LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 08-26-2012, 11:50 AM   #1
aaarnt
LQ Newbie
 
Registered: Nov 2008
Location: Brazil / RS / Porto Alegre
Distribution: Slackware
Posts: 28

Rep: Reputation: 16
Slackware 14.0 GPG-KEY


Im happy we are almost there for a new version, but...

Wouldn't it be better if we had a renewed/new GPG-KEY to sign Slackware 14.0 packages?

** The current GPG-KEY is from 2003 and will expire on 21st december 2012 **

I know that many people thinks the world is gonna end around this time, but... I'm pretty sure Slackware is going to survive this impending doom, so...

Last edited by aaarnt; 08-27-2012 at 09:52 PM.
 
Old 08-26-2012, 12:35 PM   #2
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Of course Slackware will survive the apocalypse, as will all slackers. Bob will protect us, and we will party on.
 
2 members found this post helpful.
Old 08-26-2012, 12:40 PM   #3
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,270

Rep: Reputation: Disabled
Quote:
Originally Posted by aaarnt View Post
Im happy we are almost there for a new version, but...

Wouldn't it be nicer if we had a renewed/new GPG-KEY to sign Slackware 14.0 packages?

** The current GPG-KEY is from 2003 and will expire at 21st december 2012 **

I know that many people thinks the world is gonna end around this time, but... I'm pretty sure Slackware is going to survive this impending doom, so...
Somewhat related to that end-of-the-world thing... Slackware 14 will have an easter egg which only becomes visible if you install Slackware 14 on 21 december, 2012...

Eric
 
1 members found this post helpful.
Old 08-26-2012, 12:48 PM   #4
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.1
Posts: 7,038
Blog Entries: 52

Rep: Reputation: Disabled
Quote:
Originally Posted by Alien Bob View Post
Somewhat related to that end-of-the-world thing... Slackware 14 will have an easter egg which only becomes visible if you install Slackware 14 on 21 december, 2012...

Eric
What? Sends a signal via the intertubeswebnet thingy to detonate the entire world's nuclear arsenal? That will be worth seeing. Can't wait.
 
Old 08-26-2012, 01:07 PM   #5
yenn
Member
 
Registered: Jan 2011
Location: Czech Republic
Distribution: Slackware, Gentoo
Posts: 153

Rep: Reputation: 21
Quote:
Originally Posted by Alien Bob View Post
Somewhat related to that end-of-the-world thing... Slackware 14 will have an easter egg which only becomes visible if you install Slackware 14 on 21 december, 2012...

Eric
Updated my journal, I'll definitely try that.

It reminds me one fortune cookie: "The world will end in 5 minutes. Please log out." It would be nice to hack fortunes to schedule that one for December 21
 
Old 08-27-2012, 08:14 AM   #6
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
I have to remember to try it.
 
Old 08-28-2012, 04:53 AM   #7
zerouno
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 269

Rep: Reputation: 82
from man slackpkg
Quote:
If you need to update Slackware's GPG key, run

# slackpkg update gpg

The GPG key doesn't change. This should be a "one time" command - run it once and forget it...
So, is that true? or in december we must re-run slackpkg update gpg?
 
Old 08-28-2012, 07:41 PM   #8
aaarnt
LQ Newbie
 
Registered: Nov 2008
Location: Brazil / RS / Porto Alegre
Distribution: Slackware
Posts: 28

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by zerouno View Post
from man slackpkg


So, is that true? or in december we must re-run slackpkg update gpg?
Zerouno,
All digital certificates expire after a certain date. This is because the technology to pose security risks to them can improve a lot between "computer generations".
The current GPG-KEY used by Slackware was issued on february, 2003. That one will expire on 21 december this year. This can be verified using the following command in a bash prompt: gpg --list-keys.

I made a "time change" test in a virtual machine with slack 13.37 and tried to verify a patch signature. It was ok, with return code
0 but also displayed a note saying "This key has expired!".

The question is: will Slackware-14 release a new GPG-KEY, so that all packages are signed with that "future-proof" certificate or will we stick with the current one?
Sticking with a 9 year old key a few months from expiration is at least strange for such a traditional secure distro, IMHO.

But I'm pretty sure Pat will answer us very soon :-)
 
Old 08-29-2012, 03:12 AM   #9
zerouno
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 269

Rep: Reputation: 82
The patches released in 2013 for slackware 13.37, which gpg-key will use?
 
Old 08-29-2012, 09:11 AM   #10
aaarnt
LQ Newbie
 
Registered: Nov 2008
Location: Brazil / RS / Porto Alegre
Distribution: Slackware
Posts: 28

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by zerouno View Post
The patches released in 2013 for slackware 13.37, which gpg-key will use?
Good question!

If the GPG-KEY remains the same, after december 21st, it'll be impossible to sign anything with it. But it will be still possible to verify the old signatures.
I'm not a gpg especialist, but I'm sure there's a decent solution to that problem, maybe using subkeys.
 
Old 08-29-2012, 01:15 PM   #11
zerouno
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 269

Rep: Reputation: 82
Quote:
Originally Posted by aaarnt View Post
but I'm sure there's a decent solution to that problem.
re-sign all old-packages with a new gpg-key :-)




Slackware 8.1 packages are marked in the year 2002. The key presents on the repository is marked 2003.
Which key was used to sign, and when?

Some patch are marked in 2002 and some patch 2012. Are they signed with the same key?

Fortunately slackware 8.1 is End-Of-Life, so it will not soffer the Maya-bug :-)



Edit:
On the original cd of slackware 8.1 (that is downloadable) there is no gpg-key, and packages was not signed.
This means that the original packages was signed in future.

Well. This means that the 13.37 and all not EOL slackware will must be re-signed with a new key.

Last edited by zerouno; 08-29-2012 at 01:28 PM.
 
Old 08-29-2012, 02:52 PM   #12
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,270

Rep: Reputation: Disabled
If a GPG key's expiry date is updated, then files which were signed with the old version of the GPG key will still validate OK.
I'll let you in on a secret:
Code:
$ gpg --refresh-keys
$ gpg --list-keys "Slackware Linux Project"
pub   1024D/40102233 2003-02-26 [expires: 2038-01-19]
uid                  Slackware Linux Project <security@slackware.com>
sub   1024g/4E523569 2003-02-26 [expires: 2038-01-19]
$ gpg --verify ~ftp/pub/Linux/Slackware/slackware-13.37/CHECKSUMS.md5.asc 
gpg: Signature made Mon 25 Apr 2011 04:56:55 PM CEST using DSA key ID 40102233
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"
Eric
 
3 members found this post helpful.
Old 08-31-2012, 09:14 PM   #13
aaarnt
LQ Newbie
 
Registered: Nov 2008
Location: Brazil / RS / Porto Alegre
Distribution: Slackware
Posts: 28

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by Alien Bob View Post
If a GPG key's expiry date is updated, then files which were signed with the old version of the GPG key will still validate OK.
I'll let you in on a secret:
Code:
$ gpg --refresh-keys
$ gpg --list-keys "Slackware Linux Project"
pub   1024D/40102233 2003-02-26 [expires: 2038-01-19]
uid                  Slackware Linux Project <security@slackware.com>
sub   1024g/4E523569 2003-02-26 [expires: 2038-01-19]
$ gpg --verify ~ftp/pub/Linux/Slackware/slackware-13.37/CHECKSUMS.md5.asc 
gpg: Signature made Mon 25 Apr 2011 04:56:55 PM CEST using DSA key ID 40102233
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"
Eric
Thank you Pat and Eric!
Ive just noticed Slackware 14.0 RC4 included the updated GPG-KEY.

So...
Maya BUG: Bye, bye!
Year-2038 bug: Well squash you at the right moment ;-D
 
Old 12-21-2012, 07:16 AM   #14
jaycee4
Member
 
Registered: Aug 2009
Posts: 42

Rep: Reputation: 7
Quote:
Originally Posted by Alien Bob View Post
Somewhat related to that end-of-the-world thing... Slackware 14 will have an easter egg which only becomes visible if you install Slackware 14 on 21 december, 2012...

Eric
Aak! I don't have access to my laptop today to reinstall Slackware 14.0! I won't see the Easter Egg! 'Tis the end of the world! :'(
I'm going to hazard a guess and say that the Easter Egg is a Mayan themed Lilo boot screen... even though I dreamt (can you believe it!) a while ago that the first boot would flash ASCII keys (yes, the ones that open doors) in place of the ASCII... things that appear during first boot. But I'm probably incorrect on both fronts. Has anyone seen the Easter Egg?
 
Old 12-21-2012, 08:09 AM   #15
zerouno
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 269

Rep: Reputation: 82
Quote:
I'm going to hazard a guess and say that the Easter Egg is a Mayan themed Lilo boot screen...
mmm..

May be...
But may NOT


tomorrow change date to your computer and reinstall
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Have my GPG key in another PC? hakermania Linux - Security 6 12-06-2010 03:37 PM
GPG: Bad session key gpg between gpg on linux and gpg gui on windows XP konqi Linux - Software 1 07-21-2009 09:37 AM
Revoking GPG key with only passphrase and public key djib Linux - Security 2 03-13-2007 03:20 AM
can see gpg key in apt-key, still can't update Dan63043 Ubuntu 2 09-25-2006 11:35 AM
GPG Data, Secret Key but no Public Key? Aeiri Linux - Software 5 07-20-2004 06:00 PM


All times are GMT -5. The time now is 07:52 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration