
[gNewSense-users] SSL/TLS/GPG: how to trust gNewSense downloads?


From: Sam Kuper
Subject: [gNewSense-users] SSL/TLS/GPG: how to trust gNewSense downloads?
Date: Fri, 20 Dec 2013 03:02:26 +0000

Dear all,

I just had a quick conversation on the #gnewsense IRC channel about
how to trust source or binary downloads from the gNewSense website.

My problem is that:

1. I'm not part of a GPG web of trust through which I can form a chain
to the keys used to sign releases on the gNewSense website; and

2. the gNewSense website does not support SSL/TLS.

In other words, neither of the standard mechanisms against MITM or
similar tampering is available to me with respect to gNewSense.

OK, so the next best thing is to download the gNewSense GPG keyring
file gnewsense-keyring.gpg from somewhere that does have a "secure"
connection (https://savannah.nongnu.org/project/memberlist-gpgkeys.php?group=gnewsense)
and try to verify downloads with that. First steps:

$ gpg --import gnewsense-keyring.gpg
gpg: key DF4DA2F8: public key "Anthony LETELLIER <address@hidden>" imported
gpg: key 27FCF12E: public key "Karl Goetz <address@hidden>" imported
gpg: key AA95C349: public key "Danny Clark <address@hidden>" imported
gpg: key 10E525F4: public key "Delyan Raychev (liberty4all) <address@hidden>" imported
gpg: key 47486962: public key "Jason Self <address@hidden>" imported
gpg: key C79A94CF: public key "Albino Biasutti Neto <address@hidden>" imported
gpg: key B6AD4643: public key "rsiddharth (rsd) <address@hidden>" imported
gpg: Total number processed: 7
gpg:               imported: 7  (RSA: 2)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

Well, alright. Now I download MD5SUMS.gpg from
http://archive.gnewsense.org/gnewsense-three/gnewsense/dists/parkes/main/installer-mipsel/current/images/
and try to verify it:

$ gpg --verify MD5SUMS.gpg
gpg: Signature made Mon  5 Aug 21:09:22 2013 BST using DSA key ID BF119352
gpg: Can't check signature: public key not found

Not so good. Anybody here able to help with this?

If not, is there an ETA for the implementation of SSL/TLS on the
gNewSense website; or a possibility the gNewSense project might start
serving its files through Savannah instead of (or in addition to)
directly from the gNewSense website, in order to benefit from
Savannah's HTTPS?

Many thanks,

Sam
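The failure shown in the post ("public key not found") and the success it was aiming for, as an added Python example that is not from the post or from the gNewSense project: it reads gpg's machine-readable `--status-fd` lines instead of the human-readable text, and only reports a download as trustworthy when the signing key's fingerprint is one pinned in advance (for instance from the keyring fetched over HTTPS). The sample status lines, the pinned fingerprint and the long key id are constructed; only the short id BF119352 comes from the post, and `verify_download` assumes `gpg` is on PATH.

```python
import subprocess

# Constructed fingerprint standing in for a release signer you have pinned.
TRUSTED_FPR = "1111222233334444555566667777888899990000"

def parse_status(status_text, trusted_fingerprints):
    """Interpret [GNUPG:] status lines; return (verdict, detail) where verdict
    is ok, missing_key, bad_signature, untrusted_signer or no_signature."""
    trusted = {f.replace(" ", "").upper() for f in trusted_fingerprints}
    signer = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "NO_PUBKEY":
            # The post's situation: the signing key (BF119352) is not in the
            # keyring, so gpg checks nothing and the file must not be trusted.
            return ("missing_key", fields[2])
        if keyword == "BADSIG":
            return ("bad_signature", fields[2])
        if keyword == "VALIDSIG":
            # fields[2]: fingerprint of the signing (sub)key;
            # fields[-1]: primary key fingerprint on modern gpg.
            signer = fields[2].upper()
            if signer in trusted or fields[-1].upper() in trusted:
                return ("ok", signer)
    if signer is not None:
        # Cryptographically valid, but made by a key nobody pinned.
        return ("untrusted_signer", signer)
    return ("no_signature", "")

def verify_download(signature_path, trusted_fingerprints, data_path=None):
    """Run gpg (assumed on PATH) and judge by status lines, not exit code."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path]
    if data_path:
        cmd.append(data_path)
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return parse_status(out, trusted_fingerprints)
# Constructed status output mirroring the post's failure; only the short
# id BF119352 is from the post, the rest of the long id is made up.
SAMPLE_MISSING = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789BF119352 17 2 00 1375733362 9
[GNUPG:] NO_PUBKEY 0123456789BF119352
"""
# Constructed success case, signed by the pinned key above.
SAMPLE_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG {TRUSTED_FPR} 2013-08-05 1375733362 0 4 0 17 2 00 {TRUSTED_FPR}
"""
```

For a detached signature such as MD5SUMS.gpg you would call `verify_download("MD5SUMS.gpg", [TRUSTED_FPR], "MD5SUMS")`; a `missing_key` verdict is exactly the post's outcome, and the key id it names tells you which key the keyring lacks.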


