LinuxQuestions.org
Old 03-03-2013, 04:26 AM   #1
stringchopper
LQ Newbie
 
Registered: Feb 2013
Posts: 22

Rep: Reputation: Disabled
[Solved] gpg --verify ... WARNING ?


Hi all,

Slackbuilds.org has a great reputation among slackware users. I don't understand gpg very well, so please explain why I get this on all their packages:

Does this just mean that there is no central authority that has verified the identity of slackbuilds-devel@slackbuilds.org?

And, when I verify a package with the asc (key) file, what am I actually accomplishing? i.e., am I only verifying that no one broke into their server and replaced the file with a hacked duplicate? If so, how reliable is this? If someone breaks into the system, can't they register their own key with the same email address at any keyserver and then also upload phony keys (asc files) as well?

Code:
gpg: Signature made Tue 02 Oct 2012 12:29:25 PM EDT using DSA key ID 9C7BA3B6
gpg: Good signature from "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D307 6BC3 E783 EE74 7F09  B8B7 0368 EF57 9C7B A3B6

Last edited by stringchopper; 03-07-2013 at 03:48 PM.
 
Old 03-03-2013, 10:46 AM   #2
GazL
Senior Member
 
Registered: May 2008
Posts: 3,481

Rep: Reputation: 1016
Yes, there is no central authority and the warning is just reminding you that you have no way of knowing whether the public-key you're using is authentic. Keys are often signed by other people's keys, but if you don't have those keys either then that isn't much of an aid.

Checking the Key ID and fingerprint is an important step when dealing with a new key for the first time. It's not absolute proof that you have an authentic key, but its a good first step. Your confidence in the key should grow as you continue to use it as any fake would soon show up when you try to verify new files/signatures that you download.

For what it's worth (from a stranger, posting under a pseudonym on a web forum), the Key ID and fingerprint match those I have. Take from that what you will.
 
Old 03-03-2013, 11:06 PM   #3
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,425

Rep: Reputation: 1159
GPG uses a "web of trust" system, not a central authority.

I found this page with a bit of Googling: http://www.spywarewarrior.com/uiuc/g...-com-4.htm#2-6

Here's a few comments from that. First of all, GPG has taken the key-id 9C7BA3B6 and confirms that it is indeed registered to the Slackbuilds team on well-known public key servers. Then, it says that there's no way to confirm that the person who used that key to encrypt the material really was the Slackbuilds team. Theoretically, someone else could possess that same private key.

The way to build trust in a key is to sign it, and to have other people sign it.

Quote:
When you sign and certify someone else's public key, you are making a statement about your confidence that the public key you're signing actually belongs to the person specified in the User ID for that key. By signing someone's public key, you are building the Web of Trust for the keys on your own keyring and contributing to the Web of Trust for the larger community of GPG and PGP users. Until you sign someone's public key and change the trust level associated with that key, GPG will warn you that the key is untrusted whenever you use that key to verify signatures or encrypt files and messages.
The GNU Privacy Handbook says more at this URL: http://www.gnupg.org/gph/en/manual.html#AEN335

The web-of-trust model is a flexible solution to the matter of key validation ... quite a bit stronger, I feel, than any system (like SSL) which ultimately boils down to: "Trust me because I told you I'm 'Trustworthy, Inc.' "

Last edited by sundialsvcs; 03-03-2013 at 11:08 PM.
 
Old 03-04-2013, 02:36 AM   #4
stringchopper
LQ Newbie
 
Registered: Feb 2013
Posts: 22

Original Poster
Rep: Reputation: Disabled
Thanks for the help.

So... theoretically, "I" should _not_ sign this key, right? Because "I" don't know slackbuilds personally, and can't verify anything about their identity.
 
Old 03-04-2013, 08:47 AM   #5
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,425

Rep: Reputation: 1159
If you sign the key, your system will accept your signature and quibble no more ("yes, sir"). But the situation you describe still seems odd. Slackbuild folks ought to be (already...) using a web-of-trust in association with their builds, and I frankly am puzzled (but also, ignorant) as to "well, why isn't it already trusted?"

It might be worth an e-mail or three. Write to 'em. Check in other forums. I really don't know "non-technically speaking, 'why.'"
 
Old 03-04-2013, 10:41 AM   #6
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian
Posts: 2,526

Rep: Reputation: 872
Quote:
Originally Posted by sundialsvcs View Post
Slackbuild folks ought to be (already...) using a web-of-trust in association with their builds, and I frankly am puzzled (but also, ignorant) as to "well, why isn't it already trusted?"
You have to connect to the web-of-trust, i.e. decide to trust someone who trusts (someone who trusts someone who trusts...) the Slackbuilder.
 
Old 03-04-2013, 05:53 PM   #7
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
You can always use a "local" signature, which is a signature that is not exported. It does not solve the problem of trust, but when dealing with non-critical stuff which you bet is 95% secure, it removes the warning without giving the key a 100% credibility (thus poisoning the web of trust for others).

It seems to me these kinds of keys would be well placed in a key-server. Just a wild idea.
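Added example (not code from this thread, from SlackBuilds.org or from GnuPG): a small POSIX sh script that does what GazL (#2) and BlackRider (#7) describe, in one place. It pins the signer's fingerprint, refuses to lsign the key unless the imported key actually has that fingerprint, and then makes every later verification fail unless gpg reports a valid signature from the pinned key, whatever the web-of-trust level is. Assumptions: GnuPG 2.1 or newer (for --quick-lsign-key), your own secret key is available to make the local signature with, and the pinned value below (copied from the first post) has been cross-checked against a second source before you rely on it. The two blocks of "[GNUPG:]" status lines are constructed from the documented --status-fd format, not captured from a real run.

```shell
#!/bin/sh
# Added example, not code from the thread or from SlackBuilds.org.
# Trust-on-first-use for a signing key: pin its fingerprint, sign it
# locally so gpg stops warning, and make every later --verify fail unless
# the signature really comes from the pinned key.
# Assumptions: GnuPG 2.1 or newer (for --quick-lsign-key), you have your
# own secret key to make the local signature with, and the pinned value
# below (copied from the thread) has been cross-checked elsewhere first.
set -u

PINNED_FPR="D307 6BC3 E783 EE74 7F09 B8B7 0368 EF57 9C7B A3B6"

# Strip whitespace and upper-case, so fingerprints copied from different
# places compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# Read "gpg --status-fd 1" output on stdin; succeed only if a VALIDSIG line
# names the pinned key, either as the signing key (field 3) or as the
# primary key (last field, present when a subkey made the signature).
# TRUST_* lines are ignored on purpose: the pin is our trust decision, not
# the web of trust's.  Any BADSIG/ERRSIG/NO_PUBKEY line is a hard failure.
check_status() {
    want=$(norm_fpr "$1")
    found=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                n=0; sig_fpr=""; last=""
                for f in $line; do
                    n=$((n + 1))
                    if [ "$n" -eq 3 ]; then sig_fpr=$f; fi
                    last=$f
                done
                if [ "$sig_fpr" = "$want" ] || [ "$last" = "$want" ]; then
                    found=1
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 2
                ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# One-time setup: import the key file, compare the imported key's
# fingerprint with the pin, and only then add a local (non-exportable)
# signature so the "not certified with a trusted signature" warning stops.
pin_key() {
    keyfile=$1
    gpg --import "$keyfile" || return 1
    want=$(norm_fpr "$PINNED_FPR")
    actual=$(gpg --with-colons --fingerprint "$want" 2>/dev/null \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$actual" != "$want" ]; then
        echo "refusing to lsign: fingerprint mismatch (got '$actual')" >&2
        return 1
    fi
    gpg --batch --yes --quick-lsign-key "$want"
}

# Day-to-day check: verify_pinned DATAFILE SIGFILE
verify_pinned() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed sample of the status lines gpg emits for the signature quoted
# in the thread (field values assumed, not captured from a real run).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0368EF579C7BA3B6 SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>
[GNUPG:] VALIDSIG D3076BC3E783EE747F09B8B70368EF579C7BA3B6 2012-10-02 1349195365 0 4 0 17 2 00 D3076BC3E783EE747F09B8B70368EF579C7BA3B6
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Same shape for a perfectly valid signature from some other key
# (constructed): gpg alone would print "Good signature" for this one too.
SAMPLE_OTHER='[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <else@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2012-10-02 1349195365 0 4 0 17 2 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Offline demonstration of the check on the two constructed samples.
demo() {
    printf '%s\n' "$SAMPLE_GOOD"  | check_status "$PINNED_FPR" && echo "pinned key: accept"
    printf '%s\n' "$SAMPLE_OTHER" | check_status "$PINNED_FPR" || echo "other key: reject"
}
```

Usage is `pin_key slackbuilds-devel.asc` once, then `verify_pinned pkg.tar.gz pkg.tar.gz.asc` for each download. The point of check_status is that "Good signature" on its own only says some key you have imported made the signature; it is the fingerprint comparison that ties it to the key you pinned on day one, and the local signature merely silences the warning without telling anyone else that you vouch for the key.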
 
Old 03-04-2013, 07:03 PM   #8
GazL
Senior Member
 
Registered: May 2008
Posts: 3,481

Rep: Reputation: 1016
The slackbuilds-devel key is on key servers and the slackbuilds.org website. It is also signed by a number of well known names in slackware circles, including both Eric and Robby (whose keys are available both on the key servers and their own personal websites). This ought to be more than enough to provide a reasonable amount of confidence in it.

Last edited by GazL; 03-04-2013 at 07:31 PM.
 