Copy Current GPG Installation to Another Server

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Wed Mar 18 00:34:45 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/17/2015 10:04 PM, Doug Barton wrote:
> On 3/17/15 1:54 PM, Peter Lebbing wrote:
>>>> -----Original Message-----



> 
> Assuming you get the package, the signature, and the fingerprint
> from the same *.gnupg.org resources, what does that buy you?

Strictly speaking there could be multiple servers hosting the various
resources, only one of which is compromised. It is also quite
common to download the source from a mirror rather than *.gnupg.org directly.

> 
> More extensive checking would be great, but would require a lot of 
> documentation to teach the users how to do it ... are you
> volunteering to write it? :)
> 

It's included in every announcement[0]. Just a verification by
cross-checking this information in various archives [1] mirroring the
announcement reduces the likelihood of an active compromise, and is a
far better way to try to bootstrap key validity in the absence of a
direct key path.

References:
[0] http://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000362.html
[1] http://permalink.gmane.org/gmane.org.fsf.announce/2278

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
"If you choose to sail upon the seas of banking, build your bank as
you would your boat, with the strength to sail safely through any storm."
(Jacob Safra (1891–1963))
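The cross-check described in the message above, sketched as an added example that is not part of the original post or of GnuPG: it compares the checksum and key-fingerprint lines found in several independently hosted copies of a release announcement and accepts only values that every copy agrees on. The archive labels, the file name, the digest, the fingerprint and the assumed line layout (`<sha1>  <file>` and `Key fingerprint = ...`) are constructed placeholders.

```python
import re
from collections import defaultdict

# "Key fingerprint = XXXX XXXX ..." as gpg prints it (40 hex digits in groups of 4).
FPR_RE = re.compile(r"fingerprint\s*[=:]\s*((?:[0-9A-F]{4}[ \t]*){10})", re.I)
# "<sha1 hex>  <filename>", tolerating "> " quoting added by mail archives.
SUM_RE = re.compile(r"^[ \t>]*([0-9a-f]{40})[ \t]+(\S+)[ \t]*$", re.M | re.I)

def extract(text):
    """Return (set of normalized fingerprints, {filename: digest}) from one copy."""
    fprs = {"".join(m.split()).upper() for m in FPR_RE.findall(text)}
    sums = {name: digest.lower() for digest, name in SUM_RE.findall(text)}
    return fprs, sums

def cross_check(copies):
    """copies maps an archive label to the announcement text fetched from it."""
    if len(copies) < 2:
        raise ValueError("need at least two independently hosted copies")
    parsed = {src: extract(text) for src, text in copies.items()}
    all_fprs = [f for f, _ in parsed.values()]
    agreed_fprs = set.intersection(*all_fprs)
    disputed_fprs = set.union(*all_fprs) - agreed_fprs
    seen = defaultdict(dict)                      # filename -> {source: digest}
    for src, (_, sums) in parsed.items():
        for name, digest in sums.items():
            seen[name][src] = digest
    agreed_sums, conflicts = {}, {}
    for name, by_src in seen.items():
        if len(set(by_src.values())) > 1:
            conflicts[name] = by_src              # sources disagree: stop and investigate
        elif len(by_src) == len(copies):
            agreed_sums[name] = next(iter(by_src.values()))
    return agreed_fprs, agreed_sums, disputed_fprs, conflicts

# Constructed sample data; the file name, digest and fingerprint are placeholders.
GOOD = """Release announcement (constructed sample)
0123456789abcdef0123456789abcdef01234567  example-1.0.tar.bz2
Key fingerprint = AAAA 1111 BBBB 2222 CCCC  3333 DDDD 4444 EEEE 5555
"""
QUOTED = "\n".join("> " + line for line in GOOD.splitlines())
TAMPERED = GOOD.replace("0123456789", "ffffffffff", 1).replace("AAAA 1111", "DEAD BEEF")

if __name__ == "__main__":
    print(cross_check({"archive-a": GOOD, "archive-b": QUOTED}))
    print(cross_check({"archive-a": GOOD, "archive-b": QUOTED, "archive-c": TAMPERED}))
```

Agreement between copies only helps when the copies come from hosts that would not all be compromised together; the fingerprint that survives is then compared with what `gpg --fingerprint` shows for the imported key.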


