This page (https://www.openwall.com/signatures/) is the place to get the current GnuPG keys that you can use to verify signatures on software you can obtain from www.openwall.com, its mirrors, and the Owl download mirrors.
Note that a valid signature does not guarantee that this website itself hasn't been compromised. Keep in mind that if this website ever gets compromised, an intruder would be able to replace the public keys posted here, not just a software package they might want to backdoor. For greater assurance, verify signatures on the key itself and/or use a copy of the key that you obtained long enough ago that a website compromise since then would likely have been detected - yet check this web page once in a while for information on a possible key compromise and/or replacement.
pub   4096R/4BDC136E 2017-11-18
      Key fingerprint = 297A D21C F86C 9480 8152 0C18 05C0 27FD 4BDC 136E
sub   4096R/3939CC14 2017-11-18

pub   4096R/8B4EDA79 2011-01-30
      Key fingerprint = 81DD BD61 4603 A7A6 6C91 9E62 96D5 CD8C 8B4E DA79
sub   4096R/2ACC5A7C 2011-01-30

pub   1024R/295029F1 1999-09-13
      Key fingerprint = 0C 29 43 AE 1E CD 24 EA 6E 0C B6 EE F5 84 25 69
Please note that we use only the then-current "offline" key (and never the "online" key) to sign anything downloadable directly from this website (rather than through a link to a mirror). We also use the "offline" key on some other occasions (e.g., to sign major Owl releases).
We use the "online" key for signing some *.mtree files for Owl snapshots, which are typically generated and signed on our development server. Thus, these signatures provide less assurance than those made with the "offline" key do: we estimate that the "online" key is more likely than the "offline" key to get compromised, since its private key lives on a server from which it could leak to an intruder.
The primary use for signatures made with the "online" key is for you to be able to verify that your Owl downloads (which are typically made from mirrors and via "insecure" protocols) haven't been tampered with as compared to the files stored on our mirrors feed. (For those familiar with Linux kernel downloads from kernel.org, our "online" key is similar to "Linux Kernel Archives Verification Key" in the way we're using it and in the level of assurance it provides.)
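The advice above (keep your own copy of the key, and treat the key posted here as replaceable by an intruder) is most useful when the verification step actually enforces it. The following added example is not part of the Openwall page: it pins the fingerprint of the 2017-11-18 key listed above and accepts a signature only if gpg's VALIDSIG status record names that key, either directly or as the primary key of the signing subkey. A plain GOODSIG, or gpg's "Good signature" text, is not enough, because it fires for any key that happens to be in the keyring. The keyring path, the package and signature file names, the user ID text and the sample status lines are assumptions or constructed fixtures; the subkey fingerprint in the sample is a placeholder, since the page lists only the subkey's short ID.

```shell
# Added example, not code from openwall.com: verify a download against a
# fingerprint you pinned from a copy of the key you already hold.
# Assumptions: keyring path, file names and sample status lines are
# constructed; the pinned fingerprint is the 2017-11-18 key from this page.

# Pinned primary-key fingerprint, written without spaces because that is how
# gpg's VALIDSIG status record reports it.
PINNED_FPR="297AD21CF86C948081520C1805C027FD4BDC136E"

# Read gpg --status-fd records from stdin and succeed only if a VALIDSIG
# record names the pinned key (as the signing key, or as the primary key of
# the signing subkey). Any explicit failure record rejects immediately.
# Usage: check_status "$PINNED_FPR" < status-lines
check_status() {
    pinned="$1"
    while IFS=' ' read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # VALIDSIG <fpr> <date> <timestamp> <expire> <version>
                #          <reserved> <pubkey-algo> <hash-algo> <class> [<primary-fpr>]
                set -- $rest
                if [ "$1" = "$pinned" ] || [ "${10}" = "$pinned" ]; then
                    return 0
                fi
                ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                return 1
                ;;
        esac
    done
    return 1   # no VALIDSIG by the pinned key was seen
}

# Import a saved key file into a dedicated keyring (use an absolute path), then
# confirm the pinned fingerprint is really what landed there. In --with-colons
# output the "fpr" record carries the fingerprint in field 10.
import_pinned_key() {
    keyring="$1"; keyfile="$2"
    gpg --no-default-keyring --keyring "$keyring" --import "$keyfile" >/dev/null 2>&1 || return 1
    gpg --no-default-keyring --keyring "$keyring" --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$PINNED_FPR"
}

# Verify a file against its detached signature. --status-fd 1 puts the
# machine-readable records on stdout; gpg's human-readable text goes to stderr.
verify_download() {
    file="$1"; sig="$2"; keyring="$3"
    gpg --no-default-keyring --keyring "$keyring" --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | check_status "$PINNED_FPR"
}

# Constructed sample of what gpg emits for a signature made by a subkey of the
# pinned key (the subkey fingerprint and user ID are placeholders, not real).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 05C027FD4BDC136E Placeholder User ID
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2020-01-01 1577836800 0 4 0 1 10 00 297AD21CF86C948081520C1805C027FD4BDC136E'

# Self-check of the parser on the constructed sample (no gpg needed).
if printf '%s\n' "$SAMPLE_GOOD" | check_status "$PINNED_FPR"; then
    echo "sample: signature by pinned key accepted"
fi
```

In practice you would run `import_pinned_key /abs/path/openwall.kbx saved-openwall-key.asc` once, from a key file you stored earlier, and then `verify_download package.tar.xz package.tar.xz.sign /abs/path/openwall.kbx` for each download (file names assumed). Because the check is on the fingerprint rather than on keyring contents, a replaced key on this website, or an unrelated key that found its way into your keyring, fails verification instead of passing it.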