Re: [gNewSense-users] gNewSense Repository PGP Key


From: Jason Self
Subject: Re: [gNewSense-users] gNewSense Repository PGP Key
Date: Sun, 13 Dec 2009 10:01:21 -0800

> Isn't a wiki an inherently bad place to post a PGP key?

There would be no harm in posting a public key on any website anywhere. In 
fact, public keys are supposed to be freely distributed and should be made as 
widely available as possible. It's the secret key that's supposed to remain, 
well, secret.

> It is clear that I don't understand the nuances of cryptographic key
> signing.

Perhaps you should read up on public key encryption.

http://en.wikipedia.org/wiki/Public_key_encryption
http://en.wikipedia.org/wiki/Man_in_the_middle_attack

> I thought that
> the purpose of the PGP key was to verify that the packages downloaded
> are: 
> a) the correct packages 
> and 
> b) downloaded without error.

You do use the public key to verify the authenticity of the software being 
downloaded, but someone else's public key cannot be used to verify a 
signature made with a different secret key... you need to use the public key 
that corresponds to the secret key used to do the actual signing.

So in your example, if the public key were put on the wiki and then someone 
replaced it with a different public key, and you relied upon this other key, 
your computer would throw an error after not being able to verify the digital 
signatures and it would quickly become obvious that something was up.
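The behaviour described above, shown as a small added example that is not part of the original message and not gNewSense's own tooling: it uses Ed25519 from Go's standard library in place of PGP, with a constructed stand-in for a repository's Release file. It signs the file with the repository's secret key and then tries to verify it three ways: with the genuine public key, with an unrelated key (as if the key on the wiki had been swapped), and against a download that was corrupted in transit. Only the first verifies; the other two fail exactly as the message says.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Outcome records whether signature verification succeeded in each situation.
type Outcome struct {
	GenuineKeyOK        bool // correct public key, untampered download
	SwappedKeyOK        bool // an unrelated public key substituted for the real one
	CorruptedDownloadOK bool // correct public key, but the download was altered in transit
}

// signRelease signs the release metadata with the repository's secret key.
func signRelease(secret ed25519.PrivateKey, release []byte) []byte {
	return ed25519.Sign(secret, release)
}

// verifyRelease checks the signature with whatever public key the client trusts.
func verifyRelease(trusted ed25519.PublicKey, release, sig []byte) bool {
	return ed25519.Verify(trusted, release, sig)
}

// RunScenario plays out the thread's example: the repository signs with its own
// secret key; the client then verifies with the genuine key, with a swapped key,
// and against a corrupted download.
func RunScenario() (Outcome, error) {
	// The repository's real keypair (constructed here; stands in for the PGP key).
	repoPub, repoSecret, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// An unrelated keypair, as if someone had replaced the key published on the wiki.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	if repoPub.Equal(otherPub) {
		return Outcome{}, errors.New("keys unexpectedly identical")
	}

	// A constructed stand-in for the repository's signed Release file.
	release := []byte("Origin: example-repo\nSuite: stable\nSHA256:\n 0123abcd 1234 main/binary-amd64/Packages\n")
	sig := signRelease(repoSecret, release)

	// Simulate a transfer error: copy the file and flip one bit.
	corrupted := append([]byte(nil), release...)
	corrupted[len(corrupted)-2] ^= 0x01

	return Outcome{
		GenuineKeyOK:        verifyRelease(repoPub, release, sig),
		SwappedKeyOK:        verifyRelease(otherPub, release, sig),
		CorruptedDownloadOK: verifyRelease(repoPub, corrupted, sig),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine key, intact download:    verified=%v\n", o.GenuineKeyOK)
	fmt.Printf("swapped key, intact download:    verified=%v\n", o.SwappedKeyOK)
	fmt.Printf("genuine key, corrupted download: verified=%v\n", o.CorruptedDownloadOK)
}
```

The same check is what apt performs on a signed Release file: the client's copy of the public key decides which signatures it accepts, which is why the key a client installs should be compared (by fingerprint) against a copy obtained through a second channel before it is trusted.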
