httpd-cvs mailing list archives

From jerenkra...@apache.org
Subject cvs commit: httpd-site/xdocs/dev verification.xml index.xml
Date Wed, 19 Feb 2003 04:43:13 GMT
jerenkrantz    2003/02/18 20:43:13

  Modified:    docs     download.html
               docs/dev index.html
               xdocs    download.xml
               xdocs/dev index.xml
  Added:       xdocs/dev verification.xml
  Log:
  Add a verification guidelines page.
  
  Revision  Changes    Path
  1.19      +2 -1      httpd-site/docs/download.html
  
  Index: download.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/download.html,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -u -r1.18 -r1.19
  --- download.html	22 Jan 2003 15:25:23 -0000	1.18
  +++ download.html	19 Feb 2003 04:43:13 -0000	1.19
  @@ -193,7 +193,8 @@
    <tr><td>
     <blockquote>
   <p>It is essential that you verify the integrity of the downloaded
  -files using the PGP or MD5 signatures.</p>
  +files using the PGP or MD5 signatures.  Please read <a href="/dev/verification.html">Verifying
Apache HTTP Server Releases</a> for
  +more information on why you should verify our releases.</p>
   <p>The PGP signatures can be verified using PGP or GPG.  First
   download the <a href="http://www.apache.org/dist/httpd/KEYS">KEYS</a>
   as well as the <code>asc</code> signature file for the particular
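Review bot: The link sentence added after "files using the PGP or MD5 signatures." promises only "why you should verify our releases", while the page it points to (verification.xml, added in this commit) is mostly a walkthrough of how to check a signature and validate the signing key. Suggest "for more information on why and how to verify our releases" so that readers looking for the procedure follow the link.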
  
  
  
  1.26      +2 -0      httpd-site/docs/dev/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/dev/index.html,v
  retrieving revision 1.25
  retrieving revision 1.26
  diff -u -u -r1.25 -r1.26
  --- index.html	28 Dec 2002 21:12:18 -0000	1.25
  +++ index.html	19 Feb 2003 04:43:13 -0000	1.26
  @@ -207,6 +207,8 @@
      </li>
      <li>A <a href="binbuild.sh">shell script</a> to build a binary release
      </li>
  +   <li><a href="verification.html">Verifying Apache HTTP Server releases</a>
  +   </li>
     </ul>
     </blockquote>
    </td></tr>
  
  
  
  1.18      +3 -1      httpd-site/xdocs/download.xml
  
  Index: download.xml
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/download.xml,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -u -r1.17 -r1.18
  --- download.xml	22 Jan 2003 15:25:23 -0000	1.17
  +++ download.xml	19 Feb 2003 04:43:13 -0000	1.18
  @@ -159,7 +159,9 @@
   <section id="verify"><title>Verify the integrity of the files</title>
   
   <p>It is essential that you verify the integrity of the downloaded
  -files using the PGP or MD5 signatures.</p>
  +files using the PGP or MD5 signatures.  Please read <a
  +href="/dev/verification.html">Verifying Apache HTTP Server Releases</a> for
  +more information on why you should verify our releases.</p>
   
   <p>The PGP signatures can be verified using PGP or GPG.  First
   download the <a href="http://www.apache.org/dist/httpd/KEYS">KEYS</a>
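Review bot: The sentence being extended here still says "the PGP or MD5 signatures", but an MD5 value is a hash, not a signature, and the new verification.xml in this same commit words it as "PGP signatures and MD5 hashes". Since the sentence is being touched anyway, suggest "using the PGP signatures or MD5 hashes" here, with docs/download.html regenerated to match, so the download page does not imply that an MD5 sum authenticates a release the way a signature does.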
  
  
  
  1.7       +2 -0      httpd-site/xdocs/dev/index.xml
  
  Index: index.xml
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/dev/index.xml,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -u -r1.6 -r1.7
  --- index.xml	25 Nov 2002 05:17:40 -0000	1.6
  +++ index.xml	19 Feb 2003 04:43:13 -0000	1.7
  @@ -118,6 +118,8 @@
      </li>
      <li>A <a href="binbuild.sh">shell script</a> to build a binary release
      </li>
  +   <li><a href="verification.html">Verifying Apache HTTP Server releases</a>
  +   </li>
     </ul>
   </section>
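Review bot: The link text in the new list item, "Verifying Apache HTTP Server releases", does not match the capitalisation of the page title in verification.xml or of the link added to download.xml in this commit ("Verifying Apache HTTP Server Releases"). Suggest using the title's capitalisation here and in the generated docs/dev/index.html.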
   
  
  
  
  1.1                  httpd-site/xdocs/dev/verification.xml
  
  Index: verification.xml
  ===================================================================
  <?xml version="1.0"?>
  <document>
    <properties>
      <author email="docs@httpd.apache.org">Documentation Group</author>
      <title>Verifying Apache HTTP Server Releases</title>
    </properties>
  <body>
  
  <section id="Sign">
  <title>What we sign</title>
  
  <p>All official releases of code distributed by the Apache HTTP Server Project
  are signed by the release manager for the release.  PGP signatures and MD5
  hashes are available along with the distribution.</p>
  
  <p>You should download the PGP signatures and MD5 hashes directly from the
  Apache Software Foundation rather than our mirrors.  This is to help ensure the
  integrity of the signature files.  However, you are encouraged to download the
  releases from our mirrors.  (Our download page points you at the mirrors for
  the release and the official site for the signatures, so this happens
  automatically for you.)</p>
  
  </section>
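Review bot: The "What we sign" section lists MD5 hashes beside PGP signatures, but nothing later in the page shows how to check the MD5 file or says what a matching hash does and does not establish. Suggest one sentence here stating that a matching hash only shows the download is identical to what the hash file fetched from the Apache site describes, and that the PGP signature together with a validated key is what ties the release to the release manager.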
  
  <section id="Checking">
  <title>Checking Signatures</title>
  
  <p>The following example details how signature interaction works.  In this
  example, you are already assumed to have downloaded
  <code>httpd-2.0.44.tar.gz</code> (the release) and
  <code>httpd-2.0.44.tar.gz.asc</code> (the detached signature).</p>
  
  <p>This example uses <a href="http://www.gnupg.org/">The GNU Privacy Guard</a>.
  Any <a href="http://www.openpgp.org/">OpenPGP</a>-compliant program should work
  successfully.</p>
  
  <p>First, we will check the detached signature
  (<code>httpd-2.0.44.tar.gz.asc</code>) against our release
  (<code>httpd-2.0.44.tar.gz</code>).</p>
  
  <pre>
  % gpg httpd-2.0.44.tar.gz.asc
  gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
  gpg: Can't check signature: public key not found
  </pre>
  
  <p>We don't have the release manager's public key (<code>DE885DD3</code>)
in
  our local system.  You now need to retrieve the public key from a key
  server.  One popular server is <code>pgpkeys.mit.edu</code> (which has a <a
  href="http://pgp.mit.edu/">web interface</a>).  The public key servers are
  linked together, so you should be able to connect to any key server.</p>
  
  <pre>
  % gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3
  gpg: requesting key DE885DD3 from HKP keyserver pgpkeys.mit.edu
  gpg: trustdb created
  gpg: key DE885DD3: public key "Sander Striker &lt;striker@apache.org&gt;" imported
  gpg: Total number processed: 1
  gpg:               imported: 1
  </pre>
  
  <p>In this example, you have now received a public key for an entity known
  as 'Sander Striker &lt;striker@apache.org&gt;'  However, you have no way
  of verifying this key was created by the person known as Sander Striker.
  But, let's try to verify the release signature again.</p>
  
  <pre>
  % gpg httpd-2.0.44.tar.gz.asc
  gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
  gpg: Good signature from "Sander Striker &lt;striker@apache.org&gt;"
  gpg:                 aka "Sander Striker &lt;striker@striker.nl&gt;"
  gpg: checking the trustdb
  gpg: no ultimately trusted keys found
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Fingerprint: 4C1E ADAD B4EF 5007 579C  919C 6635 B6C0 DE88 5DD3
  </pre>
  
  <p>At this point, the signature is good, but we don't trust this key.  A good
  signature means that the file has not been tampered.  However, due to the
  nature of public key cryptography, you need to additionally verify that key
  DE885DD3 was created by the <b>real</b> Sander Striker.</p>
  
  <p>Any attacker can create a public key and upload it to the public key
  servers.  They can then create a malicious release signed by this fake key.
  Then, if you tried to verify the signature of this corrupt release, it would
  succeed because the key was not the 'real' key.  Therefore, you need to
  validate the authenticity of this key.</p>
  
  </section>
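Review bot: "A good signature means that the file has not been tampered", in the paragraph after the third gpg transcript, claims more than that output supports, and the next paragraph contradicts it by pointing out that a release signed with an attacker's key also verifies as good. Suggest "A good signature means the file is exactly what the holder of key DE885DD3 signed", with "tampered with" for the grammar. Smaller points in the same section: the key is fetched and named only by its 8-digit ID, so it would help to say that the ID is a lookup handle and that the full fingerprint gpg prints is what has to be compared; the examples could use the explicit form gpg --verify httpd-2.0.44.tar.gz.asc httpd-2.0.44.tar.gz so the file being checked is named rather than inferred; and the sentence ending 'Sander Striker &lt;striker@apache.org&gt;' is missing its full stop.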
  
  <section id="Validating">
  <title>Validating Authenticity of a Key</title>
  
  <p>You may download <a href="http://www.apache.org/dist/httpd/KEYS">public keys
  for the Apache HTTP Server developers</a> from our website or retrieve them off
  the public PGP keyservers (see above).  However, importing these keys is not
  enough to verify the integrity of the signatures.  If a release verifies as
  good, you need to validate that the key was created by an official
  representative of the Apache HTTP Server Project.</p>
  
  <p>The crucial step to validation is to confirm the key fingerprint of the
  public key.</p>
  
  <pre>
  % gpg --fingerprint DE885DD3
  pub  1024D/DE885DD3 2002-04-10 Sander Striker &lt;striker@apache.org&gt;
       Key fingerprint = 4C1E ADAD B4EF 5007 579C  919C 6635 B6C0 DE88 5DD3
  uid                            Sander Striker &lt;striker@striker.nl&gt;
  sub  2048g/532D14CA 2002-04-10
  </pre>
  
  <p>A good start to validating a key is by face-to-face communication with
  multiple government-issued photo identification confirmations.  However, each
  person is free to have their own standards for determining the authenticity of
  a key.  Some people are satisfied by reading the key signature over a telephone
  (voice verification).  For more information on determining what level of trust
  works best for you, please read the GNU Privacy Handbook section on <a
  href="http://www.gnupg.org/gph/en/manual.html#AEN335">Validating other keys on
  your public keyring</a>.</p>
  
  <p>Most of the Apache HTTP Server developers have attempted to sign each
  others' keys (usually with face-to-face validation).  Therefore, in order to
  enter the web of trust, you should only need to validate one person in our
  web of trust.  (Hint: all of our developers' keys are in the KEYS file.)</p>
  
  <p>For example, the following people have signed the public key for Sander
  Striker.  If you verify any key on this list, you will have a trust
  path to the DE885DD3 key.  If you verify a key that verifies one of the
  signatories for DE885DD3, then you will have a trust path.  (So on, and so
  on.)</p>
  
  <pre>
  pub  1024D/DE885DD3 2002-04-10 Sander Striker &lt;striker@apache.org&gt;
  sig         E2226795 2002-05-01   Justin R. Erenkrantz
  sig 3       DE885DD3 2002-04-10   Sander Striker
  sig         CD4DF205 2002-05-28   Wolfram Schlich
  sig         E005C9CB 2002-11-17   Greg Stein
  sig         CC8B0F7E 2002-11-18   Aaron Bannert
  sig         DFEAC4B9 2002-11-19   David N. Welton
  sig 2       82AB7BD1 2002-11-17   Cliff Woolley
  sig 2       13046155 2002-11-28   Thom May
  sig 3       19311B00 2002-11-17   Chuck Murcko
  sig 3       F894BE12 2002-11-17   Brian William Fitzpatrick
  sig 3       5C1C3AD7 2002-11-18   David Reid
  sig 3       E04F9A89 2002-11-18   Roy T. Fielding
  sig 3       CC78C893 2002-11-19   Rich Bowen
  sig 3       08C975E5 2002-11-21   Jim Jagielski
  sig 3       F88341D9 2002-11-18   Lars Eilebrecht
  sig 3       187BD68D 2002-11-21   Ben Hyde
  sig 3       49A563D9 2002-11-23   Mark Cox
  ...more signatures redacted...
  </pre>
  
  <p>Since the developers are usually quite busy, you may not immediately find
  success in someone who is willing to meet face-to-face (they may not even
  respond to your emails because they are so busy!).  If you do not have a
  developer nearby or have trouble locating a suitable person, please send an
  email to the address of the key you are attempting to verify.  They may be able
  to find someone who will be willing to validate their key or arrange alternate
  mechanisms for validation.</p>
  
  </section>
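Review bot: "reading the key signature over a telephone", in the paragraph after the gpg --fingerprint output, should read "key fingerprint": the fingerprint is what this section calls the crucial step and what the command above prints, and "key signature" is easy to confuse with the sig lines listed further down. In the final paragraph, the fallback of emailing the address on the key should also say that a reply by email is not itself validation, since that address is read from the key that has not been validated yet and plain email is not authenticated; it is only a way to arrange one of the checks described above.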
  
  </body>
  </document>
  
  
  
