
Re: About GPG-signing the public RSA keys of Debian machines



On Tue, Oct 10, 2006 at 09:57:33PM +0200, Florent Rougon wrote:
> > For those that don't know those files:
> > http://www.spi-inc.org/secretary/spi-ca.crt
> > http://www.spi-inc.org/secretary/spi-ca-fingerprint.txt

So Joerg just replaced them with the new ones:
http://www.spi-inc.org/secretary/spi-ca.crt
http://www.spi-inc.org/secretary/spi-ca.crt.fingerprint.txt

(The name on http://www.spi-inc.org/secretary is confusing, but points
to the right file.)

And the old ones are now at:
http://www.spi-inc.org/secretary/spi-ca-old.crt
http://www.spi-inc.org/secretary/spi-ca-old-fingerprint.txt

They're both part of the ca-certificates package in testing and
unstable:
new: /etc/ssl/certs/SPI_CA_2006-cacert.pem
old: /etc/ssl/certs/spi-ca.pem

> I didn't know these URLs, and I wouldn't bet they are well-known among
> DDs... Anyway, I can verify the GPG sig of spi-ca-fingerprint.txt, but
> then I don't know what the MD5 and SHA1 sums in it correspond to.
> 
> The file contains:
> 
>   MD5 Fingerprint=ED:85:3A:FD:32:43:13:73:91:4D:94:06:C4:10:EB:E5
> 
> but unfortunately:
> 
>   % md5sum /etc/ssl/certs/spi-ca.pem
>   33922a1660820e44812e7ddc392878cb  /etc/ssl/certs/spi-ca.pem

As pointed out by others, you can get to it using openssl.

But you can also try and import the key in your browser, and then say
examine/view certificate, at which point it should show you the
MD5 sum and SHA1 sum too.

The fingerprint of an ssh key is also something you don't check by
running md5sum on an id_rsa.pub file, you use ssh-keygen -l for it.
But it's a lot handier that the whole public key is also available
on the website.


Kurt
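
Why md5sum and the published fingerprint disagree, as an added example that is not part of the original message: a certificate fingerprint is a hash of the decoded DER bytes, while md5sum hashes the PEM text of the file. The sample bytes are constructed (not the SPI certificate or a real key) and all function names are hypothetical.

```python
import base64
import hashlib

# Constructed stand-ins: arbitrary bytes, not a real certificate or SSH key.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
SAMPLE_SSH_PUB = ("ssh-rsa "
                  + base64.b64encode(b"constructed key blob").decode("ascii")
                  + " user@example")

def pem_to_der(pem_text):
    """Return the bytes encoded between the BEGIN/END CERTIFICATE lines."""
    body, inside = [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----" and inside:
            return base64.b64decode("".join(body), validate=True)
        elif inside:
            body.append(line)
    raise ValueError("no complete CERTIFICATE block found")

def colon_hex(digest, upper):
    """Format a digest as colon-separated byte pairs."""
    text = digest.hex().upper() if upper else digest.hex()
    return ":".join(text[i:i + 2] for i in range(0, len(text), 2))

def cert_fingerprint(pem_text, algo="md5"):
    """Hash the DER bytes; same layout as the quoted fingerprint file."""
    return colon_hex(hashlib.new(algo, pem_to_der(pem_text)).digest(), True)

def file_checksum(pem_text, algo="md5"):
    """What md5sum or sha1sum print: a hash of the PEM text itself."""
    return hashlib.new(algo, pem_text.encode("ascii")).hexdigest()

def ssh_md5_fingerprint(pub_line):
    """MD5 over the decoded key blob, the second field of a .pub line.
    Current OpenSSH prints SHA256 by default; -E md5 selects this form."""
    blob = base64.b64decode(pub_line.split()[1], validate=True)
    return colon_hex(hashlib.md5(blob).digest(), False)

if __name__ == "__main__":
    print("MD5 Fingerprint=" + cert_fingerprint(SAMPLE_PEM))
    print("md5sum of file:  " + file_checksum(SAMPLE_PEM))
    print("ssh key (MD5):   " + ssh_md5_fingerprint(SAMPLE_SSH_PUB))
```

Because only the decoded bytes are hashed, the fingerprint stays the same when the PEM file is re-wrapped or saved with different line endings, whereas the md5sum value changes.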


