[gnutls-help] gpg verify issue with 3.4.9

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Mar 2 08:49:22 CET 2016


On Wed 2016-03-02 03:57:02 +0100, Mark Rager wrote:
> Please forgive me if I have made any egregious errors in my process, I was
> unable to find an associated IRC channel for this project.  I recently
> obtained 3.4.9 from gnutls.org and with the provided key was unable to
> validate the authenticity of the download.

I think you're misunderstanding the output of GnuPG:

> $ gpg --verify gnutls-3.4.9.tar.xz.sig gnutls-3.4.9.tar.xz
>
> gpg: Signature made Wed 03 Feb 2016 02:23:48 AM CST using RSA key ID 9013B842
> gpg: Good signature from "Nikos Mavrogiannopoulos <nmav at gnutls.org>"
> gpg:                 aka "Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>"
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
>
> Primary key fingerprint: 1F42 4189 05D8 206A A754  CCDC 29EE 58B9 9686 5171
>     Subkey fingerprint: A812 CBFD FCDC 4D0B E7A0  9312 9D5E AAF6 9013 B842
> $

This tells you that the signature over the package was made
correctly, and indicates the fingerprint of the signing key itself.
However, gnupg has no way of knowing whether the OpenPGP certificate
(which wraps the key) actually belongs to Nikos -- it does not know where
that certificate came from.

This is accurate, but does not indicate a security vulnerability in
GnuTLS.  If the key with fingerprint 1F42 4189 05D8 206A A754 CCDC 29EE
58B9 9686 5171 does belong to Nikos (i believe it does) then all is
well.

If you want to tell GnuPG that you believe that this key belongs to
Nikos, so that it does not warn you any longer about it, you can make a
non-exportable certification using your own OpenPGP key, like this:

 gpg2 --lsign '1F42 4189 05D8 206A A754  CCDC 29EE 58B9 9686 5171'

after that, verification of the package signature should not have the
WARNING: message.

Regards,

        --dkg
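An added example, not part of dkg's message and not GnuTLS' own tooling. The `--lsign` step above silences the warning for a person verifying interactively, but a script that greps the human-readable output for "Good signature" learns nothing about *which* key signed. The robust check is to ask gpg for machine-readable status lines (`--status-fd`, documented in GnuPG's doc/DETAILS) and pin the primary key fingerprint quoted in the message, so the result is independent of the local trust database. The sample status lines embedded below are constructed from the fingerprints and key ID in the quoted output; the timestamps are constructed as well.

```shell
#!/bin/sh
# Added example: script-safe verification of a GnuTLS release tarball.
# Pin the project's primary key fingerprint and check gpg's VALIDSIG
# status line instead of grepping "Good signature" / "WARNING".

# Primary key fingerprint quoted in the message, written the way gpg
# prints it on status lines (no spaces). Update it if the project's
# signing key changes.
EXPECTED_PRIMARY_FPR="1F42418905D8206AA754CCDC29EE58B996865171"

# check_validsig EXPECTED_FPR
# Reads gpg status lines on stdin. Succeeds (exit 0) only if a VALIDSIG
# line names EXPECTED_FPR as the primary key. Per doc/DETAILS the line is
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv> <pk> <hash> <class> <primary-key-fpr>
# so the last field is the primary key even when a subkey made the
# signature (as in the quoted output, where subkey 9013B842 signed).
# TRUST_UNDEFINED and the WARNING text are ignored: we pin the key instead.
check_validsig() {
    expected=$1
    found=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                primary=${line##* }          # last whitespace-separated field
                if [ "$primary" = "$expected" ]; then
                    found=0
                fi
                ;;
        esac
    done
    return $found
}

# verify_tarball FILE
# Runs gpg with status output on stdout (human output goes to stderr)
# and pipes it through check_validsig. Usage:
#   verify_tarball gnutls-3.4.9.tar.xz && echo "fingerprint pinned: OK"
verify_tarball() {
    tarball=$1
    gpg --status-fd 1 --verify "$tarball.sig" "$tarball" 2>/dev/null \
        | check_validsig "$EXPECTED_PRIMARY_FPR"
}

# Constructed sample of what gpg emits for the signature in the message:
# subkey A812...B842 signed, primary key 1F42...5171, no local trust.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] SIG_ID constructedSigId 2016-02-03 1454487828
[GNUPG:] GOODSIG 9D5EAAF69013B842 Nikos Mavrogiannopoulos <nmav@gnutls.org>
[GNUPG:] VALIDSIG A812CBFDFCDC4D0BE7A093129D5EAAF69013B842 2016-02-03 1454487828 0 4 0 1 10 00 1F42418905D8206AA754CCDC29EE58B996865171
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample of a signature from some other key: must be rejected.
OTHER_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2016-02-03 1454487828 0 4 0 1 10 00 1111111111111111111111111111111111111111
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# check_sample SAMPLE -> exit status of the pin check on a constructed sample
check_sample() {
    printf '%s\n' "$1" | check_validsig "$EXPECTED_PRIMARY_FPR"
}
```

Note that a key the signer has revoked still needs separate handling (gpg reports that with its own status lines); pinning the fingerprint only answers the question the WARNING raises, namely whether the signing key is the one you expect.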