel is vervallen!
>> > Vingerafdruk van de primaire sleutel: 8B46 CA49 EF48 37B8 C7F2 92DA A54A
>> > D08E A7A0 233C
>> >
>> > It's in Dutch :-)
>>
>> Executing the below command before the above one should switch it to English.
>> LANG=C
>>
>> Maybe it also needs export LANG, I do not remember.
>>
>
> The moment I read your comment I thought: "Could've done that myself"
>
> So ... now in English, so everyone can read it:
>
>
> martijn@radijs:~/external_documents/Downloads$ export LANG=C
> martijn@radijs:~/external_documents/Downloads$ gpg --verify
> taglibs-standard-compat-1.2.5.jar.asc
> gpg: assuming signed data in `taglibs-standard-compat-1.2.5.jar'
> gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
> gpg: Good signature from "Jeremy Boynes "
> gpg: Note: This key has expired!
> Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2 92DA A54A D08E A7A0 233C
> martijn@radijs:~/external_documents/Downloads$
>
>
> And with the signed file as a second argument:
>
> martijn@radijs:~/external_documents/Downloads$ gpg --verify
> taglibs-standard-compat-1.2.5.jar.asc taglibs-standard-compat-1.2.5.jar
> gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
> gpg: Good signature from "Jeremy Boynes "
> gpg: Note: This key has expired!
> Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2 92DA A54A D08E A7A0 233C
> martijn@radijs:~/external_documents/Downloads$

There was a blog post, explaining the difference.
See a link here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57103#c6

The issue is that your goal is to verify integrity of the "jar" file.
The 1-arg invocation validates integrity of the "asc" file. Whether that
result says anything about the jar depends on what the asc file is. You
may be fooled into a false positive.

The difference between the two invocations is the following line:
> gpg: assuming signed data in `taglibs-standard-compat-1.2.5.jar'

It is good that it is printed, but it is easy to miss the case when that
line is missing.

>> > The message is telling me that the file is signed by key A7A0233C
>> > (I never did sign this key myself..there is no trust..so gpg also tells me
>> > that)
>> > Then gpg tells me "This key is expired"!!!
>> >
>> > I'm not sure what to think of this...Is this a problem, or am I just too
>> > paranoid?
>> >
>> > Can anyone shine his/her light on this.
>>
>>
>> $ gpg --list-keys A7A0233C
>>
>> pub   2048R/A7A0233C 2012-02-25 [expired: 2016-02-25]
>> uid                  Jeremy Boynes
>>
>>
>> 1. Binaries released and signed before February 2016 are OK.
>>
>
> Thanks, ultimately, that is what I wanted
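The two points Konstantin makes above (the one-argument `gpg --verify` only proves something about the .asc file, and a "Good signature" from a key that has since expired is acceptable only when the signature predates the expiry) are easy to get wrong when a human reads gpg's prose output. The script below is an added example, not code from this thread or from Apache Tomcat. It always builds the two-argument form, runs gpg with LANG=C, and decides on gpg's machine-readable `--status-fd` lines rather than on the text. The status lines in it are constructed to mirror the run shown in the thread (key A7A0233C, fingerprint from KEYS, signature made 2015-03-10, key expired 2016-02-25; the exact second of expiry is an assumption, gpg only shows the date); the second sample, a swapped .asc that is an inline-signed message from some other key, uses a hypothetical fingerprint.

```python
"""Policy check for a detached OpenPGP signature on a release artifact.

Added example (not the thread's or Apache Tomcat's code). It evaluates the
`[GNUPG:] ...` status lines that `gpg --status-fd 1 --verify SIG FILE` emits,
so an expired key, a substituted .asc, or a signature from the wrong key
cannot be mistaken for a pass just because gpg printed "Good signature".
"""
import os
import subprocess
from dataclasses import dataclass

# Primary fingerprint of the release key as listed in KEYS on the page, spaces
# removed. Pin the full fingerprint, not the 32-bit key ID A7A0233C: short IDs
# are cheap to collide.
PINNED_PRIMARY_FPR = "8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C"

# Status keywords after which the artifact must be rejected outright.
FATAL = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "REVKEYSIG", "UNEXPECTED"}


def verify_command(sig_path, data_path):
    """The two-argument form: .asc is the signature, the jar is the data.
    --status-fd 1 puts the machine-readable lines on stdout."""
    return ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]


def run_verify(sig_path, data_path):
    """Run gpg (LANG=C, as suggested in the thread) and evaluate the result."""
    env = dict(os.environ, LANG="C", LC_ALL="C")
    proc = subprocess.run(verify_command(sig_path, data_path),
                          capture_output=True, text=True, env=env)
    return evaluate_status(proc.stdout.splitlines())


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""
    sig_time: int = 0
    key_expiry: int = 0


def evaluate_status(status_lines, pinned_fpr=PINNED_PRIMARY_FPR):
    valid = None        # (primary fingerprint, signature creation time)
    key_expiry = None   # from KEYEXPIRED, present when the key has expired
    inline_data = False  # PLAINTEXT: gpg unpacked an inline-signed message
    fatal = []
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        f = line.split()
        kw = f[1]
        if kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <sig-ts> <sig-expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> <primary-fpr>
            primary = f[11] if len(f) > 11 else f[2]
            valid = (primary.upper(), int(f[4]))
        elif kw == "KEYEXPIRED":
            key_expiry = int(f[2])
        elif kw == "PLAINTEXT":
            inline_data = True
        elif kw in FATAL:
            fatal.append(kw)

    if fatal:
        return Verdict(False, "gpg reported " + ", ".join(fatal))
    if valid is None:
        return Verdict(False, "no VALIDSIG: nothing was cryptographically verified")
    fpr, sig_time = valid
    if inline_data:
        # gpg verified a message embedded in the .asc itself; the jar never
        # entered the computation. This is the 1-arg false positive.
        return Verdict(False, "signature was inline, the data file was not checked")
    if fpr != pinned_fpr:
        return Verdict(False, "good signature, but from %s, not the release key" % fpr)
    if key_expiry is not None and sig_time >= key_expiry:
        return Verdict(False, "signature made after the key expired")
    note = " (key has since expired; signature predates expiry)" if key_expiry else ""
    return Verdict(True, "good signature from the pinned release key" + note,
                   fpr, sig_time, key_expiry or 0)


# Constructed status output mirroring the thread's English gpg run.
STATUS_THREAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] EXPKEYSIG A54AD08EA7A0233C Jeremy Boynes",
    "[GNUPG:] VALIDSIG 8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C 2015-03-10 "
    "1426003898 0 4 0 1 2 00 8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C",
    "[GNUPG:] KEYEXPIRED 1456358400",   # 2016-02-25 00:00 UTC, assumed
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

# Constructed: the .asc was replaced by an inline-signed message from another
# (hypothetical) key. `gpg --verify foo.asc` alone still says "Good signature".
STATUS_SWAPPED_ASC = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] PLAINTEXT 62 1460000000 ",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Not The Releaser",
    "[GNUPG:] VALIDSIG 1111111111111111111111110123456789ABCDEF 2016-04-07 "
    "1460000000 0 4 0 1 8 01 1111111111111111111111110123456789ABCDEF",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

if __name__ == "__main__":
    print("thread run :", evaluate_status(STATUS_THREAD))
    print("swapped asc:", evaluate_status(STATUS_SWAPPED_ASC))
```

`run_verify("taglibs-standard-compat-1.2.5.jar.asc", "taglibs-standard-compat-1.2.5.jar")` performs the real check once the KEYS file has been imported; the verdict carries the fingerprint and both timestamps so a build script can log why an expired-key signature was still accepted.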
Re: pgp-keys jsp taglibs
Hi Konstantin,

On 2016-04-20 01:25:25, Konstantin Kolinko wrote:
> 2016-04-19 23:00 GMT+03:00 Martijn Bos:
> > Hi all,
> >
> > (I post in this list since I downloaded from tomcat.apache.org. If there is
> > a more appropriate list, of course I will try over there)
> >
> > 1 - Downloaded the taglibs from
> > http://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5
>
> The "verify" word on above page links to a detailed instruction,
> https://www.apache.org/info/verification.html
>
> > 2 - Downloaded the PGP signatures for the files
> > 2 - Downloaded KEYS. (The pgp public keys from the releaser(s) of the
> > files)
> > 3 - Imported the keys into gpg:
> > martijn@radijs:~/external_documents/Downloads$ gpg --import KEYS
> > gpg: sleutel A7A0233C: publieke sleutel "Jeremy Boynes
> > " geïmporteerd
> > gpg: Totaal aantal verwerkt: 1
> > gpg: geïmporteerd: 1 (RSA: 1)
> > martijn@radijs:~/external_documents/Downloads$
> >
> > 4 - checked the signature of the downloaded files:
> > martijn@radijs:~/external_documents/Downloads$ gpg
> > taglibs-standard-impl-1.2.5.jar.asc
>
> The above verification command is wrong. You must specify 2 file
> arguments to gpg --verify. See the verification.html page that I
> mentioned above.
>

Thank you. I didn't read the page in the first place, because I thought I
know it all :-(
(Once again I'm proven wrong)

However (call me stubborn), as far as I understand, in this case my way is not
wrong per se.
The verify is with a detached signature. gpg can deduce (and find) the name
of the file, which was signed, from the name of the detached signature.

Below I copy/pasted the same verification with 1 and with 2 arguments.
To me the results look the same

(If the signature and the file name do not match, then my approach will not
work at all, of course)

> > gpg: gegevens in `taglibs-standard-impl-1.2.5.jar' worden verondersteld
> > ondertekend te zijn
> > gpg: Ondertekening gemaakt op di 10 mrt 2015 17:11:32 CET met RSA
> > sleutel-ID A7A0233C
> > gpg: Goede handtekening van "Jeremy Boynes "
> > gpg: Noot: Deze sleutel is vervallen!
> > Vingerafdruk van de primaire sleutel: 8B46 CA49 EF48 37B8 C7F2 92DA A54A
> > D08E A7A0 233C
> >
> > It's in Dutch :-)
>
> Executing the below command before the above one should switch it to English.
> LANG=C
>
> Maybe it also needs export LANG, I do not remember.
>

The moment I read your comment I thought: "Could've done that myself"

So ... now in English, so everyone can read it:


martijn@radijs:~/external_documents/Downloads$ export LANG=C
martijn@radijs:~/external_documents/Downloads$ gpg --verify taglibs-standard-compat-1.2.5.jar.asc
gpg: assuming signed data in `taglibs-standard-compat-1.2.5.jar'
gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
gpg: Good signature from "Jeremy Boynes "
gpg: Note: This key has expired!
Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2 92DA A54A D08E A7A0 233C
martijn@radijs:~/external_documents/Downloads$


And with the signed file as a second argument:

martijn@radijs:~/external_documents/Downloads$ gpg --verify taglibs-standard-compat-1.2.5.jar.asc taglibs-standard-compat-1.2.5.jar
gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
gpg: Good signature from "Jeremy Boynes "
gpg: Note: This key has expired!
Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2 92DA A54A D08E A7A0 233C
martijn@radijs:~/external_documents/Downloads$

> > The message is telling me that the file is signed by key A7A0233C
> > (I never did sign this key myself..there is no trust..so gpg also tells me
> > that)
> > Then gpg tells me "This key is expired"!!!
> >
> > I'm not sure what to think of this...Is this a problem, or am I just too
> > paranoid?
> >
> > Can anyone shine his/her light on this.
>
>
> $ gpg --list-keys A7A0233C
>
> pub   2048R/A7A0233C 2012-02-25 [expired: 2016-02-25]
> uid                  Jeremy Boynes
>
>
> 1. Binaries released and signed before February 2016 are OK.
>
Re: pgp-keys jsp taglibs
2016-04-19 23:00 GMT+03:00 Martijn Bos:
> Hi all,
>
> (I post in this list since I downloaded from tomcat.apache.org. If there is a
> more appropriate list, of course I will try over there)
>
> 1 - Downloaded the taglibs from
> http://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5

The "verify" word on above page links to a detailed instruction,
https://www.apache.org/info/verification.html

> 2 - Downloaded the PGP signatures for the files
> 2 - Downloaded KEYS. (The pgp public keys from the releaser(s) of the files)
> 3 - Imported the keys into gpg:
> martijn@radijs:~/external_documents/Downloads$ gpg --import KEYS
> gpg: sleutel A7A0233C: publieke sleutel "Jeremy Boynes "
> geïmporteerd
> gpg: Totaal aantal verwerkt: 1
> gpg: geïmporteerd: 1 (RSA: 1)
> martijn@radijs:~/external_documents/Downloads$
>
> 4 - checked the signature of the downloaded files:
> martijn@radijs:~/external_documents/Downloads$ gpg
> taglibs-standard-impl-1.2.5.jar.asc

The above verification command is wrong. You must specify 2 file
arguments to gpg --verify. See the verification.html page that I
mentioned above.

> gpg: gegevens in `taglibs-standard-impl-1.2.5.jar' worden verondersteld
> ondertekend te zijn
> gpg: Ondertekening gemaakt op di 10 mrt 2015 17:11:32 CET met RSA sleutel-ID
> A7A0233C
> gpg: Goede handtekening van "Jeremy Boynes "
> gpg: Noot: Deze sleutel is vervallen!
> Vingerafdruk van de primaire sleutel: 8B46 CA49 EF48 37B8 C7F2 92DA A54A
> D08E A7A0 233C
>
> It's in Dutch :-)

Executing the below command before the above one should switch it to English.
LANG=C

Maybe it also needs export LANG, I do not remember.

> The message is telling me that the file is signed by key A7A0233C
> (I never did sign this key myself..there is no trust..so gpg also tells me
> that)
> Then gpg tells me "This key is expired"!!!
>
> I'm not sure what to think of this...Is this a problem, or am I just too
> paranoid?
>
> Can anyone shine his/her light on this.


$ gpg --list-keys A7A0233C

pub   2048R/A7A0233C 2012-02-25 [expired: 2016-02-25]
uid                  Jeremy Boynes


1. Binaries released and signed before February 2016 are OK.

2. Jeremy needs to do something with his key before signing a next
release (if there ever is one). As said elsewhere, it is possible to
change the expiration date of a key without a need to generate a new one,

http://unix.stackexchange.com/questions/177291/how-to-renew-an-expired-keypair-with-gpg
http://superuser.com/questions/813421/can-you-extend-the-expiration-date-of-an-already-expired-gpg-key
https://help.riseup.net/en/security/message-security/openpgp/best-practices#use-an-expiration-date-less-than-two-years

Best regards,
Konstantin Kolinko
pgp-keys jsp taglibs
Hi all,

(I post in this list since I downloaded from tomcat.apache.org. If there is a
more appropriate list, of course I will try over there)

1 - Downloaded the taglibs from
http://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5
2 - Downloaded the PGP signatures for the files
2 - Downloaded KEYS. (The pgp public keys from the releaser(s) of the files)
3 - Imported the keys into gpg:
martijn@radijs:~/external_documents/Downloads$ gpg --import KEYS
gpg: sleutel A7A0233C: publieke sleutel "Jeremy Boynes" geïmporteerd
gpg: Totaal aantal verwerkt: 1
gpg: geïmporteerd: 1 (RSA: 1)
martijn@radijs:~/external_documents/Downloads$

4 - checked the signature of the downloaded files:
martijn@radijs:~/external_documents/Downloads$ gpg taglibs-standard-impl-1.2.5.jar.asc
gpg: gegevens in `taglibs-standard-impl-1.2.5.jar' worden verondersteld ondertekend te zijn
gpg: Ondertekening gemaakt op di 10 mrt 2015 17:11:32 CET met RSA sleutel-ID A7A0233C
gpg: Goede handtekening van "Jeremy Boynes "
gpg: Noot: Deze sleutel is vervallen!
Vingerafdruk van de primaire sleutel: 8B46 CA49 EF48 37B8 C7F2 92DA A54A D08E A7A0 233C

It's in Dutch :-)

The message is telling me that the file is signed by key A7A0233C
(I never did sign this key myself..there is no trust..so gpg also tells me that)
Then gpg tells me "This key is expired"!!!

I'm not sure what to think of this...Is this a problem, or am I just too paranoid?

Can anyone shine his/her light on this.

--
Kind regards,
Martijn Bos
(Public pgp-key : http://maboc.nl/pubkey.maboc.asc)