Heuristics of gpg's output
stebe at mailbox.org
Sat Feb 13 18:20:09 CET 2016
Hi,
a few days ago I downloaded
http://gensho.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/debian-testing-amd64-DVD-1.iso
Resolving hostname »gensho.acc.umu.se (gensho.acc.umu.se)«...
130.239.18.176, 2001:6b0:e:2018::176
from a secondary mirror located in Sweden.
Before that I had installed DNSSEC-capable DNS resolver software as an
extension in my browser and set its standard URL as the standard DNS server in
my router. I did not activate the option that denies connections if no
DNSSEC record could be found/checked.
I looked for the available keys for the different CD releases, pointing my
browser to the Debian website (DNSSEC info says: OK):
pub 4096R/64E6EA7D 2009-10-03
Primary key fingerprint = 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D
uid Debian CD signing key <debian-cd at lists.debian.org>
pub 4096R/6294BE9B 2011-01-05
Primary key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
uid Debian CD signing key <debian-cd at lists.debian.org>
sub 4096R/11CD9819 2011-01-05
pub 4096R/09EA8AC3 2014-04-15
Primary key fingerprint = F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3
uid Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>
sub 4096R/6BD05CFB 2014-04-15
the last one in the list being the key I was looking for.
#verifying the signature I downloaded from that very server
LC_ALL=C gpg2 --verify SHA256SUMS.sign debian-testing-amd64-DVD-1.iso
gpg: Signature made Mon Feb 8 08:31:22 2016 CET using RSA key ID 09EA8AC3
gpg: BAD signature from "Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>"
me at mymachine:/media/sdb1$ LC_ALL=C gpg2 --edit-key 09EA8AC3
gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 4096R/09EA8AC3 created: 2014-04-15 expires: never usage: SC
trust: unknown validity: unknown
sub 4096R/6BD05CFB created: 2014-04-15 expires: never usage: E
[ unknown] (1). Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>
gpg> fpr
pub 4096R/09EA8AC3 2014-04-15 Debian Testing CDs Automatic Signing Key <debian-cd at lists.debian.org>
Primary key fingerprint: F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3
So, what does that information tell us?
Would that information suffice to think that the iso file is/was
compromised?
Would that information suffice to think that the server is/was
compromised?
What would such information tell us exactly?
I am trying to figure out what it does and what it does not tell us, in order
to better understand the heuristic scope of gpg's output.
Any help, hint or assessment is appreciated.
Cheers,
Stebe
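Editor's note with an added example. The command quoted in the post checks SHA256SUMS.sign against the ISO. A detached signature only ever verifies against the exact bytes it was computed over, and Debian publishes SHA256SUMS.sign as a signature over the SHA256SUMS file; the ISO is then compared with its own line in that file. The script below, which is the editor's own code and not the poster's or Debian's, carries that two-step check through and parses gpg's `--status-fd` lines, the machine-readable form of the "BAD signature" / "Good signature" text shown above, so that the verdict and the signing key's full fingerprint can be compared in code rather than by eye. The sample status output and the checksum file are constructed for the demo; `verify_image()`, `DEBIAN_TESTING_CD_FPR` and the other names are this example's own (the fingerprint value is the one listed in the post).

```python
#!/usr/bin/env python3
"""Added example (editor's code, not from the list post or the Debian project):
the intended use of SHA256SUMS.sign plus a parser for gpg --status-fd output.
All names, the sample status lines and the sample checksum file are constructed."""
import hashlib
import re
import subprocess

# Full fingerprint of the "Debian Testing CDs Automatic Signing Key" as listed
# on debian.org and in the post (the value to compare VALIDSIG against).
DEBIAN_TESTING_CD_FPR = "F41D30342F3546695F65C66942468F4009EA8AC3"

# Constructed status output in the shape gpg emits (no NEWSIG/plaintext lines):
# first what the post's command produces (signature checked against the ISO),
# then what a check against the file the signature was actually made over gives.
STATUS_WRONG_FILE = (
    "[GNUPG:] BADSIG 42468F4009EA8AC3 Debian Testing CDs Automatic Signing Key"
    " <debian-cd@lists.debian.org>\n"
)
STATUS_RIGHT_FILE = (
    "[GNUPG:] GOODSIG 42468F4009EA8AC3 Debian Testing CDs Automatic Signing Key"
    " <debian-cd@lists.debian.org>\n"
    "[GNUPG:] VALIDSIG F41D30342F3546695F65C66942468F4009EA8AC3 2016-02-08"
    " 1454916682 0 4 0 1 8 00 F41D30342F3546695F65C66942468F4009EA8AC3\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)

# Constructed stand-in for the ISO and for the SHA256SUMS file that lists it.
SAMPLE_ISO_NAME = "debian-testing-amd64-DVD-1.iso"
SAMPLE_ISO_BYTES = b"constructed stand-in for the image bytes\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


SAMPLE_SUMS_TEXT = (
    sha256_hex(SAMPLE_ISO_BYTES) + "  " + SAMPLE_ISO_NAME + "\n"
    + "0" * 64 + " *debian-testing-amd64-DVD-2.iso\n"   # binary marker form
)


def gpg_verify_argv(sig_path, signed_path, gpg="gpg2"):
    """gpg --verify takes the detached signature first and the signed data
    second. SHA256SUMS.sign was made over SHA256SUMS, so that file, not the
    ISO, is the second argument; any other data yields BAD signature."""
    return [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, signed_path]


def parse_gpg_status(status_text):
    """Reduce gpg --status-fd output to a verdict tuple.

    ("bad", <long key id>) for BADSIG, ("good", <fingerprint>) for a GOODSIG
    confirmed by VALIDSIG, ("none", None) if no verdict line was seen.
    TRUST_* lines describe the key's standing in the local web of trust, not
    whether the signature is mathematically correct, so they are ignored here."""
    keyid = fpr = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "BADSIG":
            return ("bad", fields[2])
        if tag == "GOODSIG":
            keyid = fields[2]
        elif tag == "VALIDSIG":
            fpr = fields[2]
    return ("good", fpr) if keyid and fpr else ("none", None)


def parse_sha256sums(text):
    """Map file name -> lowercase hex digest for '<64 hex>  name' or
    '<64 hex> *name' lines; anything else (comments, blanks) is skipped."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(.+)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def checksum_matches(name, digest, sums):
    """True only if the name is listed and its digest equals the listed one."""
    return sums.get(name) == digest.lower()


def sha256_of_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(sig_path, sums_path, iso_path, iso_name,
                 expected_fpr=DEBIAN_TESTING_CD_FPR):
    """Full check: good signature over SHA256SUMS by the expected key, then the
    ISO's SHA-256 against its line in that file. Needs gpg2 and the key."""
    proc = subprocess.run(gpg_verify_argv(sig_path, sums_path),
                          capture_output=True, text=True)
    verdict, ident = parse_gpg_status(proc.stdout)
    if verdict != "good":
        return (False, "signature on %s: %s %s" % (sums_path, verdict, ident))
    if ident != expected_fpr:
        return (False, "signed by unexpected key %s" % ident)
    with open(sums_path, encoding="utf-8", errors="replace") as f:
        sums = parse_sha256sums(f.read())
    if not checksum_matches(iso_name, sha256_of_file(iso_path), sums):
        return (False, "checksum mismatch for %s" % iso_name)
    return (True, "ok")


if __name__ == "__main__":
    # Offline demo on the constructed samples. A real run is:
    # verify_image("SHA256SUMS.sign", "SHA256SUMS", SAMPLE_ISO_NAME, SAMPLE_ISO_NAME)
    print("signature checked against the ISO  :", parse_gpg_status(STATUS_WRONG_FILE))
    print("signature checked against SHA256SUMS:", parse_gpg_status(STATUS_RIGHT_FILE))
    sums = parse_sha256sums(SAMPLE_SUMS_TEXT)
    print("ISO matches its SHA256SUMS line     :",
          checksum_matches(SAMPLE_ISO_NAME, sha256_hex(SAMPLE_ISO_BYTES), sums))
```

Two design points. First, the parser compares the VALIDSIG fingerprint, not the short key ID printed in the human-readable line: short IDs are easy to collide, so "RSA key ID 09EA8AC3" alone does not identify the key. Second, a BADSIG verdict only says that the signature does not match the data handed to gpg; it cannot by itself distinguish a tampered file from a signature checked against the wrong file.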