Re: OpenSSL version 1.0.1g release signed with unauthorized key???
Attention: The .asc file I downloaded directly from openssl.org for the 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt file distributed in previous tarballs, nor by the (unverifiable) fingerprints.txt available from http://www.openssl.org/docs/misc/ Specifically, it was signed by a PGP key purporting to belong to Dr. Henson, but with a different identifier and a different e-mail address than the authorized key listed for him in fingerprints.txt. I suspect this is just a mixup at your end, but one cannot feel too sure without a valid file signature consistent with the securely distributed signature list. For now, I will have to avoid installing this critical security update and try the workaround instead. On 4/7/2014 7:38 PM, OpenSSL wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.0.1g released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.1g of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.1-notes.html OpenSSL 1.0.1g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.1g.tar.gz Size: 4509047 MD5 checksum: de62b43dfcd858e66a74bee1c834e959 SHA1 checksum: b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c The checksums were calculated using the following commands: openssl md5 openssl-1.0.1g.tar.gz openssl sha1 openssl-1.0.1g.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCAAGBQJTQtiiAAoJENNXdQf6QOniC/EQALRkau9Gx+qzyp1nx1FDTJI1 ox93n7SKC3QIjX4veVuFjpaPymNQXVRM8IbgET5tE4GPT5w+PrscpyGSJJr8yvWN TKy48JSKl13GVMODnEC6nEffsS/sci5o2PHXhDYa7aC+xRF6UUSMa8tqXnhGJP7e uv7a1tYjtgE8Ix9tdoK32UkPOM0Z1qr11lPFDdG0GrIs+mbjPirdKSgvQm22w4IU jyn5AmmReA6ZnIpffOHGQY5OgpGTg4yg+aaFKenisOfIL80raNZlVuWrzDkTUS9k +gikqtBRg1pFMd1UGpl0S7sIXZNm01yv4K4aO3a9aykXqPQLOc8WmvfDgf99+8HR zUrowh7Xf1CvHsgIs4s0XaggZdXhkXpMpSWdWpVh7ZVm/TPInoPWwyj8Zp/TL8XF N/GrNHRLuWvSgCuyA7qhkee33FmtCblnYTHSLyGQrVpfq/cVEzvpznsZnObjFG+/ 4Gss0qUVQZ0LJUUKZHx5cGvHliXYEeZQaBz/VLJ7J8fvy6Fsp0vKFjbrobG6srB6 pa6NYQKjHhobx+eEW380j3r60iBiz1GjdMSOdLvnSOA9dOcWmXFxl5GLcASnM+F0 kGtZBjLXsaImnp749V50sme+bNgQ/ErUvikTLXefk0rtUnfjCmJec44Kn5Gh7J1k iI/CjhJrI2B83C48m2kE =lxo1 -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Announcement Mailing List openssl-annou...@openssl.org Automated List Manager majord...@openssl.org Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL version 1.0.1g release signed with unauthorized key???
On Apr 9, 2014 7:30 PM, Jakob Bohm jb-open...@wisemo.com wrote: Attention: The .asc file I downloaded directly from openssl.org for the 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt file distributed in previous tarballs, nor by the (unverifiable) fingerprints.txt available from http://www.openssl.org/docs/misc/ Specifically, it was signed by a PGP key purporting to belong to Dr. Henson, but with a different identifier and a different e-mail address than the authorized key listed for him in fingerprints.txt. I suspect this is just a mixup at your end, but one cannot feel too sure without a valid file signature consistent with the securely distributed signature list. For now, I will have to avoid installing this critical security update and try the workaround instead. Not great timing. Dustin On 4/7/2014 7:38 PM, OpenSSL wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.0.1g released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.1g of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.1-notes.html OpenSSL 1.0.1g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.1g.tar.gz Size: 4509047 MD5 checksum: de62b43dfcd858e66a74bee1c834e959 SHA1 checksum: b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c The checksums were calculated using the following commands: openssl md5 openssl-1.0.1g.tar.gz openssl sha1 openssl-1.0.1g.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCAAGBQJTQtiiAAoJENNXdQf6QOniC/EQALRkau9Gx+qzyp1nx1FDTJI1 ox93n7SKC3QIjX4veVuFjpaPymNQXVRM8IbgET5tE4GPT5w+PrscpyGSJJr8yvWN TKy48JSKl13GVMODnEC6nEffsS/sci5o2PHXhDYa7aC+xRF6UUSMa8tqXnhGJP7e uv7a1tYjtgE8Ix9tdoK32UkPOM0Z1qr11lPFDdG0GrIs+mbjPirdKSgvQm22w4IU jyn5AmmReA6ZnIpffOHGQY5OgpGTg4yg+aaFKenisOfIL80raNZlVuWrzDkTUS9k +gikqtBRg1pFMd1UGpl0S7sIXZNm01yv4K4aO3a9aykXqPQLOc8WmvfDgf99+8HR zUrowh7Xf1CvHsgIs4s0XaggZdXhkXpMpSWdWpVh7ZVm/TPInoPWwyj8Zp/TL8XF N/GrNHRLuWvSgCuyA7qhkee33FmtCblnYTHSLyGQrVpfq/cVEzvpznsZnObjFG+/ 4Gss0qUVQZ0LJUUKZHx5cGvHliXYEeZQaBz/VLJ7J8fvy6Fsp0vKFjbrobG6srB6 pa6NYQKjHhobx+eEW380j3r60iBiz1GjdMSOdLvnSOA9dOcWmXFxl5GLcASnM+F0 kGtZBjLXsaImnp749V50sme+bNgQ/ErUvikTLXefk0rtUnfjCmJec44Kn5Gh7J1k iI/CjhJrI2B83C48m2kE =lxo1 -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Announcement Mailing List openssl-annou...@openssl.org Automated List Manager majord...@openssl.org Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL version 1.0.1g release signed with unauthorized key???
On 9 Apr 2014, at 4:12 PM, Jakob Bohm wrote: Attention: The .asc file I downloaded directly from openssl.org for the 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt file distributed in previous tarballs, nor by the (unverifiable) fingerprints.txt available from http://www.openssl.org/docs/misc/ Specifically, it was signed by a PGP key purporting to belong to Dr. Henson, but with a different identifier and a different e-mail address than the authorized key listed for him in fingerprints.txt. I suspect this is just a mixup at your end, but one cannot feel too sure without a valid file signature consistent with the securely distributed signature list. I also noticed this--- previous tarballs were all signed by the F295C759 key (fingerprint ending in D57EE597), but this announcement and the 1.0.1g tarball were both signed by the FA40E9E2 key. However, the new key (all three of its userids) *is* signed by the old key, so there is I think some assurance that the new key also belongs to Dr Stephen Henson and that the release is legitimate. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org