On 29.02.2016 at 11:52, Carlos E. R. wrote:
On 2016-02-29 10:00, Łukasz 'Cyber Killer' Korpalski wrote:
But the checksums are pgp signed (inline pgp signature inside the sha256 checksum file), so as long as the user has the pubkey used for this signature and uses it to verify the checksums, everything is fine. The pubkey long fingerprint is noted on the main iso download page, not on the mirrors pages. But the PGP signatures, to be secure, need a web of trust. A separate and trusted method to download and verify the keys themselves, and this we don't have.
Probably a certified page with all keys used by the project for signing downloads and builds.
Certified by who? Some commercial CA? IMHO these are less trustable than any randomly picked PGP key. There is no running from it - at some point you need to trust someone.
At this point I trust the openSUSE Project Signing Key 0x3DBDC284 to be

Hi,

On 02/29/2016 12:32 PM, Łukasz 'Cyber Killer' Korpalski wrote:

And 32bit Keyids are not enough anymore. See also here for reference: https://evil32.com/ It takes 4 seconds to generate a colliding 32bit key id on a GPU (using scallion https://github.com/lachesis/scallion). Key servers do little verification of uploaded keys and allow keys with colliding 32bit ids. Further, GPG uses 32bit key ids throughout its interface and does not warn you when an operation might apply to multiple keys.
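The point the last message makes (a 32-bit key id identifies nothing; only the full fingerprint does) as an added example, not part of the thread and not openSUSE's own tooling: a Python check that reads the machine-readable status lines gpg prints with `--status-fd` when verifying the signed checksum file, and compares two policies, one that matches only the short id and one that requires the full 40-hex-digit fingerprint from the download page. Every fingerprint and status transcript below is constructed for the demonstration (the trusted one merely reuses the thread's short id 3DBDC284 as its last 8 digits), and the function names are this example's own.

```python
"""Accept a signed checksum file only when the full key fingerprint matches.

Added example, not from the mailing-list thread. It parses the status lines
that `gpg --batch --status-fd 1 --verify FILE` prints and applies two policies:
a weak one keyed on the 32-bit short id and a strict one keyed on the full
160-bit fingerprint. All fingerprints and status lines are CONSTRUCTED samples.
"""
import subprocess
from typing import Optional, Set

# Full fingerprint the operator copied from the project's download page.
# CONSTRUCTED placeholder: the last 8 hex digits reuse the thread's short id
# 0x3DBDC284, the rest is filler. Replace with the really published value.
TRUSTED_FINGERPRINTS: Set[str] = {
    "AAAABBBBCCCCDDDDEEEEFFFF000011113DBDC284",
}

# A second CONSTRUCTED key with the same 32-bit short id but a different
# fingerprint, standing in for a key made to collide (as evil32.com describes).
COLLIDING_FINGERPRINT = "99998888777766665555444433332222" + "3DBDC284"


def short_key_id(fingerprint: str) -> str:
    """The 32-bit short id is just the low 8 hex digits of the fingerprint."""
    return fingerprint[-8:].upper()


def signing_key_fingerprint(status_text: str) -> Optional[str]:
    """Return the primary-key fingerprint from a VALIDSIG status line, or None.

    gpg emits VALIDSIG only for a cryptographically good signature. Its first
    argument is the fingerprint of the (sub)key that signed; the optional tenth
    argument is the fingerprint of the primary key that subkey belongs to,
    which is what a download page publishes, so prefer it when present.
    """
    for line in status_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "[GNUPG:]" or tokens[1] != "VALIDSIG":
            continue
        args = tokens[2:]
        signing_fpr = args[0].upper()
        return args[9].upper() if len(args) > 9 else signing_fpr
    return None


def accept_by_short_id(status_text: str, trusted: Set[str] = TRUSTED_FINGERPRINTS) -> bool:
    """Weak policy: compare only the 32-bit short id. A colliding key passes."""
    fpr = signing_key_fingerprint(status_text)
    if fpr is None:
        return False
    return short_key_id(fpr) in {short_key_id(t) for t in trusted}


def accept_by_fingerprint(status_text: str, trusted: Set[str] = TRUSTED_FINGERPRINTS) -> bool:
    """Strict policy: the full fingerprint must be on the allowlist."""
    fpr = signing_key_fingerprint(status_text)
    return fpr is not None and fpr in {t.upper() for t in trusted}


def make_status(fingerprint: str) -> str:
    """Build a CONSTRUCTED status-fd transcript for a good signature by `fingerprint`."""
    long_id = fingerprint[-16:]  # gpg reports the 64-bit long id in GOODSIG
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] GOODSIG {long_id} openSUSE Project Signing Key <opensuse@opensuse.org>\n"
        f"[GNUPG:] VALIDSIG {fingerprint} 2016-02-29 1456743120 0 4 0 1 8 01 {fingerprint}\n"
    )


# CONSTRUCTED transcripts: the trusted key, the colliding key, and a bad signature.
GOOD_STATUS = make_status("AAAABBBBCCCCDDDDEEEEFFFF000011113DBDC284")
COLLIDING_STATUS = make_status(COLLIDING_FINGERPRINT)
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 000011113DBDC284 openSUSE Project Signing Key\n"


def verify_checksum_file(path: str, trusted: Set[str] = TRUSTED_FINGERPRINTS) -> bool:
    """Run gpg on a clearsigned checksum file and apply the strict policy.

    `--status-fd 1` routes the machine-readable lines to stdout and `--batch`
    suppresses prompts; the human-readable report on stderr is ignored.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True,
    )
    return accept_by_fingerprint(proc.stdout, trusted)


if __name__ == "__main__":
    print("trusted key, short-id policy:     ", accept_by_short_id(GOOD_STATUS))
    print("colliding key, short-id policy:   ", accept_by_short_id(COLLIDING_STATUS))
    print("trusted key, fingerprint policy:  ", accept_by_fingerprint(GOOD_STATUS))
    print("colliding key, fingerprint policy:", accept_by_fingerprint(COLLIDING_STATUS))
```

Run as a script it shows the short-id policy accepting both keys while the fingerprint policy accepts only the trusted one; `verify_checksum_file` applies the strict policy to a real clearsigned file, after which the checksums inside it still have to be matched against the downloaded iso (for example with `sha256sum -c`). A good-signature result from gpg says nothing about which key you meant, so the fingerprint comparison is the step that turns "valid signature" into "signed by the project key".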