Discussion:
[Dnsmasq-discuss] Secure download of dnsmasq
Oskar Lundström
2017-10-23 18:14:47 UTC
Is there a way to download the source code of dnsmasq over HTTPS? Alternatively, a hash fingerprint of the source code, which is supplied over a secure connection (like HTTPS).
Simon Kelley
2017-10-23 21:20:06 UTC
Post by Oskar Lundström
Is there a way to download the source code of dnsmasq over HTTPS? Alternatively, a hash fingerprint of the source code, which is supplied over a secure connection (like HTTPS).
All the tarballs are signed with my public key, fingerprint E19135A2,
which can be obtained in a trusted manner from, amongst other places,
the Debian keyserver.

gpg --keyserver keyring.debian.org --recv-keys E19135A2

Download the tarball from the server and the signature file,

ie,

dnsmasq-2.78.tar.gz.asc and dnsmasq-2.78.tar.gz

and verify that the signature matches:


***@holly:~$ gpg --verify dnsmasq-2.78.tar.gz.asc dnsmasq-2.78.tar.gz
gpg: Signature made Mon 02 Oct 2017 14:39:56 BST using RSA key ID E19135A2
gpg: Good signature from "Simon Kelley <***@thekelleys.org.uk>"
gpg: aka "Simon Kelley <***@debian.org>"


Which tells you that the tarball/signature pair could only have been
created by someone in possession of the private key matching the public
key you downloaded in the first step. Neither can be altered without
breaking the verification. Therefore, as long as you trust the Debian
keyserver to give you the correct public key, the source code cannot
have been altered.



Test and release-candidates are signed with a different key. (They are
signed automatically, so the private key has to exist on the server
without a protecting passphrase, which exposes it to server security: I
don't want to do that to my main key.) That key is downloadable from the
website, and it has fingerprint 7F7EF234.

I'll sign this message with my main public key, so you can trust the
fingerprint above, and be sure you got an untampered copy of that key.


That provides rather more certainty than a dodgy certificate on an https
website.

Cheers,

Simon.
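
The `gpg --verify` step described above, as an added example that is not part of the original thread or the dnsmasq project: it reads gpg's machine-readable `--status-fd` output and accepts a signature only when the signing key's full fingerprint equals a pinned value, since an 8-digit key ID is not unique to one key. Every fingerprint, key ID and status line in it is a constructed placeholder, not the real dnsmasq key.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a constructed placeholder, not a real key:
# replace it with the full fingerprint you confirmed through a trusted channel.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status FPR: read `gpg --status-fd` lines on stdin; succeed only if a
# VALIDSIG names FPR as primary key and no failure status was reported.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, expired or revoked: never accept.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # The last VALIDSIG field is the primary key fingerprint.
        $2 == "VALIDSIG" { if (toupper($NF) == toupper(want)) ok = 1; else bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release SIG FILE: check a detached signature against the pinned key.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output: good signature by the pinned key.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-10-02 1506951596 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

# Constructed: good signature by another key whose last 8 hex digits match.
sample_lookalike() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7654321001234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA987654321001234567 2017-10-02 1506951596 0 4 0 1 8 00 FEDCBA9876543210FEDCBA987654321001234567
EOF
}

# Constructed: the signature checks out but the signing key has expired.
sample_expired() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-10-02 1506951596 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}
```

Against real files the call would be `verify_release dnsmasq-2.78.tar.gz.asc dnsmasq-2.78.tar.gz`, with the signing key already imported and its full fingerprint placed in `PINNED_FPR`.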
Oskar Lundström
2017-10-24 05:17:28 UTC
Thanks!

I'm new to gpg. How do I know E19135A2 is the fingerprint of your public key, and not someone else's, who just wrote your name and email on the key, and then uploaded it to the Debian keyserver?

Oskar
Kevin Lyda
2017-10-24 07:28:46 UTC
https://en.wikipedia.org/wiki/Web_of_trust
Post by Oskar Lundström
Thanks!
I'm new to gpg. How do I know E19135A2 is the fingerprint of your public
key, and not someone else's, who just wrote your name and email on the key,
and then uploaded it to the Debian keyserver?
Oskar