Re: [gNewSense-users] gNewSense Repository PGP Key
From: Karl Goetz
Subject: Re: [gNewSense-users] gNewSense Repository PGP Key
Date: Mon, 14 Dec 2009 10:25:13 +1030
On Mon, 14 Dec 2009 00:35:55 +0200 (EET)
Lars Nooden <address@hidden> wrote:
> On Sun, 13 Dec 2009, Jason Self wrote:
> > You do use the public key to verify the authenticity of the
> > software being downloaded, but someone else's public key cannot be
> > used to verify the signature done with a different secret key...
> > you need to use the public key that corresponds to the secret key
> > used to do the actual signing.
>
> IIRC PGP is used to sign the release files (*) and the MD5 checksums
> of the individual packages are kept there and used by APT. The goals
> are to ensure authenticity and integrity of the packages. Currently
> generating MD5 collisions (**) may or may not be feasible, but it
> probably could be done in a reasonable amount of time with
> distributed processing.
>
> One of the other digest algorithms might be safer nowadays, such as
> SHA256, for a while, if it doesn't slow things down too much.
Multiple hashes are available:
MD5sum: 42e4dfe7785315cef04679e69b124b2d
SHA1: 5816634c05f28993afcab1fa007a99b3dd5117cb
SHA256: 8802935257c8f1d02895fc8c52744086ee3be591a99772f3b22d3cf4179b1e93
http://archive.gnewsense.org/gnewsense/dists/deltah/main/binary-i386/Packages
> > ... if the public key were put on the wiki ...
>
> The wiki might be too ephemeral. Somewhere harder to change might be
> good. There are some keys listed on this page:
> http://www.gnewsense.org/Main/FixExpiredArchiveKey
>
> Or the FAQ might be a place for the metad key:
> http://www.gnewsense.org/index.php?n=FAQ.FAQ
It's not a FAQ - it's never been asked before ;)
kk
> /Lars
>
> * http://wiki.debian.org/SecureApt
>
> **
> http://www.schneier.com/blog/archives/2005/06/more_md5_collis.html
--
Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian contributor / gNewSense Maintainer
http://www.kgoetz.id.au
No, I won't join your social networking group
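
An added example, not part of the original message and not APT's own code: checking a downloaded package against its Packages index entry using the strongest digest listed there, in line with the SHA256 suggestion and the multi-hash listing in the thread. It assumes the index itself was already authenticated through the signed Release file; the package names and file bytes are constructed.

```python
import hashlib

# Strongest first; MD5 is deliberately absent so it is never accepted on its own.
PREFERRED = [("SHA256", "sha256"), ("SHA1", "sha1")]

def parse_packages(text):
    """Parse a Debian-style Packages index into {package name: {field: value}}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and last:   # continuation of previous field
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                fields[last] = value.strip()
        if "Package" in fields:
            index[fields["Package"]] = fields
    return index

def verify_package(fields, data):
    """Return the name of the digest that matched; raise ValueError otherwise."""
    if "Size" in fields and int(fields["Size"]) != len(data):
        raise ValueError("size mismatch")
    for field, algo in PREFERRED:
        if field in fields:
            if hashlib.new(algo, data).hexdigest() != fields[field].lower():
                raise ValueError(field + " mismatch")
            return field
    raise ValueError("no digest stronger than MD5 in index entry")

# Constructed sample: stand-in package bytes and an index built to match them.
SAMPLE_DEB = b"constructed stand-in for a .deb file\n"

def _hex(algo):
    return hashlib.new(algo, SAMPLE_DEB).hexdigest()

SAMPLE_INDEX = (
    "Package: example-pkg\nSize: {n}\nMD5sum: {md5}\nSHA1: {sha1}\nSHA256: {sha256}\n\n"
    "Package: md5-only-pkg\nSize: {n}\nMD5sum: {md5}\n"
).format(n=len(SAMPLE_DEB), md5=_hex("md5"), sha1=_hex("sha1"), sha256=_hex("sha256"))

if __name__ == "__main__":
    entry = parse_packages(SAMPLE_INDEX)["example-pkg"]
    print("verified with", verify_package(entry, SAMPLE_DEB))
```

An entry that lists only an MD5sum is rejected rather than silently accepted, which is the failure mode the collision concern points at.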