
Re: The "CD signing key" (6294BE9B)



I swear, I'm losing it. Blame it on my age, but I really don't want to
think I'm that old, yet.

On Sun, Mar 6, 2011 at 6:43 PM, Andrei Popescu <andreimpopescu@gmail.com> wrote:
> [not snipping in case you want to put it back on the list]

Yeah, I did intend to put this on the list, so I can find it again the
next time I forget how signing releases works.

> On Du, 06 mar 11, 08:54:01, Joel Rees wrote:
>> (I really hate embarrassing myself in my first post to a list. But, ...)
>
> Don't worry, you are not embarrassing yourself. It's very good that you
> ask these questions and the procedure is not quite clear.
>
>> On Sun, Mar 6, 2011 at 12:57 AM, Andrei Popescu
>> <andreimpopescu@gmail.com> wrote:
>> > On Sb, 05 mar 11, 23:47:38, Joel Rees wrote:
>> >>
>> >> I did go to the trouble of pulling the signatures and checksums off of
>> >> three different more-or-less randomly chosen mirrors, to check they
>> >> were the same, but I'd still feel a little more comfortable taking my
>> >> first spin with Debian if there were more evidence that the key that
>> >> the CDs are being signed with is officially claimed by the project.
>> >
>> > $ gpg --list-sigs 6294BE9B
>> > pub   4096R/6294BE9B 2011-01-05
>> > uid                  Debian CD signing key <debian-cd@lists.debian.org>
>> > sig          3442684E 2011-01-05  Steve McIntyre <steve@einval.com>
>> > sig          A40F862E 2011-01-05  Neil McGovern <maulkin@halon.org.uk>
>> > sig          95861109 2011-01-23  Ben Hutchings (DOB: 1977-01-11)
>> > sig          63C7CC90 2011-01-05  Simon McVittie <smcv@pseudorandom.co.uk>
>> > sig 3        6294BE9B 2011-01-05  Debian CD signing key <debian-cd@lists.debian.org>
>> > sub   4096R/11CD9819 2011-01-05
>> > sig          6294BE9B 2011-01-05  Debian CD signing key <debian-cd@lists.debian.org>
>>
>> Well, sure, if I have those in my gnupg keystore (or whatever that was called).
>>
>> I'm downloading and checking the timestamp/signature on a workstation
>> with Fedora on it. Which means that I had to dig back through the
>> gnupg docs and the debian documentation site to figure out how to do the
>>
>> gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
>>
>> and, even then, I get a message that the userid can't be found on each
>> of those userids. Oh.
>>
>> Now that I do a
>>
>> gpg --keyserver keyring.debian.org --recv-keys 3442684E A40F862E
>> C542CD59 63C7CC90 1B3045CE
>>
>> I get the names and e-mail addresses associated with the keys.
>>
>> > Now you need to find a trust-path to one of them. If you have a trusted
>> > Debian system you can install the package debian-keyring, which should
>> > contain at least one (most probably all) of the keys above.
>>
>> Is there an RPM for that? ;-/
>>
>> Actually, an RPM for it might not be a bad idea, for perpetual newbies
>> like me. :-( Except that I wouldn't really want Debian keys mixed with
>> Fedora keys in the Fedora system. (I pulled the Debian keys into a
>> non-admin user on the Fedora system that I never use, except for
>> going to places I think I can trust for downloading system software.)
>>
>> However, if the CD signing key had shown up in an announcement like
>> the archiving keys did, I'd be sure enough that the key is both from
>> the debian organization and that it is valid. (Out-of-band
>> confirmation.) I trust the sites under debian.org for this more than I
>> trust random keyservers I've never heard of.
>
> I agree that the CD signing key should be announced as well, but you
> sure are aware that this is not a real trust-path either.

Right. That's why I compare (diff or cmp) the posted checksums from
several randomly chosen mirrors. Reduces the chance of a
man-in-the-middle going unnoticed, and of getting a rogue mirror, etc.

If someone doesn't beat me to it, I plan someday to build a tool that
takes the mirror list, automatically picks several, and pulls the
checksums off each to compare them. Still not ironclad, but adds
another low-to-medium wall for all but the truly motivated attackers.

I've also got to start getting around to the local conferences so I
can start working on the human networking thing.

> You might want to post to debian-cd about this, but do search the
> archives first, in case it was already discussed.

Don't see anything there back to January. Should I cross-post this? 8-p

>> And I trust keyring.debian.org as much for this as I trust the gnu.org
>> keyserver for it.
>>
>> I did, eventually, find the tracking list for the keyring package, but
>> by then I wasn't sure what I was looking at any more, it was late, and
>> I couldn't keep my eyes open. (Dang, I hate getting old.)
>>
>> >> Okay, I did a gpg --recv-keys on the key 6294BE9B from
>> >> keyring.debian.org , and tried gpg --verify on the downloaded netinst
>> >> image, and got the bad signature message. (I think I got the syntax
>> >> right.)
>>
>> (erk. Thought I had.)
>>
>> > Do you mind posting the exact commands used and output?
>>
>> Heh.
>>
>> Here's the wrong command I used:
>>
>> gpg --verify SHA512SUMS.sign debian-6.0.0-i386-netinst.iso
>>
>> While I was taking a shower, I realized that the list of checksums was
>> what was signed, not the CD image.
>>
>> gpg --verify SHA512SUMS.sign SHA512SUMS
>>
>> produces the valid signature result. I had previously used openssl to
>> check the checksums, so I knew the checksums matched, just didn't have
>> full confidence that the signing key was correct until I figured out
>> the semantic error in my syntax. I mean, until I realized I was
>> checking the signature against the wrong file.
>
> At least this part is now clear ;)

Yeah, thanks.

> Regards,
> Andrei
> --
> If you can't explain it simply, you don't understand it well enough.
> (Albert Einstein)
>
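The multi-mirror checksum comparison Joel says he plans to build, together with the signed-list check the thread ends on, sketched as an added example (not code from this thread or from Debian). It assumes each mirror's SHA512SUMS and SHA512SUMS.sign have already been downloaded into their own local directory and that a keyring path is supplied; the download step is left out so the script runs offline on constructed data.

```shell
# Added example, not from the thread. Each mirror's SHA512SUMS (and .sign) is
# assumed already downloaded into its own directory; fetching is left out.

# all_mirrors_agree DIR...: byte-compare every mirror's SHA512SUMS with the
# first one (cmp, as done by hand in the thread). 0 = identical, 1 = differ.
all_mirrors_agree() {
    first="$1/SHA512SUMS"
    shift
    for d in "$@"; do
        cmp -s "$first" "$d/SHA512SUMS" || return 1
    done
    return 0
}

# verify_signed_sums DIR KEYRING: the detached signature covers the checksum
# list, so the list (not the ISO) is what goes after SHA512SUMS.sign.
verify_signed_sums() {
    gpg --no-default-keyring --keyring "$2" \
        --verify "$1/SHA512SUMS.sign" "$1/SHA512SUMS"
}

# iso_matches_sums SUMS ISO: take this image's line from the verified list and
# compare it with a local SHA-512. 0 = match, 1 = differs, 2 = not listed.
iso_matches_sums() {
    expected=$(awk -v f="$(basename "$2")" '$2 == f { print $1 }' "$1")
    [ -n "$expected" ] || return 2
    actual=$(sha512sum "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# demo: constructed data (a tiny fake "ISO", three mirror copies, the third
# tampered afterwards) so the logic runs with no network and no keyring.
demo() {
    t=$(mktemp -d)
    iso="$t/debian-6.0.0-i386-netinst.iso"
    printf 'constructed fake image\n' > "$iso"
    h=$(sha512sum "$iso" | awk '{ print $1 }')
    for m in m1 m2 m3; do
        mkdir "$t/$m"
        printf '%s  debian-6.0.0-i386-netinst.iso\n' "$h" > "$t/$m/SHA512SUMS"
    done
    all_mirrors_agree "$t/m1" "$t/m2" "$t/m3" && echo "mirrors agree"
    iso_matches_sums "$t/m1/SHA512SUMS" "$iso" && echo "iso matches signed list"
    printf '0000  debian-6.0.0-i386-netinst.iso\n' > "$t/m3/SHA512SUMS"
    all_mirrors_agree "$t/m1" "$t/m2" "$t/m3" || echo "m3 differs: suspect it"
    rm -rf "$t"
}

demo
```

Agreement between mirrors only shows the copies match each other; the key behind SHA512SUMS.sign still has to be trusted separately, which is the point Andrei makes above.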