httpd-cvs mailing list archives

From build...@apache.org
Subject svn commit: r1011383 - in /websites/staging/httpd/trunk/content: ./ dev/verification.html
Date Sat, 29 Apr 2017 14:11:54 GMT
Author: buildbot
Date: Sat Apr 29 14:11:54 2017
New Revision: 1011383

Log:
Staging update by buildbot for httpd

Modified:
    websites/staging/httpd/trunk/content/   (props changed)
    websites/staging/httpd/trunk/content/dev/verification.html

Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sat Apr 29 14:11:54 2017
@@ -1 +1 @@
-1789191
+1793202

Modified: websites/staging/httpd/trunk/content/dev/verification.html
==============================================================================
--- websites/staging/httpd/trunk/content/dev/verification.html (original)
+++ websites/staging/httpd/trunk/content/dev/verification.html Sat Apr 29 14:11:54 2017
@@ -140,17 +140,22 @@ together, so you should be able to conne
 <div class="codehilite"><pre><span class="c">% gpg --keyserver pgpkeys.mit.edu
--recv-key 791485A8</span>
 <span class="n">gpg</span><span class="p">:</span> <span class="n">requesting</span>
<span class="n">key</span> 791485<span class="n">A8</span> <span
class="n">from</span> <span class="n">HKP</span> <span class="n">keyserver</span>
<span class="n">pgpkeys</span><span class="p">.</span><span class="n">mit</span><span
class="p">.</span><span class="n">edu</span>
 <span class="n">gpg</span><span class="p">:</span> <span class="n">trustdb</span>
<span class="n">created</span>
-<span class="n">gpg</span><span class="p">:</span> <span class="n">key</span>
791485<span class="n">A8</span><span class="p">:</span> <span class="n">public</span>
<span class="n">key</span> &quot;<span class="n">Jim</span> <span
class="n">Jagielski</span> <span class="o">&lt;</span><span class="n">jim</span><span
class="p">@</span><span class="n">apache</span><span class="p">.</span><span
class="n">org</span><span class="o">&gt;</span>&quot;
-<span class="n">imported</span>
-<span class="n">gpg</span><span class="p">:</span> <span class="n">Total</span>
<span class="n">number</span> <span class="n">processed</span><span
class="p">:</span> 1
-<span class="n">gpg</span><span class="p">:</span>           <span
class="n">imported</span><span class="p">:</span> 1
+<span class="n">gpg</span><span class="p">:</span> <span class="n">key</span>
791485<span class="n">A8</span><span class="p">:</span> <span class="n">public</span>
<span class="n">key</span> &quot;<span class="n">Jim</span> <span
class="n">Jagielski</span> <span class="o">&lt;</span><span class="n">jim</span><span
class="p">@</span><span class="n">apache</span><span class="p">.</span><span
class="n">org</span><span class="o">&gt;</span>&quot; <span
class="n">imported</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">key</span>
791485<span class="n">A8</span><span class="p">:</span> <span class="n">public</span>
<span class="n">key</span> &quot;<span class="n">Jim</span> <span
class="n">Jagielski</span> <span class="o">&lt;</span><span class="n">jim</span><span
class="p">@</span><span class="n">apache</span><span class="p">.</span><span
class="n">org</span><span class="o">&gt;</span>&quot; <span
class="n">imported</span>
+<span class="n">gpg</span><span class="p">:</span> <span class="n">Total</span>
<span class="n">number</span> <span class="n">processed</span><span
class="p">:</span> 2
+<span class="n">gpg</span><span class="p">:</span>              
<span class="n">imported</span><span class="p">:</span> 2  <span
class="p">(</span><span class="n">RSA</span><span class="p">:</span>
2<span class="p">)</span>
 </pre></div>
 
 
-<p>In this example, you have now received a public key for an entity known as
-'Jim Jagielski &lt;jim@apache.org&gt;' However, you have no way of
-verifying this key was created by the person known as Jim Jagielski. But,
-let's try to verify the release signature again.</p>
+<p>In this example, you have now received two public keys for an entity known
+as 'Jim Jagielski &lt;jim@apache.org&gt;' However, you have no way of
+verifying whether these keys were created by the person known as Jim
+Jagielski whose email address is claimed.  In fact, one of them is
+an imposter: see https://evil32.org/ for the story (and this could
+change again at any time).  This doesn't mean that PGP is broken,
+just that you need to look at the full 40-character key fingerprint
+rather than the obsolete 8-character ID.</p>
+<p>Anyway, let's try to verify the release signature again:</p>
 <div class="codehilite"><pre><span class="c">% gpg --verify httpd-2.4.18.tar.gz.asc
httpd-2.4.18.tar.gz</span>
 <span class="n">gpg</span><span class="p">:</span> <span class="n">Signature</span>
<span class="n">made</span> <span class="n">Tue</span> <span class="n">Dec</span>
 8 21<span class="p">:</span>32<span class="p">:</span>07 2015 <span
class="n">CET</span> <span class="n">using</span> <span class="n">RSA</span>
<span class="n">key</span> <span class="n">ID</span> 791485<span
class="n">A8</span>
 <span class="n">gpg</span><span class="p">:</span> <span class="n">Good</span>
<span class="n">signature</span> <span class="n">from</span> &quot;<span
class="n">Jim</span> <span class="n">Jagielski</span> <span class="o">&lt;</span><span
class="n">jim</span><span class="p">@</span><span class="n">apache</span><span
class="p">.</span><span class="n">org</span><span class="o">&gt;</span>&quot;
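Review bot: the new paragraph tells the reader that the 8-character key ID is obsolete and only the 40-character fingerprint should be trusted, yet the `gpg --keyserver pgpkeys.mit.edu --recv-key 791485A8` command at the top of this hunk still fetches by that short ID, and the `gpg --verify` output at the bottom still identifies the signer only as `RSA key ID 791485A8`, so after importing two keys with the same short ID the reader cannot tell from this transcript which of them produced the "Good signature". Suggest fetching by the full fingerprint that the next hunk introduces (`--recv-key A93D62ECC3C8EA12DB220EC934EA76E6791485A8`) or, if the point is to demonstrate the collision, keep the short-ID fetch but show the verify output with `--keyid-format long` (or the `Primary key fingerprint:` line that recent gpg prints for an uncertified key) so the two keys are distinguishable. The transcript as written also depends on the keyserver holding exactly two keys for this ID at the time of writing, which the paragraph itself admits "could change again at any time"; saying that the counts are illustrative would keep the page from going stale. Punctuation: a full stop is missing after `'Jim Jagielski <jim@apache.org>'` before `However` (carried over from the removed text).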
@@ -169,19 +174,22 @@ let's try to verify the release signatur
 <p>At this point, the signature is good, but we don't trust this key. A good
 signature means that the file has not been tampered. However, due to the
 nature of public key cryptography, you need to additionally verify that key
-791485A8 was created by the <strong>real</strong> Jim Jagielski.</p>
+A93D62ECC3C8EA12DB220EC934EA76E6791485A8 was created by the <strong>real</strong>
+Jim Jagielski.</p>
 <p>Any attacker can create a public key and upload it to the public key
 servers. They can then create a malicious release signed by this fake key.
 Then, if you tried to verify the signature of this corrupt release, it
 would succeed because the key was not the 'real' key. Therefore, you need
 to validate the authenticity of this key.</p>
 <h1 id="Validating">Validating Authenticity of a Key<a class="headerlink" href="#Validating"
title="Permanent link">&para;</a></h1>
-<p>You may download <a href="http://www.apache.org/dist/httpd/KEYS">public keys
for the Apache HTTP Server
-developers</a> from our website or
-retrieve them off the public PGP keyservers (see above). However, importing
-these keys is not enough to verify the integrity of the signatures. If a
-release verifies as good, you need to validate that the key was created by
-an official representative of the Apache HTTP Server Project.</p>
+<p>There are two ways to validate Jim's key.  The really secure way
+(described below) is using the PGP "Web of Trust", which will give
+you a cryptographically-strong chain of trust to Jim's key.
+However, if you are new to PGP, this takes some time and effort.
+A shortcut to a reasonable level of security is to check Jim's
+fingerprint (using https, not http) against the database maintained
+by the Apache foundation of Apache developers' fingerprints at
+https://people.apache.org/keys/committer/</p>
 <p>The crucial step to validation is to confirm the key fingerprint of the
 public key.</p>
 <div class="codehilite"><pre><span class="c">% gpg --fingerprint 791485A8</span>
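Review bot: this hunk replaces the short ID with the full fingerprint in the "you need to additionally verify that key ..." sentence, but the `gpg --fingerprint 791485A8` command that closes the hunk still selects by the short ID, which after the previous hunk's import matches two keys and will print two fingerprints; suggest `gpg --fingerprint A93D62ECC3C8EA12DB220EC934EA76E6791485A8`, or keep the short ID and state explicitly that both keys are listed and only the one matching the committer database is Jim's. The removed paragraph also linked the project's own KEYS file (http://www.apache.org/dist/httpd/KEYS) as the place to download the developers' public keys, and the replacement drops that pointer entirely in favour of https://people.apache.org/keys/committer/, a directory with no specific page named; keep the KEYS link (over https, consistent with the paragraph's own "using https, not http" advice) alongside the new one. Style: "the Apache foundation" should read "the Apache Software Foundation", and "The really secure way" is informal for this page; "The more rigorous way" or similar would fit the surrounding text.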


