[Dnsmasq-discuss] Secure download of dnsmasq

Oskar Lundström olgservicemail at gmail.com
Tue Oct 24 06:17:28 BST 2017


Thanks!

I'm new to gpg. How do I know E19135A2 is the fingerprint of your public key, and not someone else's, who just wrote your name and email on the key, and then uploaded it to the Debian keyserver?

Oskar

> On 23 Oct. 2017 at 23:20, Simon Kelley wrote:
> 
> On 23/10/17 19:14, Oskar Lundström wrote:
>> Is there a way to download the source code of dnsmasq over HTTPS? Alternatively, a hash fingerprint of the source code, which is supplied over a secure connection (like HTTPS).
> 
> All the tarballs are signed with my public key, fingerprint E19135A2,
> which can be obtained in a trusted manner from, amongst other places,
> the Debian keyserver.
> 
> gpg --keyserver keyring.debian.org --recv-keys E19135A2
> 
> Download the tarball from the server and the signature file,
> 
> ie,
> 
> dnsmasq-2.78.tar.gz.asc and dnsmasq-2.78.tar.gz
> 
> and verify that the signature matches:
> 
> 
> srk at holly:~$ gpg --verify dnsmasq-2.78.tar.gz.asc dnsmasq-2.78.tar.gz
> gpg: Signature made Mon 02 Oct 2017 14:39:56 BST using RSA key ID E19135A2
> gpg: Good signature from "Simon Kelley <simon at thekelleys.org.uk>"
> gpg:                 aka "Simon Kelley <srk at debian.org>"
> 
> 
> Which tells you that the tarball/signature pair could only have been
> created by someone in possession of the private key matching the public
> key you downloaded in the first step. Neither can be altered without
> breaking the verification. Therefore, as long as you trust the Debian
> keyserver to give you the correct public key, the source code cannot
> have been altered.
> 
> 
> 
> Test and release-candidates are signed with a different key. (they are
> signed automatically, so the private key has to exist on the server
> without a protecting passphrase, which exposes it to sever security: I
> don't want to do that to my main key.) That key is downloadable from the
> website, and it has fingerprint 7F7EF234
> 
> I'll sign this message with my main public key, so you can trust the
> fingerprint above, and be sure you got an untampered copy of that key.
> 
> 
> That provides rather more certainty than a dodgy certificate on an https
> website.
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> 
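Added example, not part of the thread or of dnsmasq itself: a Python check for the verification step Simon describes, reading gpg's machine-readable status lines (`--status-fd`) and pinning the key's full 40-hex fingerprint rather than the short ID E19135A2, which is too short to tell a genuine key from the look-alike Oskar asks about. The fingerprints and status lines below are constructed placeholders, and `verify_tarball` assumes `gpg` is on PATH.

```python
import subprocess

# Constructed placeholder for the release key's full fingerprint (the thread
# only gives the 32-bit short ID, which is too short to pin a key on).
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF0123ABCD"

# Constructed sample status output in the '[GNUPG:] ...' format of --status-fd.
# Both fake fingerprints share their last 8 hex digits (the short key ID), as a
# look-alike key uploaded under a forged name and e-mail would.
GOOD_STATUS = """[GNUPG:] GOODSIG 89ABCDEF0123ABCD Simon Kelley <simon@thekelleys.org.uk>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF0123ABCD 2017-10-02 1506951596 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF0123ABCD
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
LOOKALIKE_STATUS = """[GNUPG:] GOODSIG 765432100123ABCD Simon Kelley <simon@thekelleys.org.uk>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA98765432100123ABCD 2017-10-02 1506951596 0 4 0 1 10 00 FEDCBA9876543210FEDCBA98765432100123ABCD
"""
BAD_STATUS = "[GNUPG:] BADSIG 89ABCDEF0123ABCD Simon Kelley <simon@thekelleys.org.uk>\n"
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def parse_status(status_text):
    """Return {'good': bool, 'fprs': set of full fingerprints, 'failure': keyword}."""
    result = {"good": False, "fprs": set(), "failure": None}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            result["good"] = True
        elif keyword == "VALIDSIG" and len(fields) >= 11:
            # fields[2] is the signing key's fingerprint; fields[11], when present,
            # is the primary key's fingerprint (differs when a subkey signed).
            result["fprs"].add(fields[2].upper())
            if len(fields) >= 12:
                result["fprs"].add(fields[11].upper())
        elif keyword in FAILURES and result["failure"] is None:
            result["failure"] = keyword
    return result

def signature_trusted(status_text, expected_fpr):
    """Good, valid signature AND full fingerprint equal to the pinned one."""
    r = parse_status(status_text)
    if r["failure"] or not r["good"]:
        return False
    return expected_fpr.replace(" ", "").upper() in r["fprs"]

def verify_tarball(sig_path, tarball_path, expected_fpr=EXPECTED_FPR):
    """Run gpg (assumed on PATH) with machine-readable status lines on stdout."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           sig_path, tarball_path], capture_output=True, text=True)
    return signature_trusted(proc.stdout, expected_fpr)
```

A "Good signature from" line on its own only proves the signature matches whichever key is in your keyring; the pinned full fingerprint, obtained out of band (the signed message Simon mentions is one such channel), is what ties that key to the author.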