Verifying and checksumming new release is somewhat cumbersome
wk at gnupg.org
Thu Nov 26 21:10:50 CET 2020
and thanks for asking.
On Thu, 26 Nov 2020 19:12, john doe said:
> Is there a URL to download those sha1sums and those public keys as files?
The problem with sha1sums is that a single publication would be easy to
fake. The only known countermeasure is to widely distribute them. We
do have them on the website as you noticed, they are sent out by signed
mail to several thousand subscribers, and our and other mail archives
carry the release announcement with the checksums.
No, there is no single file with the checksums because that would be
too easy a target for an attacker.
> and for the public key I could do something like:
> $ wget <URL-OF-PUBLIC-KEYS>
> $ gpg --import <PUBLIC-KEYS-FILES>
> $ gpg --verify *.sig
And please check the printed fingerprint against copies of the
fingerprint distributed in the same way as the checksums. The keys are
also quite well connected in the Web-of-Trust, which can also help to
The advantage of the public keys and the fingerprints is that they do
not change and thus you only need to validate them once and sign
the keys so that you can trust them in the future.
The release signing key as well as most commit signing keys are token
based and thus it is very unlikely that this key material will be
leaked. The worst that could happen is that the build machine is
compromised by dedicated malware which swaps the to-be-signed data
during the build process - so we would sign them with the real key
without noticing. But well, that is quite advanced and enough people are
building from source and closely watching our repositories for signs of
intrusion.
> I understand that for this last step I could also do:
> $ gpg --keyserver-options auto-key-retrieve --verify *.sig
Don't. For verification always use
gpg --verify file.sig file
and check the output well. If you need to automate this, use gpgv and
put all the trusted signing keys into a dedicated keyring. For
automating this with gpg, I would suggest writing a gpgme-based tool.
Thoughts are free. Exceptions are governed by federal law.
More information about the Gnupg-users
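The automation the reply recommends (gpgv with a dedicated keyring, and checking the fingerprint rather than trusting whatever key turns up) as an added example; this is not code from the mail or from the GnuPG project. The `[GNUPG:]` status keywords are gpgv's real machine-readable output; the pinned fingerprint is a constructed placeholder to be replaced with the fingerprint you validated against independently distributed copies.

```python
import subprocess

# Fingerprints you have checked out of band against several independently
# distributed copies (placeholder value; fill in the real release-key fingerprints).
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Status keywords that make the verification fail whatever else was printed.
FATAL = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def evaluate_status(status_text, pinned=PINNED_FINGERPRINTS):
    """Decide from `gpgv --status-fd` output whether the data carries a good
    signature from one of the pinned keys.  Returns (ok, reason)."""
    matched = set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL:
            return False, line
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <sig-ts> <exp-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
            fpr = fields[2].upper()
            primary = fields[11].upper() if len(fields) > 11 else fpr
            # Accept a signing subkey only if its primary key is the pinned one.
            if fpr in pinned or primary in pinned:
                matched.add(primary)
    if not matched:
        return False, "no valid signature from a pinned key"
    return True, "valid signature from " + ", ".join(sorted(matched))


def verify_release(keyring, sig_path, data_path):
    """Run gpgv against a dedicated keyring (absolute path, never the user's
    default keyring) and evaluate its status lines, not its human output."""
    proc = subprocess.run(
        ["gpgv", "--keyring", keyring, "--status-fd", "1", sig_path, data_path],
        capture_output=True, text=True, check=False)
    ok, reason = evaluate_status(proc.stdout)
    # Require both the status lines and gpgv's exit code to agree.
    return ok and proc.returncode == 0, reason
```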