
List:       busybox
Subject:    Re: How to obtain GPG Signature for Busybox downloads?
From:       Dominique Martinet <asmadeus () codewreck ! org>
Date:       2023-02-14 0:29:54
Message-ID: Y+rWAs6Edq0etM+7 () codewreck ! org

Eric Duncan wrote on Mon, Feb 13, 2023 at 07:10:50PM -0500:
> I am trying to verify busybox downloads with the signature file.
> 
> https://www.busybox.net/downloads/busybox-1.36.0.tar.bz2
> https://www.busybox.net/downloads/busybox-1.36.0.tar.bz2.sig
> 
> $ gpg --verify busybox-1.36.0.tar.bz2.sig
> gpg: assuming signed data in 'busybox-1.36.0.tar.bz2'
> gpg: Signature made Tue Jan  3 14:30:09 2023 UTC
> gpg:                using DSA key C9E9416F76E610DBD09D040F47B70C55ACC9965B
> gpg:                issuer "vda.linux@googlemail.com"
> gpg: Can't check signature: No public key
> 
> I am unable to locate the public key on busybox.net though.  Tried
> searching public key servers without success:
> 
> gpg --batch --keyserver certserver.pgp.com --recv-keys C9E9416F76E610DB
> gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C9E9416F76E610DB
> gpg --batch --keyserver pool.sks-keyservers.net --recv-keys C9E9416F76E610DB

A key's short form isn't the first 8 bytes; it's the first 4 and the
last 4.
You should always use the long form though, as short-form key
collisions are trivial, at which point this works:

$ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C9E9416F76E610DBD09D040F47B70C55ACC9965B
gpg: key 47B70C55ACC9965B: "Denis Vlasenko <vda.linux@googlemail.com>" not changed

The key can also be found directly on the busybox website:
https://busybox.net/~vda/vda_pubkey.gpg

Either way, if the files had been compromised an attacker could just
sign the file with a new key and you've just downloaded the attacker's
key; this trust model is broken.
It'll be useful from the next upgrade onwards.

-- 
Dominique
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
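
Added example, not code from the thread or from the BusyBox project, tying the two points of the reply together. The key ID that gpg printed ("key 47B70C55ACC9965B" above) is the last 16 hex digits of the 40-digit fingerprint and the short form is the last 8, so the first 16 digits passed to --recv-keys in the question name no key at all. And since fetching a key from busybox.net or a keyserver only proves that such a key exists, the one thing that makes "Good signature" meaningful is comparing the signing key's fingerprint against a value pinned from a source independent of the download site. The script therefore accepts only full fingerprints, derives both ID forms from one, and checks gpg's VALIDSIG status line against the pinned value. The keyserver name, the script name and the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the BusyBox project.
# Derives GnuPG key IDs from a full fingerprint and verifies a detached
# signature against a pinned fingerprint. gpg is needed only for
# fetch_key and verify_pinned; the key-ID helpers are pure shell.

# Fingerprint quoted in the thread. The value you pin should come from a
# source independent of the download site; pinning it here is illustrative.
BUSYBOX_FPR="C9E9416F76E610DBD09D040F47B70C55ACC9965B"

# Normalise a fingerprint: strip spaces, upper-case, require 40 hex digits
# (a v4 fingerprint). Rejects truncated IDs such as the 16-digit prefix
# that was passed to --recv-keys in the question.
norm_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ "${#fpr}" -eq 40 ] || return 1
    case "$fpr" in *[!0-9A-F]*) return 1 ;; esac
    printf '%s\n' "$fpr"
}

# Long key ID = last 16 hex digits (low 64 bits) of the fingerprint.
long_keyid() {
    fpr=$(norm_fpr "$1") || return 1
    printf '%s\n' "$fpr" | cut -c 25-40
}

# Short key ID = last 8 hex digits (low 32 bits). 2^32 is small enough that
# a colliding key can be generated on commodity hardware, so never fetch
# or trust a key by this form.
short_keyid() {
    fpr=$(norm_fpr "$1") || return 1
    printf '%s\n' "$fpr" | cut -c 33-40
}

# Fetch the key by full fingerprint, never by a truncated ID.
# Keyserver name is an assumption; any HKP/HKPS server works.
fetch_key() {
    fpr=$(norm_fpr "$1") || return 1
    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$fpr"
}

# Verify sig over file and require the signing key (or its primary key) to
# match the pinned fingerprint. With --status-fd gpg prints a machine-readable
# "[GNUPG:] VALIDSIG <fpr> ... <primary-fpr>" line only for a good signature,
# so the fingerprint field is compared instead of grepping "Good signature".
verify_pinned() {
    sig=$1; file=$2
    pinned=$(norm_fpr "$3") || return 1
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v want="$pinned" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Usage (file names assumed): ./verify.sh busybox-1.36.0.tar.bz2.sig busybox-1.36.0.tar.bz2
if [ "$#" -eq 2 ]; then
    fetch_key "$BUSYBOX_FPR" >/dev/null 2>&1 \
        || echo "warning: key fetch failed, using local keyring" >&2
    if verify_pinned "$1" "$2" "$BUSYBOX_FPR"; then
        echo "OK: $2 signed by key $(long_keyid "$BUSYBOX_FPR")"
    else
        echo "FAIL: bad signature or unexpected signing key for $2" >&2
        exit 1
    fi
fi
```

The check in verify_pinned is what closes the gap the reply describes: an attacker who replaced the tarball, the .sig and vda_pubkey.gpg on the same server still cannot produce a VALIDSIG line carrying the pinned fingerprint, so the download fails even though gpg itself would happily report "Good signature" for the attacker's key.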