LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-28-2011, 02:33 PM   #1
entz
Member
 
Registered: Mar 2007
Location: Milky Way , Planet Earth!
Distribution: Opensuse
Posts: 453
Blog Entries: 3

Rep: Reputation: 40
verifying keys with GPG


hi,

well i've a key (the linux archive key to be exact) which i'd like to verify to be 100% sure that it's the real one , before i can trust it to verify signatures and stuff.

how can i do that?

also once i'm done with that , how can i set this key as an "ultimately trusted key" (to borrow pgp terminology) ?

cheers
 
Old 06-28-2011, 04:37 PM   #2
CTM
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 302

Rep: Reputation: 282Reputation: 282Reputation: 282
The only way you can be 100% sure is if you meet face-to-face with someone from the Linux Kernel Archives, or speak to them over a secure phone line to verify the key or its fingerprint, or something of that nature. Since that's not really possible, it's "good enough" (in most scenarios) to get the public key via HTTPS over a trustworthy Internet connection and import it into your keyring. The LKA keys get revoked from time to time, so keep an eye on their web page for alerts of that kind.

I'm not sure why you want to ultimately trust the LKA key - the only reason to do this is if the owner of the key signs keys for others, and you want to acknowledge that you implicitly trust all other keys signed by the owner. As far as I'm aware, LKA doesn't sign keys for anyone else so this both unneccesary and dangerous (and besides, the only person you should ultimately trust in PGP is yourself - you should have at most complete trust in others). If you just want to verify the signatures of files you download from the LKA servers, it's sufficient to import their public key into your keyring and verify the signatures with "gpg --verify".

Last edited by CTM; 06-28-2011 at 04:58 PM.
 
Old 06-28-2011, 08:39 PM   #3
entz
Member
 
Registered: Mar 2007
Location: Milky Way , Planet Earth!
Distribution: Opensuse
Posts: 453

Original Poster
Blog Entries: 3

Rep: Reputation: 40
hmmm alright,

first of this is meant as an exercise (i.e for educational purposes) , secondly i'm trying to learn more about the web of trust.

in particular this is a response to this:
Quote:
Unless you have taken explicit steps to build a trust path to the Linux Kernel Archives Verification Key, you should expect to see a warning message akin to: .....
so how can i take "explicit steps" to build a trust path to the archives ??

btw , it's too bad that the page doesn't provide convenient links to download the public key (and the revocations certificates) instead of having to copy/paste them into a file..

i just discovered that the key has a certain number of signatures tied to it , what are these ?
the site also mentions that more signatures will be included , i'm not quite sure i understand what is supposed to mean ....hmmm

cheers

P.S i forgot to mention that yesterday when i downloaded the kernel source there was a problem with the ssl certificate which is part responsible for me being so paranoid today.

Last edited by entz; 06-28-2011 at 09:00 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
GPG: Bad session key gpg between gpg on linux and gpg gui on windows XP konqi Linux - Software 1 07-21-2009 10:37 AM
GPG Keys matsko Linux - General 4 12-23-2005 08:53 PM
gpg keys pr0xibus Fedora 1 10-04-2005 11:45 AM
Using GPG KEYS 0n Install CD browser Fedora 1 01-23-2005 06:06 AM
verifying srpms vs rpms w/ gpg sig ergo_sum Linux - Newbie 0 02-06-2004 10:04 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:22 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration