Copy Current GPG Installation to Another Server
CRivard at merkleinc.com
Tue Mar 17 22:27:24 CET 2015
How do you check the fingerprint?
From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Peter Lebbing
Sent: Tuesday, March 17, 2015 4:19 PM
To: Doug Barton
Cc: GnuPG Users
Subject: Re: Copy Current GPG Installation to Another Server
On 17/03/15 22:04, Doug Barton wrote:
> Assuming you get the package, the signature, and the fingerprint from
> the same *.gnupg.org resources, what does that buy you?
Assuming they're all protected by https, nothing.
What does verification of that signature buy you though? That your download wasn't corrupted?
> If you've somehow downloaded the wrong key by short Id, the signature
> won't validate. If you have the right key, it will. That's enough to
> tell the user that the contents of the package are unaltered.
If I were to place something nefarious inside a GnuPG download, I'd sign the result with a key I created with the short key ID 4F25E3B6. That way, your --recv-key command will retrieve both my key and Werner's, and the signature will happily validate. Creating a short key ID collision is peanuts and can be done with off-the-shelf software on a laptop.
This rakes in not just the people who don't check the signature, but also all those who just verify the short key ID. Since it's hardly any effort, I'd do it, even though it probably only gains me a few percent coverage.
> More extensive checking would be great, but would require a lot of
> documentation to teach the users how to do it ... are you volunteering
> to write it? :)
No, but I'm also not telling people they can verify using the short key ID. No guidance is better than wrong guidance, IMHO. No offence meant, I appreciate you helping him out. I'm just trying to give some constructive criticism.
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
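
As an added example (not part of the original thread and not GnuPG project code), one way to check the fingerprint rather than the short key ID is to compare the full fingerprint on the VALIDSIG line of `gpg --status-fd 1 --verify` output against one obtained out of band. The two fingerprints and the status lines are constructed placeholders that only share the short ID 4F25E3B6; the function names are hypothetical and a 40-hex-digit (v4) fingerprint is assumed.

```python
# Added example: pin the full fingerprint, never the 8-hex-digit short key ID.
# Both fingerprints are CONSTRUCTED placeholders, not real keys; they only
# share the short ID 4F25E3B6 discussed in the thread.
PINNED = "AAAA1111BBBB2222CCCC3333DDDD4444" + "4F25E3B6"
LOOKALIKE = "0123456789ABCDEF0123456789ABCDEF" + "4F25E3B6"


def sample_status(fpr):
    """Constructed `gpg --status-fd 1 --verify` output for a good signature."""
    return (
        f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed Signer\n"
        f"[GNUPG:] VALIDSIG {fpr} 2015-03-17 1426627644 0 4 0 1 8 00 {fpr}\n"
    )


def normalize(fpr):
    """Drop spaces and an optional 0x prefix; upper-case the hex digits."""
    fpr = fpr.replace(" ", "").upper()
    return fpr[2:] if fpr.startswith("0X") else fpr


def signer_fingerprints(status_text):
    """Primary-key fingerprint from every VALIDSIG status line."""
    found = []
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            # Field 12 is the primary key fingerprint when gpg emits it;
            # otherwise use the signing key fingerprint in field 3.
            found.append(parts[11] if len(parts) >= 12 else parts[2])
    return found


def signed_by_pinned_key(status_text, pinned_fpr):
    """True only if every valid signature comes from the pinned key."""
    pinned = normalize(pinned_fpr)
    if len(pinned) != 40:
        raise ValueError("pin the full 40-hex-digit fingerprint, not a key ID")
    fprs = signer_fingerprints(status_text)
    return bool(fprs) and all(f == pinned for f in fprs)


if __name__ == "__main__":
    print("same short ID:", PINNED[-8:] == LOOKALIKE[-8:])
    print("pinned key   :", signed_by_pinned_key(sample_status(PINNED), PINNED))
    print("lookalike key:", signed_by_pinned_key(sample_status(LOOKALIKE), PINNED))
```

With a real download, pass in the text captured from `gpg --status-fd 1 --verify`; the pinned fingerprint has to come from a channel other than the one that delivered the package.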