Re: pgp-keys jsp taglibs

2016-04-20 Thread Konstantin Kolinko
2016-04-20 10:23 GMT+03:00 Martijn Bos :
> Hi Konstantin,
>
> On 2016-04-20 01:25:25, Konstantin Kolinko wrote:
>> 2016-04-19 23:00 GMT+03:00 Martijn Bos :
>> > Hi all,
>> >
>> > (I post in this list since I downloaded from tomcat.apache.org. If there 
>> > is a more appropriate list, of course I will try over there)
>> >
>> > 1 - Downloaded the taglibs from 
>> > http://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5
>>
>> The "verify" word on above page links to a detailed instruction,
>> https://www.apache.org/info/verification.html
>>
>> > 2 - Downloaded the PGP signatures for the files
>> > 2 - Downloaded KEYS. (The pgp public keys from the releaser(s)  of the 
>> > files)
>> > 3 - Imported the keys into gpg:
>> > martijn@radijs:~/external_documents/Downloads$ gpg --import KEYS
>> > gpg: sleutel A7A0233C: publieke sleutel "Jeremy Boynes 
>> > " geïmporteerd
>> > gpg:   Totaal aantal verwerkt: 1
>> > gpg: geïmporteerd: 1  (RSA: 1)
>> > martijn@radijs:~/external_documents/Downloads$
>> >
>> > 4 - checked the signature of the downloaded files:
>> > martijn@radijs:~/external_documents/Downloads$ gpg 
>> > taglibs-standard-impl-1.2.5.jar.asc
>>
>> The above verification command is wrong. You must specify 2 file
>> arguments to gpg --verify.  See the verification.html page that I
>> mentioned above.
>>
>
> Thank you. I didn't read the page in the first place, because I thought I 
> knew it all :-(
> (Once again I'm proven wrong)
>
> However (call me stubborn), as far as I understand, in this case my way is not 
> wrong per se.
> The verify is with a detached signature. gpg can deduct (and find) the name 
> of the file, which was signed, from the name of the detached signature.
>
> Below I copy/pasted the same verification with 1 and with 2 arguments. To me 
> the results look the same.
>
> (If the signature and the file name do not match, then my approach will not 
> work at all, of course)
>
>> > gpg: gegevens in `taglibs-standard-impl-1.2.5.jar' worden verondersteld 
>> > ondertekend te zijn
>> > gpg: Ondertekening gemaakt op di 10 mrt 2015 17:11:32 CET met RSA 
>> > sleutel-ID A7A0233C
>> > gpg: Goede handtekening van "Jeremy Boynes "
>> > gpg: Noot: Deze sleutel is vervallen!
>> > Vingerafdruk van de primaire sleutel: 8B46 CA49 EF48 37B8 C7F2  92DA A54A 
>> > D08E A7A0 233C
>> >
>> > It's in Dutch :-)
>>
>> Executing the below command before the above one should switch it to English.
>> LANG=C
>>
>> Maybe it also needs  export LANG, I do not remember.
>>
>
> The moment I read your comment I thought: "Could've done that myself".
>
> So ... now in English, so everyone can read it:
>
>
> martijn@radijs:~/external_documents/Downloads$ export LANG=C
> martijn@radijs:~/external_documents/Downloads$ gpg --verify 
> taglibs-standard-compat-1.2.5.jar.asc
> gpg: assuming signed data in `taglibs-standard-compat-1.2.5.jar'
> gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
> gpg: Good signature from "Jeremy Boynes "
> gpg: Note: This key has expired!
> Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2  92DA A54A D08E A7A0 233C
> martijn@radijs:~/external_documents/Downloads$
>
>
> And with the signed file as a second argument:
>
> martijn@radijs:~/external_documents/Downloads$ gpg --verify 
> taglibs-standard-compat-1.2.5.jar.asc taglibs-standard-compat-1.2.5.jar
> gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
> gpg: Good signature from "Jeremy Boynes "
> gpg: Note: This key has expired!
> Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2  92DA A54A D08E A7A0 233C
> martijn@radijs:~/external_documents/Downloads$

There was a blog post explaining the difference; see the link here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57103#c6

The issue is that your goal is to verify the integrity of the "jar" file.
The 1-arg invocation validates the integrity of the "asc" file. Whether that
result says anything about the jar depends on what the asc file is.
You may be fooled into a false positive.

The difference between the two invocations is the following line:

> gpg: assuming signed data in `taglibs-standard-compat-1.2.5.jar'

It is good that it is printed, but it is easy to miss the case when
that line is missing.


>> > The message is telling me that the file is signed by key A7A0233C
>> > (I never did sign this key myself..there is no trust..so gpg also tells me 
>> > that)
>> > Then gpg tells me "This key is expired"!!!
>> >
>> > I'm not sure what to think of this...Is this a problem, or am I just too 
>> > paranoid?
>> >
>> > Can anyone shine his/her light on this.
>>
>>
>> $ gpg --list-keys A7A0233C
>>
>> pub   2048R/A7A0233C 2012-02-25 [expired: 2016-02-25]
>> uid  Jeremy Boynes 
>>
>>
>> 1. Binaries released and signed before February 2016 are OK.
>>
>
> Thanks, ultimately, that is what I wanted 

Re: pgp-keys jsp taglibs

2016-04-20 Thread Martijn Bos
Hi Konstantin,

On 2016-04-20 01:25:25, Konstantin Kolinko wrote:
> 2016-04-19 23:00 GMT+03:00 Martijn Bos :
> > Hi all,
> >
> > (I post in this list since I downloaded from tomcat.apache.org. If there is 
> > a more appropriate list, of course I will try over there)
> >
> > 1 - Downloaded the taglibs from 
> > http://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5
> 
> The "verify" word on above page links to a detailed instruction,
> https://www.apache.org/info/verification.html
> 
> > 2 - Downloaded the PGP signatures for the files
> > 2 - Downloaded KEYS. (The pgp public keys from the releaser(s)  of the 
> > files)
> > 3 - Imported the keys into gpg:
> > martijn@radijs:~/external_documents/Downloads$ gpg --import KEYS
> > gpg: sleutel A7A0233C: publieke sleutel "Jeremy Boynes 
> > " geïmporteerd
> > gpg:   Totaal aantal verwerkt: 1
> > gpg: geïmporteerd: 1  (RSA: 1)
> > martijn@radijs:~/external_documents/Downloads$
> >
> > 4 - checked the signature of the downloaded files:
> > martijn@radijs:~/external_documents/Downloads$ gpg 
> > taglibs-standard-impl-1.2.5.jar.asc
> 
> The above verification command is wrong. You must specify 2 file
> arguments to gpg --verify.  See the verification.html page that I
> mentioned above.
> 

Thank you. I didn't read the page in the first place, because I thought I knew 
it all :-(
(Once again I'm proven wrong)

However (call me stubborn), as far as I understand, in this case my way is not 
wrong per se.
The verify is with a detached signature. gpg can deduct (and find) the name of 
the file, which was signed, from the name of the detached signature.

Below I copy/pasted the same verification with 1 and with 2 arguments. To me 
the results look the same.

(If the signature and the file name do not match, then my approach will not 
work at all, of course)

> > gpg: gegevens in `taglibs-standard-impl-1.2.5.jar' worden verondersteld 
> > ondertekend te zijn
> > gpg: Ondertekening gemaakt op di 10 mrt 2015 17:11:32 CET met RSA 
> > sleutel-ID A7A0233C
> > gpg: Goede handtekening van "Jeremy Boynes "
> > gpg: Noot: Deze sleutel is vervallen!
> > Vingerafdruk van de primaire sleutel: 8B46 CA49 EF48 37B8 C7F2  92DA A54A 
> > D08E A7A0 233C
> >
> > It's in Dutch :-)
> 
> Executing the below command before the above one should switch it to English.
> LANG=C
> 
> Maybe it also needs  export LANG, I do not remember.
> 

The moment I read your comment I thought: "Could've done that myself".

So ... now in English, so everyone can read it:


martijn@radijs:~/external_documents/Downloads$ export LANG=C
martijn@radijs:~/external_documents/Downloads$ gpg --verify taglibs-standard-compat-1.2.5.jar.asc
gpg: assuming signed data in `taglibs-standard-compat-1.2.5.jar'
gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
gpg: Good signature from "Jeremy Boynes "
gpg: Note: This key has expired!
Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2  92DA A54A D08E A7A0 233C
martijn@radijs:~/external_documents/Downloads$


And with the signed file as a second argument:

martijn@radijs:~/external_documents/Downloads$ gpg --verify taglibs-standard-compat-1.2.5.jar.asc taglibs-standard-compat-1.2.5.jar
gpg: Signature made Tue Mar 10 17:11:38 2015 CET using RSA key ID A7A0233C
gpg: Good signature from "Jeremy Boynes "
gpg: Note: This key has expired!
Primary key fingerprint: 8B46 CA49 EF48 37B8 C7F2  92DA A54A D08E A7A0 233C
martijn@radijs:~/external_documents/Downloads$

> > The message is telling me that the file is signed by key A7A0233C
> > (I never did sign this key myself..there is no trust..so gpg also tells me 
> > that)
> > Then gpg tells me "This key is expired"!!!
> >
> > I'm not sure what to think of this...Is this a problem, or am I just too 
> > paranoid?
> >
> > Can anyone shine his/her light on this.
> 
> 
> $ gpg --list-keys A7A0233C
> 
> pub   2048R/A7A0233C 2012-02-25 [expired: 2016-02-25]
> uid  Jeremy Boynes 
> 
> 
> 1. Binaries released and signed before February 2016 are OK.
> 


Re: pgp-keys jsp taglibs

2016-04-19 Thread Konstantin Kolinko
2016-04-19 23:00 GMT+03:00 Martijn Bos :
> Hi all,
>
> (I post in this list since I downloaded from tomcat.apache.org. If there is a 
> more appropriate list, of course I will try over there)
>
> 1 - Downloaded the taglibs from 
> http://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5

The "verify" word on above page links to a detailed instruction,
https://www.apache.org/info/verification.html

> 2 - Downloaded the PGP signatures for the files
> 2 - Downloaded KEYS. (The pgp public keys from the releaser(s)  of the files)
> 3 - Imported the keys into gpg:
> martijn@radijs:~/external_documents/Downloads$ gpg --import KEYS
> gpg: sleutel A7A0233C: publieke sleutel "Jeremy Boynes " 
> geïmporteerd
> gpg:   Totaal aantal verwerkt: 1
> gpg: geïmporteerd: 1  (RSA: 1)
> martijn@radijs:~/external_documents/Downloads$
>
> 4 - checked the signature of the downloaded files:
> martijn@radijs:~/external_documents/Downloads$ gpg 
> taglibs-standard-impl-1.2.5.jar.asc

The above verification command is wrong. You must specify 2 file
arguments to gpg --verify.  See the verification.html page that I
mentioned above.

> gpg: gegevens in `taglibs-standard-impl-1.2.5.jar' worden verondersteld 
> ondertekend te zijn
> gpg: Ondertekening gemaakt op di 10 mrt 2015 17:11:32 CET met RSA sleutel-ID 
> A7A0233C
> gpg: Goede handtekening van "Jeremy Boynes "
> gpg: Noot: Deze sleutel is vervallen!
> Vingerafdruk van de primaire sleutel: 8B46 CA49 EF48 37B8 C7F2  92DA A54A 
> D08E A7A0 233C
>
> It's in Dutch :-)

Executing the below command before the above one should switch it to English.
LANG=C

Maybe it also needs  export LANG, I do not remember.

> The message is telling me that the file is signed by key A7A0233C
> (I never did sign this key myself..there is no trust..so gpg also tells me 
> that)
> Then gpg tells me "This key is expired"!!!
>
> I'm not sure what to think of this...Is this a problem, or am I just too 
> paranoid?
>
> Can anyone shine his/her light on this.


$ gpg --list-keys A7A0233C

pub   2048R/A7A0233C 2012-02-25 [expired: 2016-02-25]
uid  Jeremy Boynes 


1. Binaries released and signed before February 2016 are OK.

2. Jeremy needs to do something with his key before signing a next
release (if there ever is one).
As said elsewhere, it is possible to change the expiration date of a key
without needing to generate a new one:

http://unix.stackexchange.com/questions/177291/how-to-renew-an-expired-keypair-with-gpg

http://superuser.com/questions/813421/can-you-extend-the-expiration-date-of-an-already-expired-gpg-key

https://help.riseup.net/en/security/message-security/openpgp/best-practices#use-an-expiration-date-less-than-two-years

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
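
Two points in Konstantin's replies lend themselves to a small verification wrapper: the 1-argument form of gpg --verify only checks the "asc" file and can be a false positive because gpg has to guess the data file, and a "This key has expired" result is acceptable only for signatures made before the expiry (point 1 above). The following is an added example, not code from the thread, from Apache or from GnuPG: it always passes both files to gpg --verify, reads the machine-readable --status-fd records rather than the translated human text, and accepts only a VALIDSIG whose primary fingerprint is in the set derived from KEYS and whose timestamp predates any KEYEXPIRED. The fingerprint, key ID, expiry date and signature time are the ones printed in the thread; the expiry time of day, the second (later) signature time and the trimmed user IDs are constructed, and the sample status lines are built from the documented status-line format, not captured from a real run.

```python
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone

# Release-manager fingerprint as gpg printed it in the thread, spaces removed.
# In real use this set is built from every key in the project's KEYS file.
RELEASE_KEY_FPRS = {"8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""
    signed_at: int = 0  # signature creation time, seconds since the epoch


def parse_status(status_text):
    """Map each '[GNUPG:] KEYWORD args...' line to KEYWORD -> list of arg lists."""
    records = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line[len("[GNUPG:] "):].split()
            if fields:
                records.setdefault(fields[0], []).append(fields[1:])
    return records


def judge(status_text, trusted_fprs):
    """Accept only a VALIDSIG from a key in trusted_fprs and, when gpg reports
    the key as expired (EXPKEYSIG), only if the signature predates the expiry."""
    st = parse_status(status_text)
    if "BADSIG" in st:
        return Verdict(False, "BADSIG: data file does not match the signature")
    if "NO_PUBKEY" in st:
        return Verdict(False, "NO_PUBKEY: signer's key not in keyring; import KEYS first")
    if "VALIDSIG" not in st:
        return Verdict(False, "no VALIDSIG record: signature could not be checked")
    # VALIDSIG <fpr> <date> <sig-timestamp> <sig-expire-ts> <ver> <reserved>
    #          <pubkey-algo> <hash-algo> <class> [<primary-key-fpr>]
    v = st["VALIDSIG"][0]
    signed_at = int(v[2])
    primary = (v[9] if len(v) > 9 else v[0]).upper()
    if primary not in trusted_fprs:
        return Verdict(False, f"good signature, but key {primary} is not in KEYS", primary, signed_at)
    if "EXPKEYSIG" in st:
        # KEYEXPIRED <expire-timestamp>; one may appear per expired (sub)key, so the
        # earliest is used, which can only make the decision stricter, never laxer.
        expiries = [int(a[0]) for a in st.get("KEYEXPIRED", []) if a]
        if not expiries:
            return Verdict(False, "key expired but no KEYEXPIRED timestamp; inspect by hand", primary, signed_at)
        if signed_at >= min(expiries):
            return Verdict(False, "signature made after the key expired", primary, signed_at)
        return Verdict(True, "good signature made before the key expired", primary, signed_at)
    if "GOODSIG" in st:
        return Verdict(True, "good signature from a release key", primary, signed_at)
    return Verdict(False, "unexpected status combination", primary, signed_at)


def verify_detached(sig_path, data_path, trusted_fprs=RELEASE_KEY_FPRS, gpg="gpg"):
    """Always pass BOTH files, so gpg never has to 'assume signed data in ...'.
    Status records go to stdout (--status-fd 1); human text stays on stderr."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return judge(proc.stdout, trusted_fprs)


# --- constructed status output so the policy can be exercised offline ----------
def _ts(*ymd_hms):
    return int(datetime(*ymd_hms, tzinfo=timezone.utc).timestamp())

FPR = "8B46CA49EF4837B8C7F292DAA54AD08EA7A0233C"
KEY_EXPIRED_AT = _ts(2016, 2, 25)            # "[expired: 2016-02-25]"; time of day assumed
SIGNED_2015 = _ts(2015, 3, 10, 16, 11, 38)   # "Tue Mar 10 17:11:38 2015 CET" = 16:11:38 UTC
SIGNED_2016 = _ts(2016, 4, 19, 20, 0, 0)     # hypothetical signature made after expiry


def sample_status(fpr, signed_at, expired_at=None, bad=False):
    """Constructed status lines in the documented format (user ID e-mail omitted)."""
    if bad:
        return f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {fpr[-16:]} Jeremy Boynes\n"
    lines = ["[GNUPG:] NEWSIG"]
    if expired_at is not None:
        lines += [f"[GNUPG:] KEYEXPIRED {expired_at}", f"[GNUPG:] EXPKEYSIG {fpr[-16:]} Jeremy Boynes"]
    else:
        lines.append(f"[GNUPG:] GOODSIG {fpr[-16:]} Jeremy Boynes")
    day = datetime.fromtimestamp(signed_at, timezone.utc).strftime("%Y-%m-%d")
    lines.append(f"[GNUPG:] VALIDSIG {fpr} {day} {signed_at} 0 4 0 1 2 00 {fpr}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cases = [("2015 signature, key expired 2016", sample_status(FPR, SIGNED_2015, KEY_EXPIRED_AT)),
             ("2016 signature, key expired 2016", sample_status(FPR, SIGNED_2016, KEY_EXPIRED_AT)),
             ("good signature, key not in KEYS", sample_status("0" * 40, SIGNED_2015))]
    for label, status in cases:
        print(f"{label}: {judge(status, RELEASE_KEY_FPRS)}")
```

Use verify_detached("taglibs-standard-compat-1.2.5.jar.asc", "taglibs-standard-compat-1.2.5.jar") against real files; the policy in judge() is what distinguishes "Good signature from a key that has since expired" (fine for the 2015 release) from a signature that post-dates the expiry or comes from a key that was never in KEYS, neither of which the human-readable "Good signature" line alone reveals.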



pgp-keys jsp taglibs

2016-04-19 Thread Martijn Bos
Hi all,

(I post in this list since I downloaded from tomcat.apache.org. If there is a 
more appropriate list, of course I will try over there)

1 - Downloaded the taglibs from 
http://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5
2 - Downloaded the PGP signatures for the files
2 - Downloaded KEYS. (The pgp public keys from the releaser(s)  of the files)
3 - Imported the keys into gpg:
martijn@radijs:~/external_documents/Downloads$ gpg --import KEYS
gpg: sleutel A7A0233C: publieke sleutel "Jeremy Boynes " 
geïmporteerd
gpg:   Totaal aantal verwerkt: 1
gpg: geïmporteerd: 1  (RSA: 1)
martijn@radijs:~/external_documents/Downloads$ 

4 - checked the signature of the downloaded files:
martijn@radijs:~/external_documents/Downloads$ gpg 
taglibs-standard-impl-1.2.5.jar.asc 
gpg: gegevens in `taglibs-standard-impl-1.2.5.jar' worden verondersteld 
ondertekend te zijn
gpg: Ondertekening gemaakt op di 10 mrt 2015 17:11:32 CET met RSA sleutel-ID 
A7A0233C
gpg: Goede handtekening van "Jeremy Boynes "
gpg: Noot: Deze sleutel is vervallen!
Vingerafdruk van de primaire sleutel: 8B46 CA49 EF48 37B8 C7F2  92DA A54A D08E 
A7A0 233C

It's in Dutch :-)
The message is telling me that the file is signed by key A7A0233C
(I never did sign this key myself..there is no trust..so gpg also tells me that)
Then gpg tells me "This key is expired"!!!

I'm not sure what to think of this...Is this a problem, or am I just too 
paranoid?

Can anyone shine his/her light on this.

-- 
Kind regards,

Martijn Bos

(Public pgp-key : http://maboc.nl/pubkey.maboc.asc)

