Now Publishing fedora developer PGP keys in DNSSEC
Till Maas
opensource at till.name
Thu Jan 29 06:06:11 UTC 2015
On Wed, Jan 28, 2015 at 06:10:13PM -0500, Paul Wouters wrote:
> On Wed, 28 Jan 2015, Till Maas wrote:
>
> >The keyid is part of the fingerprint, so with the fingerprint one can
> >download the key and verify it. Therefore it is the only right thing to
> >do.
>
> I'm not saying don't store the fingerprint, but use a separate field for
> that which is not the keyid field. People write the fingerprint in
> various different syntaxes, using : or - or " ", etc.
The keyid is worthless, because the fingerprint always needs to be
checked. So even with a second field there would be a problem with extra
characters that can be easily solved by just ignoring any
non-hexadecimal key. Enforcing the storage of fingerprints is a planned
feature for the new FAS:
https://github.com/fedora-infra/fas/issues/53
> >| 5) almost all these keys are old keys of which I could forge a fake
> >| matching keyid and upload it to public key servers.
> >
> >Can you explain this? For which keys is this not possible?
>
> https://github.com/coruus/cooperpair/tree/master/keysteak
>
> Only v4 keys are safe.
They are not safe. This was what was shown at
https://evil32.com/
> >Thank you for promoting GPG usage. Did you think about
> >adding unique uids to Fedora release GPG keys to make them available
> >this way as well?
>
> I thought about it but we don't use unique email addresses for different
> release keys. So they would all be under fedora at fedoraproject.org.
>
> I could put them under fedoraXX at fedoraproject.org ?
There are two keys per release, one for primary and one for secondary
archs. I opened a rel-eng ticket, so we can discuss it there or at the
next meeting, but the next two meetings might be skipped due to
conference travelling:
https://fedorahosted.org/rel-eng/ticket/6096
Regards
Till
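The thread above turns on two points: fingerprints get written in several syntaxes (colons, dashes, spaces), and a key ID on its own proves nothing because it is only the tail of the fingerprint. The following is an added example, not code from the thread or from FAS, showing how a defender would normalize a fingerprint by dropping non-hexadecimal characters, enforce the 40-hex-digit length of a v4 fingerprint, derive the long and short key IDs from it, and compare two fingerprints. All fingerprint values below are constructed for illustration and belong to no real key.

```python
import hmac
import string

# Constructed sample input: one made-up v4 fingerprint written in the three
# syntaxes the thread mentions (spaces, colons, dashes).  Not a real key.
SAMPLE_FINGERPRINTS = [
    "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67",
    "01234567-89abcdef-01234567-89abcdef-01234567",
]

# A second constructed fingerprint that shares only its last 8 hex digits
# (the 32-bit "short key ID") with the one above.
OTHER_FINGERPRINT = "FEDCBA9876543210FEDCBA9876543210" + "01234567"

_HEX = frozenset(string.hexdigits)
V4_FINGERPRINT_HEX_LEN = 40  # v4 fingerprints are SHA-1: 160 bits = 40 hex digits


def normalize_fingerprint(text):
    """Return the fingerprint as 40 upper-case hex digits.

    Every non-hexadecimal character (separators, stray whitespace) is ignored,
    which is the approach suggested in the reply above.  Anything that does not
    leave exactly 40 hex digits is rejected: too short, too long, or a value
    with a leading "0x" (the "0" survives and the length check then fails).
    """
    digits = "".join(c for c in text if c in _HEX).upper()
    if len(digits) != V4_FINGERPRINT_HEX_LEN:
        raise ValueError(
            f"expected {V4_FINGERPRINT_HEX_LEN} hex digits, got {len(digits)}: {text!r}"
        )
    return digits


def is_valid_fingerprint(text):
    """Boolean wrapper around normalize_fingerprint for callers that just filter."""
    try:
        normalize_fingerprint(text)
    except ValueError:
        return False
    return True


def key_ids(text):
    """Return (long_key_id, short_key_id) for a v4 fingerprint in any syntax.

    For v4 OpenPGP keys the key ID is the low 64 bits of the fingerprint, i.e.
    its last 16 hex digits; the short key ID is the low 32 bits, the last 8.
    Both are therefore derivable from the fingerprint, never the other way round.
    """
    fp = normalize_fingerprint(text)
    return fp[-16:], fp[-8:]


def fingerprint_matches(candidate, expected):
    """Compare two fingerprints after normalization.

    hmac.compare_digest avoids leaking, via timing, how many leading digits
    matched; the inputs are public, but the habit costs nothing here.
    """
    return hmac.compare_digest(
        normalize_fingerprint(candidate), normalize_fingerprint(expected)
    )


def short_id_collides(fp_a, fp_b):
    """True when two distinct fingerprints would look identical by short key ID."""
    return (
        normalize_fingerprint(fp_a) != normalize_fingerprint(fp_b)
        and key_ids(fp_a)[1] == key_ids(fp_b)[1]
    )


if __name__ == "__main__":
    canonical = normalize_fingerprint(SAMPLE_FINGERPRINTS[0])
    for fp in SAMPLE_FINGERPRINTS[1:]:
        print(fp, "->", fingerprint_matches(fp, canonical))
    print("key IDs:", key_ids(canonical))
    print("short ID collision with unrelated key:",
          short_id_collides(canonical, OTHER_FINGERPRINT))
```

The last check is the practical reason the reply insists on the full fingerprint: two unrelated fingerprints can end in the same 8 (or 16) hex digits, so a record that stores only a key ID cannot distinguish the legitimate key from a look-alike, whereas the normalized fingerprint can.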