Hi-

I am practicing retrieving a key from a keyserver. I went to this ppa https://launchpad.net/~mozillateam/+archive/ppa and retreived the key from the keyserver with the command: gpg --recv-keys --keyserver keyserver.ubuntu.com keyID. (The keyserver in this case was Ubuntu key server)

Next, after verifying the keys fingerprint is the same as what is listed on the project page website, do I sign this key?
"Since key verification is a weak point in public-key cryptography, you should be extremely careful and always check a key's fingerprint with the owner before signing the key."
I can't really check with the owner because it is just listed on a website.
When I checked, no one really signed it. People who have signed the key under seahorse is blank.

When I look at http://regina.sourceforge.net/instal...u-precise.html it seems that they don't list a fingerprint on the site for the key. Is that right? Should there be a fingerprint listed next to the link for the "save as" hyperlink regina.txt file.

Are you condident with the information provided by either site to trust the key and do you bother signing it? What other types of verification besides a fingerprint would you like to see? Is it okay just to trust the website and fingerprint? If they had clearsigned it, would an sha1sum be on the site, and should that be listed with the fingerprint too?

thanks for any help you can provide,
mtdew3q

Hi-

For quick follow-up, it looks like that verifying a signature in a doc or detached signature helps confidence levels too. Since neither of these were docs, I don't think you have to use gpg --verify because it is just a key that I downloaded.

thanks

Hi:

You should always verify the signature of a package before you install it. These signatures ensure that the packages you install are what was produced by the Fedora Project and have not been altered (accidentally or maliciously) by any mirror or website that is providing the packages.

I haven't ran Ubuntu for some time now but I know that with Fedora;
by default, yum and the graphical update tools will verify these signatures and refuse to install any packages that are not signed or have bad signatures.

If you are not able to tell that the code you have received is from whom your getting it from and that it hasn't been manipulated in any way by a third party, than I'd say,no.

I looked for a fingerprint on the page you linked and I didn't see a fingerprint for the key.

The primary threat to the security of a fingerprint is a preimage attack, where an attacker constructs a key pair whose public key hashes to a fingerprint which matches the victim's fingerprint. The attacker could then present his public key in place of the victim's public key to masquerade as the victim.
http://en.wikipedia.org/wiki/Public_key_fingerprint

***This page provides the SHA1 (what you would want)***
http://packages.ubuntu.com/precise/a...-rexx/download

https://h20392.www2.hp.com/portal/sw...nuxCodeSigning
https://www.gnupg.org/download/integrity_check.html

1 members found this post helpful.

Hi:

Thanks for the cool links. I practiced by visiting the links and doing some more reading.
I verified downloads at the gnupg.org for practice.

Have a cool work week.

mtdew3q

Your Welcome-

You have a good week too:-