ant-user mailing list archives

From "Anderson, Rob (Global Trade)" <Rob.Ander...@nike.com>
Subject RE: pgp signature
Date Wed, 11 Feb 2004 21:27:07 GMT
I have friends who I know are very security conscious. I have verified their keys' fingerprints
with them over the phone. I trust their keys fully, and have signed their keys with my key,
which I trust ultimately. I also have friends and former coworkers who are not so security
conscious, and may not protect their private key as much as they should. I trust their keys
marginally. There are definitely varying levels of trust which you can assign. That is all
subjective according to whatever trust you wish to assign.

The fact that GPG says the signature is good means that the public key you have for
"Antoine Levy-Lambert" is in fact the public key from the key pair that was used to sign the
file. Whether or not you believe that this key originated from "Antoine Levy-Lambert" is the
real question. You can effectively tell GPG if you believe this public key originated from
"Antoine Levy-Lambert" by assigning it trust. Whether or not you assign the key trust, it will
not change the fact that the signature is good.

MD5 checksums work well also. But you must have faith that the MD5 checksum was not
tampered with also.

-Rob A


> -----Original Message-----
> From: Adam Hardy [mailto:adam.ant@cyberspaceroad.com]
> Sent: Wednesday, February 11, 2004 12:12 PM
> To: Ant Users List
> Subject: Re: pgp signature
> 
> 
> 'Ultimately'? That's extreme, isn't it? Surely there are levels of
> trust? In this case, at the level of trust sufficient to be sure that
> the downloaded ant tarball really is from Antoine Levy-Lambert.
> 
> Or should I just be using one of the other options to verify that the 
> tarball hasn't changed since it was installed at apache?
> 
> 
> 
> On 02/11/2004 06:47 PM Anderson, Rob (Global Trade) wrote:
> > The trust is assigned by you. If you want to assign trust to a
> > person's key, you should know that person and verify the fingerprint
> > of the key with them personally (either face to face, or over the
> > phone). GPG allows you to build a "Web of Trust", so that if you
> > trust me ultimately, and I trust "Antoine Levy-Lambert" ultimately,
> > then you trust "Antoine Levy-Lambert". Since you have not built this
> > "Web of Trust", GPG is complaining that even though the signature is
> > verified against the file, the key used to verify the signature has
> > not been assigned trust, and therefore the key could be forged, since
> > you have not verified the fingerprint with "Antoine Levy-Lambert".
> > And if the key is forged, then the signature is meaningless, right?
> > 
> > I hope I have not confused you :)
> > 
> > -Rob Anderson
> > 
> > 
> >> -----Original Message-----
> >> From: Adam Hardy [mailto:adam.ant@cyberspaceroad.com]
> >> Sent: Wednesday, February 11, 2004 8:57 AM
> >> To: user@ant.apache.org
> >> Subject: pgp signature
> >> 
> >> 
> >> This is basically a newbie question about verifying the downloads from
> >> Apache. I just checked the archives for 'ultimately trusted' and
> >> 'verify signature' but didn't find anything.
> >> 
> >> I just did this for the first time (I'm the proud new owner of a 
> >> webserver so I've stepped my security awareness up a bit).
> >> 
> >> I got the following output:
> >> 
> >> [adam@gondor junk]$ gpg --verify apache-ant-1.6.0-bin.tar.bz2.asc
> >> gpg: WARNING: using insecure memory!
> >> gpg: please see http://www.gnupg.org/faq.html for more information
> >> gpg: Signature made Thu 18 Dec 2003 09:26:52 PM CET using DSA key ID 265B4C63
> >> gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer) <antoine@apache.org>"
> >> gpg:                 aka "Antoine Levy-Lambert (Apache Ant Committer) <antoine@antbuild.com>"
> >> gpg: checking the trustdb
> >> gpg: no ultimately trusted keys found
> >> gpg: WARNING: This key is not certified with a trusted signature!
> >> gpg:          There is no indication that the signature belongs to the owner.
> >> Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B  84B0 8614 D6AB  265B 4C63
> >> 
> >> 
> >> Does this mean that it failed? I got it from the German mirror. Or
> >> is the trustdb something I should update on my system? Obviously I
> >> recognise Antoine's name :)
> >> 
> >> I am also not sure about this mechanism - does gpg know to check
> >> the downloaded file because it has the same name as the *.asc file?
> >> 
> >> 
> >> Adam -- ant 1.6.0 + java 1.4.2 on Linux 2.4.20 Debian
> >> 
> >> 
> >> 
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
> >> For additional commands, e-mail: user-help@ant.apache.org
> >> 
> >> 
> >> 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> -- 
> ant 1.6.0 + java 1.4.2 on Linux 2.4.20 Debian
> 
> 
> 
> 
> 



