[Dnsmasq-discuss] Secure download of dnsmasq

Kevin Lyda kevin at ie.suberic.net
Tue Oct 24 08:28:46 BST 2017


https://en.wikipedia.org/wiki/Web_of_trust

On Tue, Oct 24, 2017 at 6:32 AM Oskar Lundström <olgservicemail at gmail.com>
wrote:

> Thanks!
>
> I'm new to gpg. How do I know E19135A2 is the fingerprint of your public
> key, and not someone else's, who just wrote your name and email on the key,
> and then uploaded it to the Debian keyserver?
>
> Oskar
>
> > On 23 Oct 2017, at 23:20, Simon Kelley wrote:
> >
> > On 23/10/17 19:14, Oskar Lundström wrote:
> >> Is there a way to download the source code of dnsmasq over HTTPS?
> >> Alternatively, a hash fingerprint of the source code, which is supplied
> >> over a secure connection (like HTTPS).
> >
> > All the tarballs are signed with my public key, fingerprint E19135A2,
> > which can be obtained in a trusted manner from, amongst other places,
> > the Debian keyserver.
> >
> > gpg --keyserver keyring.debian.org --recv-keys E19135A2
> >
> > Download the tarball from the server and the signature file,
> >
> > ie,
> >
> > dnsmasq-2.78.tar.gz.asc and dnsmasq-2.78.tar.gz
> >
> > and verify that the signature matches:
> >
> >
> > srk at holly:~$ gpg --verify dnsmasq-2.78.tar.gz.asc dnsmasq-2.78.tar.gz
> > gpg: Signature made Mon 02 Oct 2017 14:39:56 BST using RSA key ID E19135A2
> > gpg: Good signature from "Simon Kelley <simon at thekelleys.org.uk>"
> > gpg:                 aka "Simon Kelley <srk at debian.org>"
> >
> >
> > Which tells you that the tarball/signature pair could only have been
> > created by someone in possession of the private key matching the public
> > key you downloaded in the first step. Neither can be altered without
> > breaking the verification. Therefore, as long as you trust the Debian
> > keyserver to give you the correct public key, the source code cannot
> > have been altered.
> >
> >
> >
> > Test and release-candidates are signed with a different key. (they are
> > signed automatically, so the private key has to exist on the server
> > without a protecting passphrase, which exposes it to severe security: I
> > don't want to do that to my main key.) That key is downloadable from the
> > website, and it has fingerprint 7F7EF234
> >
> > I'll sign this message with my main public key, so you can trust the
> > fingerprint above, and be sure you got an untampered copy of that key.
> >
> >
> > That provides rather more certainty than a dodgy certificate on an https
> > website.
> >
> > Cheers,
> >
> > Simon.
> >
> >
> >
> >
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
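The thread describes the manual procedure (fetch the key, fetch tarball and `.asc`, run `gpg --verify`, read the "Good signature" line) and Oskar's question is how to know the key behind the short ID E19135A2 is the right one. The script below is an added example, not code from the dnsmasq project or from anyone in the thread. It automates the check from the defender's side: it drives `gpg --status-fd` and parses the machine-readable `GOODSIG`/`VALIDSIG`/`BADSIG` status lines (the format documented in GnuPG's `doc/DETAILS`), then compares the signing key's full fingerprint against a value pinned in the script. Two assumptions: the thread only gives the 32-bit short ID, so `PINNED_FINGERPRINT` is a placeholder you replace with the full fingerprint obtained out of band (e.g. from the signed mail Simon mentions, or via the web of trust Kevin links); and the sample status lines embedded for offline testing are constructed, with a made-up long key ID and fingerprint that merely end in E19135A2.

```python
"""Verify a detached GnuPG signature and pin the signer's full fingerprint.

Added example; not part of dnsmasq or the mailing-list thread. Relies on the
status-line format from GnuPG doc/DETAILS ("[GNUPG:] KEYWORD args...").
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Iterable, Optional

# PLACEHOLDER: the thread gives only the short ID E19135A2. A 32-bit short ID is
# not a safe pin (unrelated keys can share it), so pin the full fingerprint,
# obtained out of band, e.g. from a signed mail or via the web of trust.
PINNED_FINGERPRINT = "REPLACE_WITH_FULL_40_HEX_FINGERPRINT"

STATUS_PREFIX = "[GNUPG:] "
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-F]{40}|[0-9A-F]{64})$")
# Any of these means the signature must be rejected even if GOODSIG also appears.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class VerifyResult:
    good_signature: bool                # GOODSIG seen and nothing fatal seen
    fingerprint: Optional[str]          # key that made the signature
    primary_fingerprint: Optional[str]  # its primary key (same key if no subkey)
    signer: Optional[str]               # user ID from GOODSIG, informational only
    pinned_match: bool                  # fingerprint equals the pinned value

    @property
    def accepted(self) -> bool:
        return self.good_signature and self.pinned_match


def parse_status(lines: Iterable[str], pinned: str) -> VerifyResult:
    """Parse gpg --status-fd output; accept only a good signature from the pinned key."""
    pinned = pinned.replace(" ", "").upper()
    good = fatal = False
    fpr = primary = signer = None
    for line in lines:
        line = line.rstrip("\n")
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable output is interleaved when status-fd is 1
        parts = line[len(STATUS_PREFIX):].split()
        if not parts:
            continue
        keyword = parts[0]
        if keyword == "GOODSIG":
            good = True
            signer = " ".join(parts[2:]) or None
        elif keyword in FATAL_KEYWORDS:
            fatal = True
        elif keyword == "VALIDSIG" and len(parts) >= 2:
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo>
            #          <hash-algo> <sig-class> <primary-key-fpr>
            fpr = parts[1].upper()
            primary = parts[10].upper() if len(parts) >= 11 else fpr
    well_formed = fpr is not None and bool(FINGERPRINT_RE.match(fpr))
    match = well_formed and pinned in (fpr, primary)
    return VerifyResult(good and not fatal, fpr, primary, signer, match)


def verify_file(signature_path: str, data_path: str,
                pinned: str = PINNED_FINGERPRINT) -> VerifyResult:
    """Run gpg on a detached signature. The exit status alone is not enough:
    gpg exits 0 for a good signature from ANY key in the keyring, so the
    fingerprint pin is what ties the tarball to the release key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1",
         "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return parse_status(proc.stdout.splitlines(), pinned)


# Constructed sample modelled on the thread's transcript; the long key ID and
# fingerprint are made-up values that only end in the short ID E19135A2.
SAMPLE_FPR = "AAAAAAAAAAAAAAAAAAAAAAAA0123ABCDE19135A2"
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123ABCDE19135A2 Simon Kelley <simon at thekelleys.org.uk>",
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2017-10-02 1506951596 0 4 0 1 10 00 {SAMPLE_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",  # pinning replaces the web-of-trust verdict
]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} dnsmasq-X.Y.tar.gz.asc dnsmasq-X.Y.tar.gz")
        sys.exit(2)
    result = verify_file(sys.argv[1], sys.argv[2])
    print(result)
    sys.exit(0 if result.accepted else 1)
```

Usage: `python3 verify_release.py dnsmasq-2.78.tar.gz.asc dnsmasq-2.78.tar.gz` after replacing the placeholder fingerprint; the exit code is 0 only when gpg reports a good signature and the signing key (or its primary key) matches the pin. The `TRUST_UNDEFINED` line in the sample is what a fresh keyring produces for a key you have not certified; the pin is what supplies that trust decision instead.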