Re: The "CD signing key" (6294BE9B)
I swear, I'm losing it. Blame it on my age, but I really don't want to
think I'm that old, yet.
On Sun, Mar 6, 2011 at 6:43 PM, Andrei Popescu <firstname.lastname@example.org> wrote:
> [not snipping in case you want to put it back on the list]
Yeah, I did intend to put this on the list, so I can find it again the
next time I forget how signing releases works.
> On Du, 06 mar 11, 08:54:01, Joel Rees wrote:
>> (I really hate embarrassing myself in my first post to a list. But, ...)
> Don't worry, you are not embarrassing yourself. It's very good that you
> ask these questions and the procedure is not quite clear.
>> On Sun, Mar 6, 2011 at 12:57 AM, Andrei Popescu
>> <email@example.com> wrote:
>> > On Sb, 05 mar 11, 23:47:38, Joel Rees wrote:
>> >> I did go to the trouble of pulling the signatures and checksums off of
>> >> three different more-or-less randomly chosen mirrors, to check they
>> >> were the same, but I'd still feel a little more comfortable taking my
>> >> first spin with Debian if there were more evidence that the key that
>> >> the CDs are being signed with is officially claimed by the project.
>> > $ gpg --list-sigs 6294BE9B
>> > pub 4096R/6294BE9B 2011-01-05
>> > uid Debian CD signing key <firstname.lastname@example.org>
>> > sig 3442684E 2011-01-05 Steve McIntyre <email@example.com>
>> > sig A40F862E 2011-01-05 Neil McGovern <firstname.lastname@example.org>
>> > sig 95861109 2011-01-23 Ben Hutchings (DOB: 1977-01-11)
>> > sig 63C7CC90 2011-01-05 Simon McVittie <email@example.com>
>> > sig 3 6294BE9B 2011-01-05 Debian CD signing key <firstname.lastname@example.org>
>> > sub 4096R/11CD9819 2011-01-05
>> > sig 6294BE9B 2011-01-05 Debian CD signing key <email@example.com>
>> Well, sure, if I have those in my gnupg keystore (or whatever that was called).
>> I'm downloading and checking the timestamp/signature on a workstation
>> with Fedora on it. Which means that I had to dig back through the
>> gnupg docs and the debian documentation site to figure out to do the
>> gpg --keyserver keyring.debian.org --recv-keys 6294BE9B
>> and, even then, I get a message that the userid can't be found on each
>> of those userids. Oh.
>> Now that I do a
>> gpg --keyserver keyring.debian.org --recv-keys 3442684E A40F862E
>> C542CD59 63C7CC90 1B3045CE
>> I get the names and e-mail addresses associated with the keys.
>> > Now you need to find a trust-path to one of them. If you have a trusted
>> > Debian system you can install the package debian-keyring, which should
>> > contain at least one (most probably all) of the keys above.
>> Is there an RPM for that? ;-/
>> Actually, an RPM for it might not be a bad idea, for perpetual newbies
>> like me. :-( Except that I wouldn't really want Debian keys mixed with
>> Fedora keys in the Fedora system. (I pulled the Debian keys into a
>> non-admin user on the Fedora system that I never use, except for
>> going to places I think I can trust for downloading system software.)
>> However, if the CD signing key had shown up in an announcement like
>> the archiving keys did, I'd be sure enough that the key is both from
>> the debian organization and that it is valid. (Out-of-band
>> confirmation.) I trust the sites under debian.org for this more than I
>> trust random keyservers I've never heard of.
> I agree that the CD signing key should be announced as well, but you
> sure are aware that this is not a real trust-path either.
Right. That's why I compare (diff or cmp) the posted checksums from
several randomly chosen mirrors. Reduces the chance of a
man-in-the-middle going unnoticed, and of getting a rogue mirror, etc.
If someone doesn't beat me to it, I plan someday to build a tool that
takes the mirror list, automatically picks several, and pulls the
checksums off each to compare them. Still not ironclad, but adds
another low-to-medium wall for all but the truly motivated attackers.
I've also got to start getting around to the local conferences so I
can start working on the human networking thing.
> You might want to post to debian-cd about this, but do search the
> archives first, in case it was already discussed.
Don't see anything there back to January. Should I cross-post this? 8-p
>> And I trust keyring.debian.org as much for this as I trust the gnu.org
>> keyserver for it.
>> I did, eventually, find the tracking list for the keyring package, but
>> by then I wasn't sure what I was looking at any more, it was late, and
>> I couldn't keep my eyes open. (Dang, I hate getting old.)
>> >> Okay, I did a gpg --recv-keys on the key 6294BE9B from
>> >> keyring.debian.org , and tried gpg --verify on the downloaded netinst
>> >> image, and got the bad signature message. (I think I got the syntax
>> >> right.)
>> (erk. Thought I had.)
>> > Do you mind posting the exact commands used and output?
>> Here's the wrong command I used:
>> gpg --verify SHA512SUMS.sign debian-6.0.0-i386-netinst.iso
>> While I was taking a shower, I realized that the list of checksums was
>> what was signed, not the CD image.
>> gpg --verify SHA512SUMS.sign SHA512SUMS
>> produces the valid signature result. I had previously used openssl to
>> check the checksums, so I knew the checksums matched, just didn't have
>> full confidence that the signing key was correct until I figured out
>> the semantic error in my syntax. I mean, until I realized I was
>> checking the signature against the wrong file.
> At least this part is now clear ;)
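The cross-mirror checksum comparison Joel plans, followed by the verification step he eventually got right (the signature is over SHA512SUMS, not the ISO), as an added shell example that is not part of the thread; the mirror directories, file names and the "iso" contents are constructed for illustration, and fetching from real mirrors is assumed to have happened already.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the SHA512SUMS copies
# were already fetched into one directory per mirror; fetching is
# out of scope. Checks the copies agree, then verifies the ISO.

# SHA-512 of a file: sha512sum on Linux, shasum as a fallback.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# compare_mirrors DIR...: succeed only if every DIR/SHA512SUMS is
# byte-identical to the first (cmp, as in the thread). One differing
# copy is enough to stop; that is the point of polling several mirrors.
compare_mirrors() {
    ref="$1/SHA512SUMS"
    [ -f "$ref" ] || { echo "missing $ref" >&2; return 1; }
    shift
    for dir in "$@"; do
        cmp -s "$ref" "$dir/SHA512SUMS" ||
            { echo "checksum list differs: $dir/SHA512SUMS" >&2; return 1; }
    done
}

# verify_iso ISO SUMS: the signature covers SUMS (not the ISO), so
# check SUMS.sign first when gpg and the .sign file are available
# (the key must already be in the keyring, e.g. via --recv-keys),
# then compare the listed hash for the ISO's basename with the file.
verify_iso() {
    iso="$1"; sums="$2"
    if [ -f "$sums.sign" ] && command -v gpg >/dev/null 2>&1; then
        gpg --verify "$sums.sign" "$sums" || return 1
    fi
    # Entries look like "<hash>  name" or "<hash> *name" (binary mode).
    expected=$(awk -v f="$(basename "$iso")" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $iso in $sums" >&2; return 1; }
    actual=$(sha512_of "$iso")
    [ "$expected" = "$actual" ] ||
        { echo "hash mismatch for $iso" >&2; return 1; }
}
```

A run would look like `compare_mirrors mirror1 mirror2 mirror3 && verify_iso debian-6.0.0-i386-netinst.iso mirror1/SHA512SUMS`; a rogue or stale mirror fails the first step, a corrupted download fails the second.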