
Re: gpg says no user ID



Hi,

the program gpg writes about the Debian CD signing key DA87E80D6294BE9B :
> > > WARNING: This key is not certified with a trusted signature!
> > > There is no indication that the signature belongs to the owner

I wrote:
> > This is a security usability problem. How is a non-expert to know that
> > this warning can be ignored, while others must be tended to?

Jeffrey Walton wrote:
> This is a security usability problem. How is a non-expert to know that
> this warning can be ignored, while others must be tended to?

Yep. Didactically it is quite unfortunate.

It would be interesting to learn how to connect the key to a web of trust
which would suppress this warning everywhere.
But reading
  https://www.gnupg.org/gph/en/manual/x334.html
  "Validating other keys on your public keyring"
  https://gnupg.org/download/integrity_check.html
  (GnuPG's own download integrity check prescriptions)
I get the impression that there is no global web of trust to attach to.


> The answer is, the non-expert does not know.

Nearly nobody can judge how safe a gpg signature is. The algorithms are
complicated and the interface towards human users invites mistakes
and misunderstandings.


> >   https://www.debian.org/CD/verify

> The page does not provide a prescriptive recipe on how to do what it
> says to do.

In general one cannot give such a recipe without knowing the system
on which the verification shall happen.
But I agree that a tangible example for an existing Debian old-stable
system could help even those who use something else.


> >   Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
> >   echo "DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B" | sed -e 's/ //g'

> Something needs to be fixed here.

I meanwhile get the impression that this is not needed in real life, because
my local gpg states the fingerprint with the same blanks as on the Debian web
page:

  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

So I assume that Thomas George's reported line

  ...Primary key fingerprint: DF9B9C49EAA9298432589D76DA87E80D6294BE9B

fell victim to editing or mail client.

(But we see how difficult it is to give a general description of the
procedure.)


> One last thought... https://www.debian.org/CD/verify should probably
> be moved to the wiki.

That would probably not be a good idea.
The page offers the official keys for download and states their official key
fingerprints. Such a page should be editable only by the most authorized
people.

But www.debian.org/CD/verify could point to a public wiki where users
show their favorite ways to do the verification.
Such a wiki would of course need to be constantly observed by users who
dispute and remove any attempt of deception.


Have a nice day :)

Thomas
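A tangible example of the verification recipe discussed in this message, added here as an illustration; it is not part of the thread and not the procedure text of www.debian.org/CD/verify. It is a POSIX shell script that normalizes the fingerprint (so the spaced form from the web page, gpg's "Primary key fingerprint:" form and a mailer-mangled unspaced form all compare equal) and takes the signing key's fingerprint from gpg's machine-readable VALIDSIG status line instead of from the human-readable output where the "not certified with a trusted signature" warning appears. It assumes gpg is installed, the Debian CD signing key is already on the local keyring, and SHA256SUMS plus SHA256SUMS.sign are in the current directory; the SAMPLE_STATUS line is constructed so the parsing and comparison can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread or from debian.org): verify a Debian
# SHA256SUMS file against the CD signing key by comparing fingerprints.
# Assumes: gpg is installed, the CD signing key DA87E80D6294BE9B is already
# on the local keyring, and SHA256SUMS / SHA256SUMS.sign are in the current
# directory.

# Fingerprint exactly as printed on https://www.debian.org/CD/verify.
EXPECTED_FPR='DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B'

# Constructed sample of a "gpg --status-fd" line, for running this offline.
# Only the fingerprint fields are meaningful; the date/time fields are dummies.
SAMPLE_STATUS='[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2000-01-01 946684800 0 4 0 1 10 01 DF9B9C49EAA9298432589D76DA87E80D6294BE9B'

# Remove blanks/tabs and fold to upper case, so the web page's spaced form,
# gpg's "Primary key fingerprint:" form and a mailer-mangled unspaced form
# all compare equal. The "sed -e 's/ //g'" from the thread does the first
# half of this.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# True (exit 0) when both arguments are the same 40 hex digits.
same_fpr() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Read "gpg --status-fd" output on stdin and print the primary key fingerprint
# (last field) of the first VALIDSIG line. gpg emits VALIDSIG only when the
# signature itself checks out, and it emits it whether or not the key is
# trusted, so the "not certified with a trusted signature" warning does not
# affect this check.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Run gpg on a detached signature ($1) over a data file ($2) and print the
# fingerprint of the primary key that made the signature, or nothing.
primary_fpr_of_sig() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | primary_fpr_from_status
}

# Full check: the signature must be valid AND made by the expected key.
verify_debian_checksums() {
    got=$(primary_fpr_of_sig SHA256SUMS.sign SHA256SUMS)
    if [ -z "$got" ]; then
        echo "gpg reported no valid signature on SHA256SUMS" >&2
        return 1
    fi
    if ! same_fpr "$got" "$EXPECTED_FPR"; then
        echo "SHA256SUMS signed by $got, expected $(normalize_fpr "$EXPECTED_FPR")" >&2
        return 1
    fi
    echo "SHA256SUMS signature is from the Debian CD signing key"
    # Now the checksums themselves; --ignore-missing skips images not downloaded.
    sha256sum -c --ignore-missing SHA256SUMS
}

# Offline demonstration of the parsing and comparison on the sample line.
demo_fpr=$(printf '%s\n' "$SAMPLE_STATUS" | primary_fpr_from_status)
if same_fpr "$demo_fpr" "$EXPECTED_FPR"; then
    echo "sample VALIDSIG line matches the debian.org fingerprint"
fi

# Real run, only when the files are present.
if [ -f SHA256SUMS.sign ] && [ -f SHA256SUMS ]; then
    verify_debian_checksums
fi
```

The point of comparing against VALIDSIG's last field is that it is the primary key fingerprint even when the signature was made by a subkey, and that a BADSIG or missing key produces no VALIDSIG line at all, so the script fails closed instead of depending on a human reading the warning text.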

