
Re: Canonical source for the new CD signing key's fingerprint?



on 21:03 Wed 16 Mar, Steve McIntyre (steve@einval.com) wrote:
> Dr. Ed Morbius wrote:
> >on 04:56 Wed 16 Mar, Todd A. Jacobs (codegnome.consulting+debian@gmail.com) wrote:
> >> I've recently downloaded the net installation image for Squeeze, but
> >> am really uncomfortable with the fact that I can't establish a firm
> >> trust path to the CD signing key. Is there a canonical place to get
> >> the fingerprint of this key, so that at least one can have some
> >> confidence that the key one is validating with is at least the
> >> widely-known (and generally accepted) one?
> >> 
> >> As a hack, I've done this on an Ubuntu 10.10 system:
> >> 
> >>   gpg --recv-keys 6294BE9B
> >>   gpg --keyring /usr/share/keyrings/debian-keyring.gpg -kvv 6294BE9B
> >> 
> >> While this shows that this particular key has been signed by some
> >> Debian developers, it doesn't actually validate that the key is the
> >> official key for verifying the ISOs.
> >> 
> >> Can anyone point me to ANY debian.org page that defines the official
> >> key for CD images? Major bonus for any official links to fingerprints
> >> for the CD signing key.
> >
> >You don't trust a key by where you got it.
> >
> >You trust a key by who's signed it.
> >
> >    http://www.rubin.ch/pgp/weboftrust.en.html
> >    http://www.pgpi.org/doc/pgpintro/
> >
> >Otherwise: you're saying you trust DNS more than PKI?
> >
> >It would be a Good Thing for the Debian CD signing key to be more widely
> >signed (assuming that 6294BE9B is in fact the signing key).
> >
> >My signing this email simply says that a person who has access to the
> >associated GPG private key wrote it, and (assuming the signature
> >validates), content hasn't been altered.
> >
> >Without known trusted signatures on my key, I could be anybody.
> 
> The CD signing key 6294BE9B has been signed by a number of people,
> including the CD team leader (me!), a previous DPL (well, also me!)
> and the two current Release Managers. I'll be adding more signatures
> soon, I hope. That key has not been in existence very long, and these
> things take time...

I did actually take the time to D/L the signing key, its signatures, and
/their/ signatures.  Though the current CD release key isn't
particularly well-signed, through other DDs there are many trust paths
which can arrive at it.  My comment was intentionally accentuating the
paranoid viewpoint.

Debian (and other free software projects) generally treat the whole
concept of software integrity and authentication through the development
and distribution chain far more rigorously than the proprietary world.

> In the meantime (and I've mentioned this to the OP over on the -cd
> list), an update to the Debian website should go live shortly listing
> all the keys we use / have used, as it seems some people prefer that
> to the WoT.

That list should, of course, be signed.  With a well-trusted key or
keys....


NB:  some Debian keys (DPL, security, etc.) are pretty widely
distributed and would make for good candidates to sign keys which are
periodically generated/updated (CD release keys, repo keys, etc).

-- 
Dr. Ed Morbius, Chief Scientist /            |
  Robot Wrangler / Staff Psychologist        | When you seek unlimited power
Krell Power Systems Unlimited                |                  Go to Krell!
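
The trust-path argument made in this thread (you trust a key by who has
signed it, and a widely-verified key such as a DPL key is a good signer
for short-lived CD release keys), worked through as an added example
that is not part of the original message or of Debian's own tooling.
It builds a toy web of trust with throwaway keys: an "introducer" key
standing in for a widely verified one certifies a fresh "CD signing"
key; a downloader who has only verified the introducer's fingerprint
out of band gets a trust path to the CD key, and the detached signature
on the checksum file is then accepted as *trusted* rather than merely
"Good signature".  Names, addresses and the ISO payload are constructed
for the demo; it assumes gpg >= 2.1 (for --quick-generate-key and
--quick-sign-key) and sha512sum or shasum.

```shell
#!/bin/sh
# Added example: toy web of trust with throwaway keys (nothing here is a real
# Debian key). Assumes gpg >= 2.1 and sha512sum (or shasum) on the PATH.
set -eu

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"   # where the project's keys live
USER_HOME="$WORK/user"       # the downloader's own keyring
mkdir -m 700 "$SIGNER_HOME" "$USER_HOME"
if command -v sha512sum >/dev/null 2>&1; then SUM=sha512sum; else SUM="shasum -a 512"; fi

g() {  # $1 = GNUPGHOME, rest = gpg arguments; demo keys carry no passphrase
  home=$1; shift
  GNUPGHOME=$home gpg --batch --yes --no-tty --pinentry-mode loopback --passphrase '' "$@"
}

fpr_of() {  # $1 = GNUPGHOME, $2 = user-id pattern -> primary key fingerprint
  GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}

key_validity() {  # $1 = GNUPGHOME, $2 = fingerprint -> validity letter ('-'/'q' none, f full, u ultimate)
  GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$2" 2>/dev/null | awk -F: '$1=="pub"{print $2; exit}'
}

verify_trusted() {  # $1 = GNUPGHOME, $2 = detached sig, $3 = file -> 0 only if GOODSIG *and* key is valid
  status=$(GNUPGHOME=$1 gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' || return 1
}

checksums_match() {  # compare the ISO stand-in against the signed SHA512SUMS
  (cd "$WORK" && $SUM --check --status SHA512SUMS)
}

# --- project side: the introducer certifies the CD key, the CD key signs the checksums
g "$SIGNER_HOME" --quick-generate-key 'Demo Introducer (stands in for a DPL key) <dpl@example.invalid>' ed25519 sign never
g "$SIGNER_HOME" --quick-generate-key 'Demo CD signing key <cd@example.invalid>' ed25519 sign never
DPL_FPR=$(fpr_of "$SIGNER_HOME" dpl@example.invalid)
CD_FPR=$(fpr_of "$SIGNER_HOME" cd@example.invalid)
g "$SIGNER_HOME" -u "$DPL_FPR" --quick-sign-key "$CD_FPR"

printf 'constructed stand-in for a netinst ISO\n' > "$WORK/debian-demo-netinst.iso"
(cd "$WORK" && $SUM debian-demo-netinst.iso > SHA512SUMS)
g "$SIGNER_HOME" -u "$CD_FPR" --armor --detach-sign --output "$WORK/SHA512SUMS.sign" "$WORK/SHA512SUMS"
g "$SIGNER_HOME" --armor --export "$DPL_FPR" > "$WORK/introducer.asc"
g "$SIGNER_HOME" --armor --export "$CD_FPR" > "$WORK/cd.asc"

# --- downloader, step 1: only the CD key (fetched "from somewhere") is in the keyring
g "$USER_HOME" --import "$WORK/cd.asc" 2>/dev/null
g "$USER_HOME" --check-trustdb 2>/dev/null
VALIDITY_BEFORE=$(key_validity "$USER_HOME" "$CD_FPR")          # '-' (or 'q'): no trust path
verify_trusted "$USER_HOME" "$WORK/SHA512SUMS.sign" "$WORK/SHA512SUMS" \
  && TRUSTED_BEFORE=yes || TRUSTED_BEFORE=no                      # plain --verify would still exit 0 here

# --- step 2: import the introducer whose fingerprint was verified out of band,
# mark it ultimately trusted, and let gpg recompute validity from the signatures
g "$USER_HOME" --import "$WORK/introducer.asc" 2>/dev/null
printf '%s:6:\n' "$DPL_FPR" | g "$USER_HOME" --import-ownertrust
g "$USER_HOME" --check-trustdb 2>/dev/null
echo "trust path to the CD key as gpg --check-sigs shows it:"
GNUPGHOME=$USER_HOME gpg --batch --check-sigs "$CD_FPR"

echo "CD key validity before/after introducer: $VALIDITY_BEFORE / $(key_validity "$USER_HOME" "$CD_FPR")"
echo "signature counted as trusted before/after: $TRUSTED_BEFORE / $(verify_trusted "$USER_HOME" "$WORK/SHA512SUMS.sign" "$WORK/SHA512SUMS" && echo yes || echo no)"
checksums_match && echo "checksums match the signed SHA512SUMS"

for h in "$SIGNER_HOME" "$USER_HOME"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
```

The point of verify_trusted is the part people usually skip: `gpg --verify`
exits 0 for any well-formed signature from a key in the keyring and only
warns on stderr that the key is not certified, so a script that checks the
exit status alone has verified nothing about *who* signed.  Parsing the
`--status-fd` lines for TRUST_FULLY/TRUST_ULTIMATE is what turns the
web-of-trust argument above into an enforceable check.  In step 1 the CD key
is present but unreachable, so the same signature is rejected; in step 2 one
certification from a key the downloader verified themselves is enough.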

