Old 06-15-2014, 11:17 PM   #1
mtdew3q
Member
 
Registered: Mar 2006
Location: upstate NY
Distribution: fedora XFCE 23
Posts: 334

Rep: Reputation: 17
question about keys for repositories


Hi-

I am practicing retrieving a key from a keyserver. I went to this ppa https://launchpad.net/~mozillateam/+archive/ppa and retrieved the key from the keyserver with the command: gpg --recv-keys --keyserver keyserver.ubuntu.com keyID. (The keyserver in this case was the Ubuntu key server.)

Next, after verifying the key's fingerprint is the same as what is listed on the project page website, do I sign this key?
"Since key verification is a weak point in public-key cryptography, you should be extremely careful and always check a key's fingerprint with the owner before signing the key."
I can't really check with the owner because it is just listed on a website.
When I checked, no one really signed it. People who have signed the key under seahorse is blank.

When I look at http://regina.sourceforge.net/instal...u-precise.html it seems that they don't list a fingerprint on the site for the key. Is that right? Should there be a fingerprint listed next to the link for the "save as" hyperlink regina.txt file?

Are you confident with the information provided by either site to trust the key, and do you bother signing it? What other types of verification besides a fingerprint would you like to see? Is it okay just to trust the website and fingerprint? If they had clearsigned it, would a sha1sum be on the site, and should that be listed with the fingerprint too?

thanks for any help you can provide,
mtdew3q
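The fingerprint check described in this post, written out as an added example that is not part of the original thread: it pulls the primary-key fingerprint out of gpg's machine-readable listing and compares it with the fingerprint published by the project. The key ID, fingerprints and listing below are constructed placeholders, and the live gpg commands are commented out so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes gpg is installed for the
# live (commented-out) commands; all values below are constructed placeholders.

# Normalise a fingerprint for comparison: drop whitespace and uppercase it,
# so "abcd 1234" and "ABCD1234" compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read a `gpg --with-colons --fingerprint` listing on stdin and print only the
# primary-key fingerprints. In that format the 10th field of an "fpr:" record
# holds the fingerprint; the first fpr after a "pub:" record belongs to the
# primary key, any fpr after a "sub:" record belongs to a subkey and is skipped.
primary_fprs_from_colons() {
    awk -F: '$1=="pub"{want=1; next} $1=="fpr" && want{print $10; want=0}'
}

# check_fingerprint EXPECTED LISTING: return 0 only if the primary fingerprint
# in LISTING matches EXPECTED (the value copied from the project's web page).
check_fingerprint() {
    expected=$(norm_fpr "$1")
    actual=$(printf '%s\n' "$2" | primary_fprs_from_colons | head -n 1)
    [ -n "$actual" ] && [ "$(norm_fpr "$actual")" = "$expected" ]
}

# Live usage (needs gpg and network), mirroring the command in the post:
#   gpg --keyserver keyserver.ubuntu.com --recv-keys "$KEYID"
#   listing=$(gpg --with-colons --fingerprint "$KEYID")
#   check_fingerprint "$EXPECTED_FPR" "$listing" && echo "fingerprint matches"

# Constructed sample listing (placeholder key ID, fingerprints and uid) in the
# --with-colons format, used here instead of a real keyserver fetch.
SAMPLE_LISTING='pub:-:4096:1:1234567890ABCDEF:1400000000::-:::scESC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::DEADBEEF::Example Signer <signer@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA0987654321:1400000000::::::e::::::
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'
```

A mismatch here means the key in the keyring is not the one the site publishes, so it should be neither trusted nor signed.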
 
Old 06-15-2014, 11:46 PM   #2
mtdew3q
Member
 
Registered: Mar 2006
Location: upstate NY
Distribution: fedora XFCE 23
Posts: 334

Original Poster
Rep: Reputation: 17
Hi-

For a quick follow-up, it looks like verifying a signature in a doc or a detached signature helps confidence levels too. Since neither of these were docs, I don't think you have to use gpg --verify because it is just a key that I downloaded.

thanks
 
Old 06-16-2014, 12:18 AM   #3
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 6,829
Blog Entries: 7

Rep: Reputation: Disabled
Hi:

You should always verify the signature of a package before you install it. These signatures ensure that the packages you install are what was produced by the Fedora Project and have not been altered (accidentally or maliciously) by any mirror or website that is providing the packages.

I haven't run Ubuntu for some time now, but I know that with Fedora, by default, yum and the graphical update tools will verify these signatures and refuse to install any packages that are not signed or have bad signatures.

Quote:
Is it okay just to trust the website and fingerprint?
If you are not able to tell that the code you have received is from whom you're getting it from and that it hasn't been manipulated in any way by a third party, then I'd say, no.

I looked for a fingerprint on the page you linked and I didn't see a fingerprint for the key.

The primary threat to the security of a fingerprint is a preimage attack, where an attacker constructs a key pair whose public key hashes to a fingerprint which matches the victim's fingerprint. The attacker could then present his public key in place of the victim's public key to masquerade as the victim.
http://en.wikipedia.org/wiki/Public_key_fingerprint

***This page provides the SHA1 (what you would want)***
http://packages.ubuntu.com/precise/a...-rexx/download

https://h20392.www2.hp.com/portal/sw...nuxCodeSigning
https://www.gnupg.org/download/integrity_check.html
 
1 members found this post helpful.
Old 06-16-2014, 01:54 AM   #4
mtdew3q
Member
 
Registered: Mar 2006
Location: upstate NY
Distribution: fedora XFCE 23
Posts: 334

Original Poster
Rep: Reputation: 17
Hi:

Thanks for the cool links. I practiced by visiting the links and doing some more reading.
I verified downloads at the gnupg.org for practice.

Have a cool work week.

mtdew3q
 
Old 06-16-2014, 10:40 PM   #5
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 6,829
Blog Entries: 7

Rep: Reputation: Disabled
Quote:
Originally Posted by mtdew3q View Post
Hi:

Thanks for the cool links. I practiced by visiting the links and doing some more reading.
I verified downloads at the gnupg.org for practice.

Have a cool work week.

mtdew3q
You're welcome-

You have a good week too:-
 