Copy Current GPG Installation to Another Server
Peter Lebbing
peter at digitalbrains.com
Tue Mar 17 22:19:07 CET 2015
On 17/03/15 22:04, Doug Barton wrote:
> Assuming you get the package, the signature, and the fingerprint from the same
> *.gnupg.org resources, what does that buy you?
Assuming they're all protected by https, nothing.
What does verification of that signature buy you though? That your download
wasn't corrupted?
> If you've somehow downloaded the wrong key by short Id, the signature won't
> validate. If you have the right key, it will. That's enough to tell the user
> that the contents of the package are unaltered.
If I were to place something nefarious inside a GnuPG download, I'd sign the
result with a key I created with the short key ID 4F25E3B6. That way, your
--recv-key command will retrieve both my key and Werners, and the signature will
happily validate. Creating a short key ID collision is peanuts and can be done
with off-the-shelf software on a laptop.
This rakes in not just the people who don't check the signature, but also all
those who just verify the short key ID. Since it's hardly any effort, I'd do it,
even though it probably only gains me a few percent coverage.
> More extensive checking would be great, but would require a lot of documentation
> to teach the users how to do it ... are you volunteering to write it? :)
No, but I'm also not telling people they can verify using the short key ID. No
guidance is better than wrong guidance, IMHO. No offence meant, I appreciate you
helping him out. I'm just trying to give some constructive criticism.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
More information about the Gnupg-users
mailing list