httpd-cvs mailing list archives

From build...@apache.org
Subject svn commit: r816196 - in /websites/staging/httpd/trunk/content: ./ dev/verification.html
Date Sun, 06 May 2012 23:27:29 GMT
Author: buildbot
Date: Sun May  6 23:27:28 2012
New Revision: 816196

Log:
Staging update by buildbot for httpd

Modified:
    websites/staging/httpd/trunk/content/   (props changed)
    websites/staging/httpd/trunk/content/dev/verification.html

Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sun May  6 23:27:28 2012
@@ -1 +1 @@
-1334828
+1334829

Modified: websites/staging/httpd/trunk/content/dev/verification.html
==============================================================================
--- websites/staging/httpd/trunk/content/dev/verification.html (original)
+++ websites/staging/httpd/trunk/content/dev/verification.html Sun May  6 23:27:28 2012
@@ -90,37 +90,46 @@ example, you are already assumed to have
 <a href="http://www.openpgp.org/">OpenPGP</a> -compliant program should work
 successfully.</p>
 <p>First, we will check the detached signature ( <code>httpd-2.0.44.tar.gz.asc</code>
)
-against our release ( <code>httpd-2.0.44.tar.gz</code> ).
-<code>% gpg httpd-2.0.44.tar.gz.asc
-gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
-gpg: Can't check signature: public key not found</code> 
-We don't have the release manager's public key ( <code>DE885DD3</code> ) in our
local
+against our release ( <code>httpd-2.0.44.tar.gz</code> ).</p>
+<div class="codehilite"><pre><span class="c">% gpg httpd-2.0.44.tar.gz.asc</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">Signature</span>
<span class="n">made</span> <span class="n">Sat</span> <span class="n">Jan</span>
18 07<span class="p">:</span>21<span class="p">:</span>28 2003 <span
class="n">PST</span> <span class="n">using</span> <span class="n">DSA</span>
<span class="n">key</span> <span class="n">ID</span> <span class="n">DE885DD3</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">Can</span><span
class="o">&#39;</span><span class="n">t</span> <span class="n">check</span>
<span class="n">signature</span><span class="p">:</span> <span
class="n">public</span> <span class="n">key</span> <span class="n">not</span>
<span class="n">found</span>
+</pre></div>
+
+
+<p>We don't have the release manager's public key ( <code>DE885DD3</code>
) in our local
 system. You now need to retrieve the public key from a key server. One
 popular server is <code>pgpkeys.mit.edu</code> (which has a <a href="http://pgp.mit.edu/">web
 interface</a> ). The public key servers are linked
-together, so you should be able to connect to any key server.
-<code>% gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3
-gpg: requesting key DE885DD3 from HKP keyserver pgpkeys.mit.edu
-gpg: trustdb created
-gpg: key DE885DD3: public key "Sander Striker &amp;lt;striker@apache.org&amp;gt;"
-imported
-gpg: Total number processed: 1
-gpg:           imported: 1</code> 
-In this example, you have now received a public key for an entity known as
+together, so you should be able to connect to any key server.</p>
+<div class="codehilite"><pre><span class="c">% gpg --keyserver pgpkeys.mit.edu
--recv-key DE885DD3</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">requesting</span>
<span class="n">key</span> <span class="n">DE885DD3</span> <span
class="n">from</span> <span class="n">HKP</span> <span class="n">keyserver</span>
<span class="n">pgpkeys</span><span class="p">.</span><span class="n">mit</span><span
class="p">.</span><span class="n">edu</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">trustdb</span>
<span class="n">created</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">key</span>
<span class="n">DE885DD3</span><span class="p">:</span> <span class="n">public</span>
<span class="n">key</span> &quot;<span class="n">Sander</span>
<span class="n">Striker</span> <span class="o">&amp;</span><span
class="n">lt</span><span class="p">;</span><span class="n">striker</span><span
class="p">@</span><span class="n">apache</span><span class="p">.</span><span
class="n">org</span><span class="o">&amp;</span><span class="n">gt</span><span
class="p">;</span>&quot;
+<span class="n">imported</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">Total</span>
<span class="n">number</span> <span class="n">processed</span><span
class="p">:</span> 1
+<span class="n">gpg</span><span class="p">:</span>           <span
class="n">imported</span><span class="p">:</span> 1
+</pre></div>
+
+
+<p>In this example, you have now received a public key for an entity known as
 'Sander Striker &lt;striker@apache.org&gt;' However, you have no way of
 verifying this key was created by the person known as Sander Striker. But,
-let's try to verify the release signature again.
-<code>% gpg httpd-2.0.44.tar.gz.asc
-gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
-gpg: Good signature from "Sander Striker &amp;lt;striker@apache.org&amp;gt;"
-gpg:             aka "Sander Striker &amp;lt;striker@striker.nl&amp;gt;"
-gpg: checking the trustdb
-gpg: no ultimately trusted keys found
-gpg: WARNING: This key is not certified with a trusted signature!
-gpg:          There is no indication that the signature belongs to the
-owner.
-Fingerprint: 4C1E ADAD B4EF 5007 579C  919C 6635 B6C0 DE88 5DD3</code> 
-At this point, the signature is good, but we don't trust this key. A good
+let's try to verify the release signature again.</p>
+<div class="codehilite"><pre><span class="c">% gpg httpd-2.0.44.tar.gz.asc</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">Signature</span>
<span class="n">made</span> <span class="n">Sat</span> <span class="n">Jan</span>
18 07<span class="p">:</span>21<span class="p">:</span>28 2003 <span
class="n">PST</span> <span class="n">using</span> <span class="n">DSA</span>
<span class="n">key</span> <span class="n">ID</span> <span class="n">DE885DD3</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">Good</span>
<span class="n">signature</span> <span class="n">from</span> &quot;<span
class="n">Sander</span> <span class="n">Striker</span> <span class="o">&amp;</span><span
class="n">lt</span><span class="p">;</span><span class="n">striker</span><span
class="p">@</span><span class="n">apache</span><span class="p">.</span><span
class="n">org</span><span class="o">&amp;</span><span class="n">gt</span><span
class="p">;</span>&quot;
+<span class="n">gpg</span><span class="p">:</span>             <span
class="n">aka</span> &quot;<span class="n">Sander</span> <span
class="n">Striker</span> <span class="o">&amp;</span><span class="n">lt</span><span
class="p">;</span><span class="n">striker</span><span class="p">@</span><span
class="n">striker</span><span class="p">.</span><span class="n">nl</span><span
class="o">&amp;</span><span class="n">gt</span><span class="p">;</span>&quot;
+<span class="n">gpg</span><span class="p">:</span> <span class="n">checking</span>
<span class="n">the</span> <span class="n">trustdb</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">no</span>
<span class="n">ultimately</span> <span class="n">trusted</span> <span
class="n">keys</span> <span class="n">found</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">WARNING</span><span
class="p">:</span> <span class="n">This</span> <span class="n">key</span>
<span class="n">is</span> <span class="n">not</span> <span class="n">certified</span>
<span class="n">with</span> <span class="n">a</span> <span class="n">trusted</span>
<span class="n">signature</span>!
+<span class="n">gpg</span><span class="p">:</span>          <span
class="n">There</span> <span class="n">is</span> <span class="n">no</span>
<span class="n">indication</span> <span class="n">that</span> <span
class="n">the</span> <span class="n">signature</span> <span class="n">belongs</span>
<span class="n">to</span> <span class="n">the</span>
+<span class="n">owner</span><span class="p">.</span>
+<span class="n">Fingerprint</span><span class="p">:</span> 4<span
class="n">C1E</span> <span class="n">ADAD</span> <span class="n">B4EF</span>
5007 579<span class="n">C</span>  919<span class="n">C</span> 6635
<span class="n">B6C0</span> <span class="n">DE88</span> 5<span
class="n">DD3</span>
+</pre></div>
+
+
+<p>At this point, the signature is good, but we don't trust this key. A good
 signature means that the file has not been tampered. However, due to the
 nature of public key cryptography, you need to additionally verify that key
 DE885DD3 was created by the <strong>real</strong> Sander Striker.</p>
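Review bot: The added `<pre>` blocks in this hunk still double-escape the angle brackets around the e-mail addresses. The removed lines carry `&amp;lt;striker@apache.org&amp;gt;`, and the added lines split the same text into `<span class="o">&amp;</span><span class="n">lt</span><span class="p">;</span>`, so a browser will show the literal text `&lt;striker@apache.org&gt;` rather than the `<striker@apache.org>` that gpg prints. The paragraph after the second block escapes the same address once (`&lt;striker@apache.org&gt;`) and is correct; the code blocks in the source should be escaped once in the same way, so the user ID on the page matches the gpg output a reader compares it against.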
@@ -137,13 +146,16 @@ these keys is not enough to verify the i
 release verifies as good, you need to validate that the key was created by
 an official representative of the Apache HTTP Server Project.</p>
 <p>The crucial step to validation is to confirm the key fingerprint of the
-public key.
-<code>% gpg --fingerprint DE885DD3
-pub  1024D/DE885DD3 2002-04-10 Sander Striker &amp;lt;striker@apache.org&amp;gt;
-     Key fingerprint = 4C1E ADAD B4EF 5007 579C  919C 6635 B6C0 DE88 5DD3
-uid                Sander Striker &amp;lt;striker@striker.nl&amp;gt;
-sub  2048g/532D14CA 2002-04-10</code> 
-A good start to validating a key is by face-to-face communication with
+public key.</p>
+<div class="codehilite"><pre><span class="c">% gpg --fingerprint DE885DD3</span>
+<span class="n">pub</span>  1024<span class="n">D</span><span
class="o">/</span><span class="n">DE885DD3</span> 2002<span class="o">-</span>04<span
class="o">-</span>10 <span class="n">Sander</span> <span class="n">Striker</span>
<span class="o">&amp;</span><span class="n">lt</span><span
class="p">;</span><span class="n">striker</span><span class="p">@</span><span
class="n">apache</span><span class="p">.</span><span class="n">org</span><span
class="o">&amp;</span><span class="n">gt</span><span class="p">;</span>
+<span class="n">Key</span> <span class="n">fingerprint</span> <span
class="p">=</span> 4<span class="n">C1E</span> <span class="n">ADAD</span>
<span class="n">B4EF</span> 5007 579<span class="n">C</span>  919<span
class="n">C</span> 6635 <span class="n">B6C0</span> <span class="n">DE88</span>
5<span class="n">DD3</span>
+<span class="n">uid</span>                <span class="n">Sander</span>
<span class="n">Striker</span> <span class="o">&amp;</span><span
class="n">lt</span><span class="p">;</span><span class="n">striker</span><span
class="p">@</span><span class="n">striker</span><span class="p">.</span><span
class="n">nl</span><span class="o">&amp;</span><span class="n">gt</span><span
class="p">;</span>
+<span class="n">sub</span>  2048<span class="n">g</span><span
class="o">/</span>532<span class="n">D14CA</span> 2002<span class="o">-</span>04<span
class="o">-</span>10
+</pre></div>
+
+
+<p>A good start to validating a key is by face-to-face communication with
 multiple government-issued photo identification confirmations. However,
 each person is free to have their own standards for determining the
 authenticity of a key. Some people are satisfied by reading the key
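Review bot: In the `gpg --fingerprint` block the `Key fingerprint =` line loses the leading indentation it had in the removed version (the added line starts directly at `<span class="n">Key</span>`), and the fingerprint itself is broken into tokens such as `4<span class="n">C1E</span>` and `579<span class="n">C</span>`. This is the value the surrounding text asks readers to confirm, so it should render exactly as gpg prints it. Suggest marking the block as plain text so the highlighter leaves both the spacing and the hex groups untouched.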
@@ -158,27 +170,30 @@ web of trust. (Hint: all of our develope
 <p>For example, the following people have signed the public key for Sander
 Striker. If you verify any key on this list, you will have a trust path to
 the DE885DD3 key. If you verify a key that verifies one of the signatories
-for DE885DD3, then you will have a trust path. (So on, and so on.)
-<code>pub  1024D/DE885DD3 2002-04-10 Sander Striker &amp;lt;striker@apache.org&amp;gt;
-sig     E2226795 2002-05-01   Justin R. Erenkrantz
-sig 3       DE885DD3 2002-04-10   Sander Striker
-sig     CD4DF205 2002-05-28   Wolfram Schlich
-sig     E005C9CB 2002-11-17   Greg Stein
-sig     CC8B0F7E 2002-11-18   Aaron Bannert
-sig     DFEAC4B9 2002-11-19   David N. Welton
-sig 2       82AB7BD1 2002-11-17   Cliff Woolley
-sig 2       13046155 2002-11-28   Thom May
-sig 3       19311B00 2002-11-17   Chuck Murcko
-sig 3       F894BE12 2002-11-17   Brian William Fitzpatrick
-sig 3       5C1C3AD7 2002-11-18   David Reid
-sig 3       E04F9A89 2002-11-18   Roy T. Fielding
-sig 3       CC78C893 2002-11-19   Rich Bowen
-sig 3       08C975E5 2002-11-21   Jim Jagielski
-sig 3       F88341D9 2002-11-18   Lars Eilebrecht
-sig 3       187BD68D 2002-11-21   Ben Hyde
-sig 3       49A563D9 2002-11-23   Mark Cox
-...more signatures redacted...</code> 
-Since the developers are usually quite busy, you may not immediately find
+for DE885DD3, then you will have a trust path. (So on, and so on.)</p>
+<div class="codehilite"><pre><span class="n">pub</span>  <span
class="mi">1024</span><span class="n">D</span><span class="o">/</span><span
class="n">DE885DD3</span> <span class="mi">2002</span><span class="o">-</span><span
class="mo">04</span><span class="o">-</span><span class="mi">10</span>
<span class="n">Sander</span> <span class="n">Striker</span> <span
class="o">&amp;</span><span class="ow">lt</span><span class="p">;</span><span
class="n">striker</span><span class="nv">@apache</span><span class="o">.</span><span
class="n">org</span><span class="o">&amp;</span><span class="ow">gt</span><span
class="p">;</span>
+<span class="n">sig</span>     <span class="n">E2226795</span> <span
class="mi">2002</span><span class="o">-</span><span class="mo">05</span><span
class="o">-</span><span class="mo">01</span>   <span class="n">Justin</span>
<span class="n">R</span><span class="o">.</span> <span class="n">Erenkrantz</span>
+<span class="n">sig</span> <span class="mi">3</span>       <span
class="n">DE885DD3</span> <span class="mi">2002</span><span class="o">-</span><span
class="mo">04</span><span class="o">-</span><span class="mi">10</span>
  <span class="n">Sander</span> <span class="n">Striker</span>
+<span class="n">sig</span>     <span class="n">CD4DF205</span> <span
class="mi">2002</span><span class="o">-</span><span class="mo">05</span><span
class="o">-</span><span class="mi">28</span>   <span class="n">Wolfram</span>
<span class="n">Schlich</span>
+<span class="n">sig</span>     <span class="n">E005C9CB</span> <span
class="mi">2002</span><span class="o">-</span><span class="mi">11</span><span
class="o">-</span><span class="mi">17</span>   <span class="n">Greg</span>
<span class="n">Stein</span>
+<span class="n">sig</span>     <span class="n">CC8B0F7E</span> <span
class="mi">2002</span><span class="o">-</span><span class="mi">11</span><span
class="o">-</span><span class="mi">18</span>   <span class="n">Aaron</span>
<span class="n">Bannert</span>
+<span class="n">sig</span>     <span class="n">DFEAC4B9</span> <span
class="mi">2002</span><span class="o">-</span><span class="mi">11</span><span
class="o">-</span><span class="mi">19</span>   <span class="n">David</span>
<span class="n">N</span><span class="o">.</span> <span class="n">Welton</span>
+<span class="n">sig</span> <span class="mi">2</span>       <span
class="mi">82</span><span class="n">AB7BD1</span> <span class="mi">2002</span><span
class="o">-</span><span class="mi">11</span><span class="o">-</span><span
class="mi">17</span>   <span class="n">Cliff</span> <span class="n">Woolley</span>
+<span class="n">sig</span> <span class="mi">2</span>       <span
class="mi">13046155</span> <span class="mi">2002</span><span class="o">-</span><span
class="mi">11</span><span class="o">-</span><span class="mi">28</span>
  <span class="n">Thom</span> <span class="n">May</span>
+<span class="n">sig</span> <span class="mi">3</span>       <span
class="mi">19311</span><span class="n">B00</span> <span class="mi">2002</span><span
class="o">-</span><span class="mi">11</span><span class="o">-</span><span
class="mi">17</span>   <span class="n">Chuck</span> <span class="n">Murcko</span>
+<span class="n">sig</span> <span class="mi">3</span>       <span
class="n">F894BE12</span> <span class="mi">2002</span><span class="o">-</span><span
class="mi">11</span><span class="o">-</span><span class="mi">17</span>
  <span class="n">Brian</span> <span class="n">William</span> <span
class="n">Fitzpatrick</span>
+<span class="n">sig</span> <span class="mi">3</span>       <span
class="mi">5</span><span class="n">C1C3AD7</span> <span class="mi">2002</span><span
class="o">-</span><span class="mi">11</span><span class="o">-</span><span
class="mi">18</span>   <span class="n">David</span> <span class="n">Reid</span>
+<span class="n">sig</span> <span class="mi">3</span>       <span
class="n">E04F9A89</span> <span class="mi">2002</span><span class="o">-</span><span
class="mi">11</span><span class="o">-</span><span class="mi">18</span>
  <span class="n">Roy</span> <span class="n">T</span><span class="o">.</span>
<span class="n">Fielding</span>
+<span class="n">sig</span> <span class="mi">3</span>       <span
class="n">CC78C893</span> <span class="mi">2002</span><span class="o">-</span><span
class="mi">11</span><span class="o">-</span><span class="mi">19</span>
  <span class="n">Rich</span> <span class="n">Bowen</span>
+<span class="n">sig</span> <span class="mi">3</span>       <span
class="mi">08</span><span class="n">C975E5</span> <span class="mi">2002</span><span
class="o">-</span><span class="mi">11</span><span class="o">-</span><span
class="mi">21</span>   <span class="n">Jim</span> <span class="n">Jagielski</span>
+<span class="n">sig</span> <span class="mi">3</span>       <span
class="n">F88341D9</span> <span class="mi">2002</span><span class="o">-</span><span
class="mi">11</span><span class="o">-</span><span class="mi">18</span>
  <span class="n">Lars</span> <span class="n">Eilebrecht</span>
+<span class="n">sig</span> <span class="mi">3</span>       <span
class="mi">187</span><span class="n">BD68D</span> <span class="mi">2002</span><span
class="o">-</span><span class="mi">11</span><span class="o">-</span><span
class="mi">21</span>   <span class="n">Ben</span> <span class="n">Hyde</span>
+<span class="n">sig</span> <span class="mi">3</span>       <span
class="mi">49</span><span class="n">A563D9</span> <span class="mi">2002</span><span
class="o">-</span><span class="mi">11</span><span class="o">-</span><span
class="mi">23</span>   <span class="n">Mark</span> <span class="n">Cox</span>
+<span class="o">...</span><span class="n">more</span> <span class="n">signatures</span>
<span class="n">redacted</span><span class="o">...</span>
+</pre></div>
+
+
+<p>Since the developers are usually quite busy, you may not immediately find
 success in someone who is willing to meet face-to-face (they may not even
 respond to your emails because they are so busy!). If you do not have a
 developer nearby or have trouble locating a suitable person, please send an
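Review bot: The signature list is tokenized as source code, which splits key IDs at the digit/letter boundary (`<span class="mi">82</span><span class="n">AB7BD1</span>`, `<span class="mi">5</span><span class="n">C1C3AD7</span>`) and uses a different set of classes (`mi`, `mo`, `nv`, `ow`) from the other blocks in this file (`n`, `p`, `c`). If the stylesheet colours numbers and names differently, a single key ID will appear in two colours. The block is a gpg listing, not code; suggest rendering it as plain preformatted text and giving the other gpg output blocks the same treatment.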
@@ -186,11 +201,12 @@ email to the address of the key you are 
 able to find someone who will be willing to validate their key or arrange
 alternate mechanisms for validation.</p>
 <p>Once you have entered the web of trust, you should see the following upon
-verifying the signature of a release.
-<code>% gpg httpd-2.0.44.tar.gz.asc
-gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
-gpg: Good signature from "Sander Striker &amp;lt;striker@apache.org&amp;gt;"
-gpg:             aka "Sander Striker &amp;lt;striker@striker.nl&amp;gt;"</code>
</p>
+verifying the signature of a release.</p>
+<div class="codehilite"><pre><span class="c">% gpg httpd-2.0.44.tar.gz.asc</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">Signature</span>
<span class="n">made</span> <span class="n">Sat</span> <span class="n">Jan</span>
18 07<span class="p">:</span>21<span class="p">:</span>28 2003 <span
class="n">PST</span> <span class="n">using</span> <span class="n">DSA</span>
<span class="n">key</span> <span class="n">ID</span> <span class="n">DE885DD3</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">Good</span>
<span class="n">signature</span> <span class="n">from</span> &quot;<span
class="n">Sander</span> <span class="n">Striker</span> <span class="o">&amp;</span><span
class="n">lt</span><span class="p">;</span><span class="n">striker</span><span
class="p">@</span><span class="n">apache</span><span class="p">.</span><span
class="n">org</span><span class="o">&amp;</span><span class="n">gt</span><span
class="p">;</span>&quot;
+<span class="n">gpg</span><span class="p">:</span>             <span
class="n">aka</span> &quot;<span class="n">Sander</span> <span
class="n">Striker</span> <span class="o">&amp;</span><span class="n">lt</span><span
class="p">;</span><span class="n">striker</span><span class="p">@</span><span
class="n">striker</span><span class="p">.</span><span class="n">nl</span><span
class="o">&amp;</span><span class="n">gt</span><span class="p">;</span>&quot;
+</pre></div>
             
 
             <!-- FOOTER -->
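Review bot: The command line `% gpg httpd-2.0.44.tar.gz.asc` is wrapped in `<span class="c">`, the comment class, while the gpg output below it is styled as identifiers and punctuation. That inverts the emphasis, since the command is the one line a reader types. Suggest a plain-text or console rendering for this block so the prompt line is not dimmed as a comment.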


