Verification via the web of trust

Peter Lebbing peter at digitalbrains.com
Tue Mar 22 19:40:43 CET 2016


On 22/03/16 19:14, Andrew Gallagher wrote:
> Real world example. I wanted to install the latest copy of Apache for
> windows. It is signed by one William A Rowe Jr. I do not know William A
> Rowe Jr, nor do I know any of the people who have signed his key, nor am
> I ever likely to meet them, let alone trust them enough to verify other
> keys on my behalf.

By the looks of it, you could get an interesting alternate trust path here.

You say you run Debian. You can download digitally signed source code through
Debian, and in this source code, I see this file:

https://anonscm.debian.org/cgit/pkg-apache/apache2.git/tree/debian/upstream/signing-key.pgp

My guess is that this is the list of keys accepted for apache2 source code for
the Debian builds. Your William A Rowe Jr is in there. Apparently Debian trusts
him, and if you download it with apt-get source, you can get a verified genuine
copy of this file. So if the signature is valid for the key in this file, you
can be pretty darn sure that you have the right one. Otherwise, somebody managed
to subvert the integrity system of Debian.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
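
As an added example (not part of Peter's mail, and not a script from the Debian or Apache projects), the following POSIX shell script carries out the alternate trust path he describes: fetch the Debian apache2 source package with `apt-get source` (which apt checks against the Debian archive keys), take the upstream keyring file `debian/upstream/signing-key.pgp` from it, import it into a throwaway GnuPG home, and verify the downloaded Apache artefact against that keyring only. It assumes a `deb-src` line is enabled, that `gpg` and `apt-get` are installed, and that the artefact and its detached `.asc` signature are already downloaded; the file names in the usage line are placeholders. The `status_accepts` function reads GnuPG's `--status-fd` output and accepts only when there is both a `GOODSIG` and a `VALIDSIG` whose fingerprint is one of those in the Debian-shipped keyring, so a "good" signature from some other key that happened to be present is rejected.

```shell
#!/bin/sh
# Added example: verify an Apache download against the upstream signing keys
# shipped in the Debian apache2 source package (debian/upstream/signing-key.pgp).
# Assumptions: deb-src enabled, gpg and apt-get installed, artefact and .asc
# signature already downloaded. File names below are placeholders.

# Read gpg --status-fd lines from stdin. Return 0 only when a GOODSIG was
# reported AND a VALIDSIG line names a fingerprint listed in the file $1
# (one acceptable fingerprint per line). GOODSIG alone is not enough: it
# only says some key in the keyring verified the data.
status_accepts() {
    good=0
    valid=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)
                good=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # Fields: [GNUPG:] VALIDSIG <fpr> <date> <ts> ... [<primary-fpr>]
                # Check every field so either the signing subkey or the
                # primary key fingerprint may match the accepted list.
                for f in $line; do
                    grep -qxF -- "$f" "$1" && valid=1
                done ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$valid" -eq 1 ]
}

# Fetch the Debian source, extract the upstream keyring, verify $1 (artefact)
# against $2 (detached signature) using only that keyring.
verify_apache_download() {
    artefact=$1
    signature=$2
    work=$(mktemp -d) || return 1
    home="$work/gnupg"
    mkdir -m 700 "$home" || return 1

    # apt-get source verifies the .dsc against the Debian archive keys;
    # that is the trust path we are borrowing.
    (cd "$work" && apt-get source apache2 >/dev/null) || { rm -rf "$work"; return 1; }

    keyring=$(find "$work" -path '*/debian/upstream/signing-key.pgp' | head -n 1)
    [ -n "$keyring" ] || { echo "upstream keyring not found" >&2; rm -rf "$work"; return 1; }

    # Import into the throwaway home and list the fingerprints it contains.
    gpg --batch --quiet --homedir "$home" --import "$keyring" || { rm -rf "$work"; return 1; }
    gpg --batch --homedir "$home" --with-colons --fingerprint --list-keys \
        | awk -F: '$1 == "fpr" { print $10 }' > "$work/accepted.fpr"

    # Verify; status lines go to stdout (fd 1), human-readable chatter is dropped.
    gpg --batch --homedir "$home" --status-fd 1 --verify "$signature" "$artefact" 2>/dev/null \
        | status_accepts "$work/accepted.fpr"
    result=$?
    rm -rf "$work"
    return "$result"
}

# Usage: sh verify-apache.sh httpd-PLACEHOLDER-win64.zip httpd-PLACEHOLDER-win64.zip.asc
if [ "$#" -eq 2 ]; then
    if verify_apache_download "$1" "$2"; then
        echo "OK: signature is from a key in Debian's apache2 upstream keyring"
    else
        echo "REJECT: signature not verified against the Debian-shipped keyring" >&2
        exit 1
    fi
fi
```

The keyring is imported into a fresh `--homedir` rather than the user's default one, so keys already in `~/.gnupg` cannot satisfy the check, and the fingerprint comparison means the result does not depend on GnuPG's own trust database at all: the only trust being exercised is the one the mail describes, namely that Debian ships that keyring file in a signed source package.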
