Category Archives: pgp

Scripting with gpg

I have a build script that may, as a matter of convenience, download and build a third-party software package.  Before the build script goes into any release, I want to tighten up its security to ensure it verifies the PGP signature on the package.

OK, I can do that in a Makefile using two separate targets: the tarball, and the verified tarball.  I thought I could make the latter a link to the former, using something like:

gpg –verify $(TARBALL).asc $(TARBALL) \
&& ln $(TARBALL) $(TARBALL-VERIFIED) \
|| (echo “### Please verify $(TARBALL) ###” && exit 1)

However, this is failing me, because gpg is too trusting:

$ gpg –verify nginx-1.7.3.tar.gz.asc nginx-1.7.3.tar.gz
gpg: Signature made Tue 8 Jul 14:22:56 2014 BST using RSA key ID A1C052F8
gpg: Good signature from “Maxim Dounin <email.suppressed>”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8

$ echo $?
0

(OK, now you know the identity of $(TARBALL))

It has not verified that the signature is trusted, but it still thinks all’s well.  Ouch!  I can verify the signature manually (if rather weakly) but I’d rather not try to script that.  Nor do I want to concern myself with issues that might change with each new nginx release, or with changes of pgp keys.

A bit of googling finds this message, from which it appears this was a known bug but fixed in GnuPG version 1.4.2.1 back in 2006 (and yes, my gpg version is more recent than that)!  Was that a non-fix that only tells you if it’s a BAD signature or no PGP data at all?  That would be no more useful than an MD5 or SHA checksum!

OK folks, what am I missing?  What do you use to script the verification of a package?

Keysigning

I’ve got around to the most tedious post-FOSDEM chore: keysigning.  Last night I signed 89 keys verified at the keysigning, and this morning I imported a bunch of signatures people have mailed me (though I expect the latter may continue arriving for a while).  All great for building a web of trust, especially in terms of bootstrapping the new 4096-bit key.

The FOSDEM keysigning event itself was … different.  It took place outdoors, with a gusting wind that made wielding a wodge of paper quite challenging, let alone writing on it, all the while with an extra hand required to exchange identity documents with everyone.  At least it didn’t rain!

This year’s FOSDEM weekend was quite mild for early February – in contrast to the past two years.  I was fine in just my middling-weight fleece and good layer of natural organic insulation, but then I’m always fine when others are shivering.  It was evidently a bit more of an ordeal for some from warmer climes, leaving one with a hint of a moral dilemma.  Surely as a gentleman I should go to the aid of the (very attractive) spanish girl who was visibly suffering from cold/wind?  But alas, that defeats the purpose of being out there in the first place, not to mention being open to …. interpretation.  Maybe I’ll take Don Quixote to next year’s FOSDEM, to be mentally prepared for chivalrous folly 😉

If anyone thinks I should have signed their key but haven’t, feel free to drop me a line.  If it’s because I didn’t in fact make a note of having verified your identity, then sorry, no deal.  But it could also be that I overlooked someone when reviewing my notes last night, in which case I’ll be happy to re-check the notes for the tick against your key.

FOSDEM, and new PGP key

I’ve booked my travel and hotel for FOSDEM.  Arriving Friday early evening, leaving Monday after lunch, so I have a few hours beyond the core event.  Hope to meet some of my readers in person next weekend in Brussels!

In preparation for FOSDEM, I uploaded my PGP key to FOSDEM’s server for the keysigning – assuming I make it this year!  And in doing so, I found a spare round tuit to generate a new 4096-bit key in anticipation of a time when Moore’s law overtakes my existing 1024-bit key.  My new key has number B87F79A9 and fingerprint
3CE3 BAC2 EB7B BC62 4D1D  22D8 F3B9 D88C B87F 79A9
and should by now be propagating its way around the keyservers, along with my signature with the old key.

This year I’ll be actively looking at the jobs desk, for anyone whose needs might fit my expertise and aspirations.

Keysigning

We had a very small keysigning last Wednesday at ApacheCon (thanks Jean-Frederic Clere for organising it). I exchanged identity details with about 20 others, many of whom I already know.

Today I got around to digging up my list of details, and signing 11 keys I hadn’t already signed from some earlier event. If you were there and I got your details, my signature on your key should now appear on the keyservers.

Keysigning

As ever at ApacheCon, Sander Temme organised a PGP keysigning party. This year (unlike last) I got my arse into gear in time to make it. There are some new signatures on my key. And I’ve just been through signing keys of people whose identities I confirmed, and who I hadn’t already signed. A few of them were surprising: people whose keys I’d have guessed I’d already signed. And one who needed a new key signing, as the one I’d signed previously was on a laptop that got stolen, so he revoked it.

The keys I’ve signed, I’ve uploaded to the keyservers. Generating ascii-armoured signatures and mailing them to people is more faff than I want to engage in just now