Public Key is not available


#1

With V.5.3 comes a signing key generated with the key of gaaned92@gmail.com. In order to use this key, a possibility to download this key and a possibility for verification must be provided. Otherwise the key is useless, only usable as a checksum test.
Regards
Andreas


(Pat David) #2

That’s an… interesting… username.

@gaaned92 might be around if you need something. Not sure what you wanted exactly.


#3

You are right. So follow the procedure described in verify-signature.txt.


#4

You are right.
I suggest we just call him Uruk.

/Claes


#5

Hey ladies,
nickname Uruk would be all right. The silly name came from my method of generating an account with the help of my PW manager. I let it generate not only my PW but the user name as well, because sometimes it is suitable to have a random user name as well.
Now another explanation of my/your problem: The latest version of RT is signed by using a signature file that was generated with the use of the private key of gaaned92. That is a very good idea in principle, because now it would be possible to verify the origin and the integrity of the file. In this case it is only possible to verify integrity, because it is not possible to verify the public key of gaaned92. In order to do that, the fingerprint must be compared via a second secure channel. Key servers are not suitable for that purpose; better is keybase, better still a personal domain that provides fingerprint and/or public key. Then a good verification to gain maximum trust would be the exchange of encrypted e-mails. For that purpose I am going to send it to the known address of gaaned92 and wait for an encrypted answer. A telephone call or a fax that provides the fingerprint is also acceptable.
After that it is possible to prove that gaaned92 is the signer of the latest RT.

Uruk


#6

BTW, what verify-signature.txt file? Where can it be found?


#7

At https://drive.google.com/open?id=0B2q9OrgyDEfPS2FpdDAtMVI1RG8

1- As the “stable” releases are accessible through the RT download site, I surely should have deleted this signature, as it is not and will not be documented in the RT doc.

2- I am not a security expert and my aim was just to go a step further than providing a hash code to give confidence in the origin of the installer. I don’t think those installers are a valuable target for hackers.

3- I want to keep the things as simple as possible for me with no extra task. But I am open to suggestions as long as it remains simple.

And you are the first to ask questions about that.


(Andrew) #8

Yes, as a non-expert in Linux, I realise I have to roll my sleeves up a bit sometimes, but I personally wouldn’t want new layers of stuff to deal with around certificates and security.

If a new person came along and contributed code, would it be somehow checked to see if it was doing anything naughty, e.g. contacting IP addresses?


#9

1- Don’t delete the signature, it is a very good start and you did everything correctly to that point.
2- You are wrong: installers are valuable targets for hackers, as seen with the popular tool CCleaner from Piriform. Somehow malicious code was placed into the installer placed on their web site.
3- No extra task with every new RT version. Just once you have to provide the fingerprint of your key on a different web site and link to it (or give a hint to find it). Another option is to create an account on keybase.io and place the public key and fingerprint there. It is not sufficient to gain the maximum trust level, but enough that the verification process can be completed satisfactorily.
I encourage you to take the last step and make the world safer.
In the e-mail that you received from me, you can see how I managed it. And in case you answer encrypted, your key is proved to me and mine is proved to you.
BTW RT is great!!


(Pat David) #10

This is a good illustration of why so much encryption and extra security is often overlooked by users due to the complexity of setting it up and keeping things safe.

In this case @URUkL9tDXQLW5N8yg5F5 simply wants to verify that the signing key does, in fact, belong to you, @gaaned92, and he’s looking for independent verification (your email exchange is one - meeting face to face would be better for a key exchange).

I can second keybase.io as an option to simplify this a little bit, as it allows others to find you and see if you’ve verified yourself against many services and websites. For example, here is my profile on keybase: https://keybase.io/patdavid, where you’ll find my public key along with my other verified accounts.

Really, it’s not simple and often confusing for casual users to set up and implement. :frowning:
I do like keybase.io though, as it takes some of the complexity out, and you can even encrypt a message that only I can read right on the site.


#11

@URUkL9tDXQLW5N8yg5F5 @patdavid
Thank you both for all this information. URUk’s request is legitimate as I provided a signature.
I was aware that I should provide the public key, so I wrote the above-mentioned verify-signature.txt and believed it was sufficient.
I cannot answer immediately as I am very busy building a travel slideshow for friends.
As soon as it is done (next week) I will study your posts and answer.


#12

@URUkL9tDXQLW5N8yg5F5 @patdavid

I opened an account on keybase: https://keybase.io/gaaned92
The github account is verified, but I cannot understand how to get the pixls and google drive accounts verified.

I decrypted the mail from Andreas.

…
Subject: Key verification

--eiNaZJEg7qBi3UHtPxT6dLdYhzX1vVrqK
Content-Type: multipart/mixed;
boundary="------------397050602F7F9C3F0CDAAFD0"
Content-Language: de-DE-1901

This is a multi-part message in MIME format.
--------------397050602F7F9C3F0CDAAFD0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
…

But I cannot understand what to do with it.

Surely I will try to put the builds in the keybase public folder.


(Pat David) #13

You won’t be able to verify against pixls.us, as they normally have you place a verification in a file at yoursite.com/keybase.txt, which is already being used by me.

The file in your keybase public folder should be fine too, as we can see that it is signed by your key on the site.


(Pat David) #14

Also, a small side note if you’re interested.

You can sign a binary file with your key so that anyone can verify that it was you who signed it. Assuming you have gpg installed, and the file might be a-file-to-sign.zip:

$ gpg --armor --detach-sig a-file-to-sign.zip

This will output a file called a-file-to-sign.zip.asc that can be distributed alongside your binary file.

Then we can verify the signature by:

$ gpg --verify a-file-to-sign.zip.asc
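The signing and verification flow from this post, combined with the fingerprint check on a second channel that post #5 and #9 ask for, as an added shell example that is not from the thread or from RT's own tooling. It assumes gpg is installed, uses a throwaway key (constructed identity signer@example.invalid) in a temporary GNUPGHOME, a constructed payload named after the post's a-file-to-sign.zip, and prints "skipped" when gpg is absent:

```shell
#!/bin/sh
# Added example, not from the thread: detached-sign a file, verify it, and
# additionally pin the signer's fingerprint (the out-of-band check the thread
# asks for). Uses a throwaway key in a temporary GNUPGHOME; the key, e-mail
# and payload are constructed. Prints "ok" on success, "skipped" without gpg.
sign_and_verify() {
  command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
  work=$(mktemp -d) || return 1
  GNUPGHOME="$work/gnupg"; export GNUPGHOME
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

  # 1. Throwaway signing key, standing in for the maintainer's key.
  gpg --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF' || return 1
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
  # Fingerprint as a user would learn it on a second channel (keybase, phone).
  trusted_fpr=$(gpg --batch --with-colons --fingerprint signer@example.invalid \
                | awk -F: '$1 == "fpr" { print $10; exit }')

  # 2. Sign: writes a-file-to-sign.zip.asc next to the artifact.
  printf 'constructed sample payload\n' > "$work/a-file-to-sign.zip"
  gpg --batch --quiet --armor --detach-sign "$work/a-file-to-sign.zip" || return 1

  # 3. Verify with both files named; the VALIDSIG status line carries the
  #    fingerprint of the key that actually produced the signature.
  got_fpr=$(gpg --batch --status-fd 1 --verify \
              "$work/a-file-to-sign.zip.asc" "$work/a-file-to-sign.zip" 2>/dev/null \
            | awk '$2 == "VALIDSIG" { print $3; exit }')

  # 4. A modified artifact must fail verification.
  printf 'x' >> "$work/a-file-to-sign.zip"
  if gpg --batch --verify "$work/a-file-to-sign.zip.asc" "$work/a-file-to-sign.zip" \
       >/dev/null 2>&1; then echo tampered-file-verified; return 1; fi

  gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$work"
  # A valid signature alone proves integrity; matching the pinned fingerprint
  # is what ties it to the expected signer.
  if [ -n "$got_fpr" ] && [ "$got_fpr" = "$trusted_fpr" ]; then echo ok
  else echo fingerprint-mismatch; return 1; fi
}
```

For a real release the trusted fingerprint would be the one published on keybase or another channel independent of the download site, not one read from the same key the signature came with.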

#15

@patdavid

  1. Account proving

Ah! I don’t want to usurp your site :roll_eyes:
But it would seem normal to be able to prove that an account (not a site) is yours.

  2. Keybase public folder
    Very easy to use. I will surely switch to that after testing.

  3. Signature
    Inside the zip file there is already an xxx.exe.asc file to sign the corresponding exe file.

What is done behind the scenes by keybase is still mysterious to me, but it is very easy to set up and use.
Thanks