Re: OpenSSL version 1.0.1g release signed with unauthorized key???

2014-04-09 Thread Jakob Bohm
Attention: The .asc file I downloaded directly from openssl.org for the
1.0.1g tarball was signed with a key NOT authorized by the
fingerprints.txt file distributed in previous tarballs, nor by the
(unverifiable) fingerprints.txt available from

   http://www.openssl.org/docs/misc/

Specifically, it was signed by a PGP key purporting to belong to Dr.
Henson, but with a different identifier and a different e-mail address
than the authorized key listed for him in fingerprints.txt.

I suspect this is just a mixup at your end, but one cannot feel too
sure without a valid file signature consistent with the securely 
distributed signature list.


For now, I will have to avoid installing this critical security update
and try the workaround instead.

On 4/7/2014 7:38 PM, OpenSSL wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


OpenSSL version 1.0.1g released
===

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.0.1g of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

 http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1g is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

 o openssl-1.0.1g.tar.gz
   Size: 4509047
   MD5 checksum: de62b43dfcd858e66a74bee1c834e959
   SHA1 checksum: b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c

The checksums were calculated using the following commands:

 openssl md5 openssl-1.0.1g.tar.gz
 openssl sha1 openssl-1.0.1g.tar.gz

Yours,

The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Announcement Mailing List openssl-annou...@openssl.org
Automated List Manager   majord...@openssl.org




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager      majord...@openssl.org


Re: OpenSSL version 1.0.1g release signed with unauthorized key???

2014-04-09 Thread Dustin Oprea
On Apr 9, 2014 7:30 PM, Jakob Bohm jb-open...@wisemo.com wrote:

 Attention: The .asc file I downloaded directly from openssl.org for the
 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt
 file distributed in previous tarballs, nor by the (unverifiable)
 fingerprints.txt available from

    http://www.openssl.org/docs/misc/

 Specifically, it was signed by a PGP key purporting to belong to Dr.
 Henson, but with a different identifier and a different e-mail address
 than the authorized key listed for him in fingerprints.txt.

 I suspect this is just a mixup at your end, but one cannot feel too
 sure without a valid file signature consistent with the securely
 distributed signature list.

 For now, I will have to avoid installing this critical security update
 and try the workaround instead.

Not great timing.

Dustin


 On 4/7/2014 7:38 PM, OpenSSL wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256


 OpenSSL version 1.0.1g released
 ===

 OpenSSL - The Open Source toolkit for SSL/TLS
 http://www.openssl.org/

 The OpenSSL project team is pleased to announce the release of
 version 1.0.1g of our open source toolkit for SSL/TLS. For details
 of changes and known issues see the release notes at:

  http://www.openssl.org/news/openssl-1.0.1-notes.html

 OpenSSL 1.0.1g is available for download via HTTP and FTP from the
 following master locations (you can find the various FTP mirrors under
 http://www.openssl.org/source/mirror.html):

   * http://www.openssl.org/source/
   * ftp://ftp.openssl.org/source/

 The distribution file name is:

  o openssl-1.0.1g.tar.gz
    Size: 4509047
    MD5 checksum: de62b43dfcd858e66a74bee1c834e959
    SHA1 checksum: b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c

 The checksums were calculated using the following commands:

  openssl md5 openssl-1.0.1g.tar.gz
  openssl sha1 openssl-1.0.1g.tar.gz

 Yours,

 The OpenSSL Project Team.

 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.11 (GNU/Linux)

 -END PGP SIGNATURE-


Re: OpenSSL version 1.0.1g release signed with unauthorized key???

2014-04-09 Thread Wim Lewis

On 9 Apr 2014, at 4:12 PM, Jakob Bohm wrote:
 Attention: The .asc file I downloaded directly from openssl.org for the 
 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt 
 file distributed in previous tarballs, nor by the (unverifiable) 
 fingerprints.txt available from
 
   http://www.openssl.org/docs/misc/
 
 Specifically, it was signed by a PGP key purporting to belong to Dr. Henson, 
 but with a different identifier and a different e-mail address
 than the authorized key listed for him in fingerprints.txt.
 
 I suspect this is just a mixup at your end, but one cannot feel too
 sure without a valid file signature consistent with the securely distributed 
 signature list.

I also noticed this--- previous tarballs were all signed by the F295C759 key 
(fingerprint ending in D57EE597), but this announcement and the 1.0.1g tarball 
were both signed by the FA40E9E2 key. However, the new key (all three of its 
userids) *is* signed by the old key, so there is I think some assurance that 
the new key also belongs to Dr Stephen Henson and that the release is 
legitimate.


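The check Wim Lewis describes above, as an added example (not code from this thread or from the OpenSSL project): pin the release-signing key to a previously verified fingerprints.txt rather than trusting gpg's GOODSIG, and route a rotated key to review only when a pinned key certifies every one of its user IDs. The gpg status and colon-format output, fingerprints and key IDs are constructed placeholders, and the parsing assumes GnuPG's documented `--status-fd` and `--with-colons` record layouts.

```python
# Added example, not code from this thread or from the OpenSSL project. gpg's
# GOODSIG only says some keyring key signed; the VALIDSIG fingerprint must match
# the fingerprints.txt pin list, and a rotated key goes to review only if every
# user ID on it is certified by a pinned key. All values below are constructed.

PINNED = {"1111111111111111111111111111111111111111"}  # from a verified fingerprints.txt
# Constructed `gpg --status-fd 1 --verify openssl-1.0.1g.tar.gz.asc` output.
STATUS = """\
[GNUPG:] GOODSIG 2222222222222222 Release Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2014-04-07 1396892834 0 4 0 1 8 00 2222222222222222222222222222222222222222
"""
# Constructed `gpg --with-colons --list-sigs 2222222222222222` output: two
# user IDs, each self-signed and certified by the pinned key (field 5 = key ID).
LISTING = """\
uid:-::::1396000000::HASH1::Release Signer <signer@example.invalid>::::::::::0:
sig:::1:2222222222222222:1396000000::::Release Signer <signer@example.invalid>:13x:::::2:
sig:::1:1111111111111111:1396100000::::Old Pinned Key <old@example.invalid>:10x:::::2:
uid:-::::1396000000::HASH2::Release Signer <alt@example.invalid>::::::::::0:
sig:::1:2222222222222222:1396000000::::Release Signer <alt@example.invalid>:13x:::::2:
sig:::1:1111111111111111:1396100000::::Old Pinned Key <old@example.invalid>:10x:::::2:
"""

def signer_fingerprint(status):
    # Field 3 of the VALIDSIG record is the full fingerprint of the signing key.
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            return parts[2].upper()
    return None

def certifiers_of_every_uid(listing):
    # Long key IDs whose 'sig' record appears under every 'uid' record.
    per_uid = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            per_uid.append(set())
        elif f[0] == "sig" and per_uid:
            per_uid[-1].add(f[4].upper())
    return set.intersection(*per_uid) if per_uid else set()

def verdict(status, listing, pinned):
    fpr = signer_fingerprint(status)
    if fpr is None:
        return "reject: no valid signature"
    if fpr in pinned:
        return "accept: signed by pinned key"
    if certifiers_of_every_uid(listing) & {p[-16:] for p in pinned}:  # v4 long ID
        return "review: unpinned key, every user ID certified by a pinned key"
    return "reject: unpinned key"
```

A "review" verdict is still a human decision: the certification only links the new key to the old one, it does not make the new key part of the pinned list until fingerprints.txt is updated and re-verified.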