[git] gnupg-doc - branch, master, updated. fa61217e26a97c4b9f3294746a581aee5eb47ad8

by Neal H. Walfield cvs at cvs.gnupg.org
Tue Nov 24 11:45:10 CET 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GnuPG website and other docs".

The branch, master has been updated
       via  fa61217e26a97c4b9f3294746a581aee5eb47ad8 (commit)
      from  a7cb96cf8a14560ee8f31525553cae6cad6ace1b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit fa61217e26a97c4b9f3294746a581aee5eb47ad8
Author: Neal H. Walfield <neal at gnu.org>
Date:   Tue Nov 24 11:44:33 2015 +0100

    web: Improve the text describing how to check a file's integrity.
    
    GnuPG-bug-id: 1648

diff --git a/web/download/integrity_check.org b/web/download/integrity_check.org
index 3825fbb..f9ef2d4 100644
--- a/web/download/integrity_check.org
+++ b/web/download/integrity_check.org
@@ -6,36 +6,87 @@
 * Integrity Check
 #+index: integrity check
 
-  In order to check that the version of GnuPG which you are going to
-  install is an original and unmodified one, you can do it in one of
-  the following ways.
+  You can check that the version of GnuPG that you want to install is
+  original and unmodified by either verifying the file's signature or
+  comparing the checksum with the one published in the release
+  announcement.
 
-** Using gpg
+** Verifying the File's Signature
 
   If you already have a trusted version of GnuPG installed, you can
-  simply check the supplied signature. For example to check the
-  signature of the file gnupg-{{{gnupg_ver}}}.tar.bz2 you would use
-  this command:
+  check the supplied signature.  For example, to check the signature
+  of the file gnupg-{{{gnupg_ver}}}.tar.bz2, you can use this command:
 
   {{{begin_example}}}
-  gpg {{{twodashes}}}verify gnupg-{{{gnupg_ver}}}.tar.bz2.sig gnupg-{{{gnupg_ver}}}.tar.bz2
+  $ gpg {{{twodashes}}}verify gnupg-{{{gnupg_ver}}}.tar.bz2.sig gnupg-{{{gnupg_ver}}}.tar.bz2
   {{{end_example}}}
 
-  This checks whether the signature file matches the source file. You
-  should see a message indicating that the signature is good and made
-  by of the [[../signature_key.org][signing keys]]. Make sure that you have the right key, either
-  by checking the fingerprint of that key with other sources or by
-  checking that the key has been signed by a trustworthy other key.
+  *Note: you should never use a GnuPG version you just downloaded to
+  check the integrity of the source* --- use an existing, trusted GnuPG
+  installation, e.g., the one provided by your distribution.
 
-  Never use a GnuPG version you just downloaded to check the integrity
-  of the source --- use an existing GnuPG installation.
+  If the output of the above command is similar to the following, then
+  either you don't have our distribution keys (our [[../signature_key.org][signing keys are
+  here]]) or the signature was generated by someone else and the file
+  should be treated suspiciously.
 
-** Using sha1sum
+  {{{begin_example}}}
+  gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
+  gpg: Can't check signature: No public key
+  gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
+  gpg: Can't check signature: No public key
+  {{{end_example}}}
+
+  If you instead see:
+
+  {{{begin_example}}}
+  gpg: Good signature from "Werner Koch (dist sig)" [unknown]
+  gpg: WARNING: This key is not certified with a trusted signature!
+  gpg:          There is no indication that the signature belongs to the owner.
+  Primary key fingerprint: D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
+  gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
+  gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe at fsij.org>" [unknown]
+  gpg: WARNING: This key is not certified with a trusted signature!
+  gpg:          There is no indication that the signature belongs to the owner.
+  Primary key fingerprint: 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06
+  {{{end_example}}}
 
-   If you are not able to use an old version of GnuPG, you have to
-   verify the SHA1 checksum. Assuming you downloaded the file
-   gnupg-{{{gnupg_ver}}}.tar.bz2, you would run the =sha1sum=
-   command like this:
+  then you have a copy of our keys and the signatures are valid, but
+  either you have not marked the keys as trusted or the keys are a
+  forgery.  In this case, at the very least, you should compare the
+  fingerprints that are shown to those on the [[../signature_key.org][signing keys page]].  Even
+  better is to compare the fingerprints with those shown on our
+  business cards, which we handout at events that we attend.
+
+  Ideally, you'll see something like:
+
+  {{{begin_example}}}
+  gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
+  gpg: Good signature from "Werner Koch (dist sig)" [full]
+  gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
+  gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe at fsij.org>" [full]
+  {{{end_example}}}
+
+  This means that the signature is valid and that you trust this key
+  (either you signed it or someone you trusted did).
+
+** Comparing Checksums
+
+   If you are not able to use an old version of GnuPG, you can still
+   verify the file's SHA1 checksum.  This is less secure, because if
+   someone modified the files as they were transferred to you, it
+   would not be much more effort to modify the checksums that you see
+   on this webpage.  As such, if you use this method, you should
+   compare the checksums with those in release announcement.  This is
+   sent to the gnupg-announce mailing list (among others), which is
+   widely mirrored.  Don't use the mailing list archive on this
+   website, but find the announcement on several other websites and
+   make sure the checksum is consistent.  This makes it more difficult
+   for an attacker to trick you into installing a modified version of
+   the software.
+
+   Assuming you downloaded the file gnupg-{{{gnupg_ver}}}.tar.bz2, you
+   can run the =sha1sum= command like this:
 
    {{{begin_chksum}}}
    sha1sum gnupg-{{{gnupg_ver}}}.tar.bz2
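Review bot: the three example outputs identify the keys by 8-hex-digit key IDs in the "Signature made ... using RSA key ID 4F25E3B6" lines, but the prose in the "[unknown]" paragraph only says to compare "the fingerprints that are shown"; it would help to state explicitly that the full value on the "Primary key fingerprint:" line is what must match the signing keys page, and that the short key ID in the "Signature made" line is not sufficient on its own. In the same paragraph, "which we handout at events" should read "which we hand out at events", and in the Comparing Checksums section "compare the checksums with those in release announcement" is missing an article ("in the release announcement"). The rest of the restructuring reads well: the strengthened warning about not using a freshly downloaded GnuPG and the three output cases (no public key, valid but untrusted, valid and trusted) cover the situations a user will actually hit.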
@@ -48,10 +99,6 @@
    {{{gnupg_sha1}}}  gnupg-{{{gnupg_ver}}}.tar.bz2
    {{{end_chksum}}}
 
-   To be sure that this page has not been tampered, you may want to
-   compare the list below with the one included in the announcement
-   mail posted to several mailing list.
-
 ** List of SHA-1 check-sums
 
    For your convenience, all SHA-1 check-sums available for software
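Review bot: removing the "To be sure that this page has not been tampered" paragraph here is fine, since its advice about comparing against the announcement mail now lives, in expanded form, in the new Comparing Checksums section above. One small consistency point: that section writes "SHA1 checksum" while this heading and its text write "SHA-1 check-sums"; pick one spelling for the page.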

-----------------------------------------------------------------------

Summary of changes:
 web/download/integrity_check.org | 95 ++++++++++++++++++++++++++++++----------
 1 file changed, 71 insertions(+), 24 deletions(-)


hooks/post-receive
-- 
The GnuPG website and other docs
http://git.gnupg.org