Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20130425134046.GO21938@mars-attacks.org>
Date: Thu, 25 Apr 2013 15:40:46 +0200
From: nicolas vigier <boklm@...s-attacks.org>
To: oss-security@...ts.openwall.com
Subject: Re: upstream source code authenticity checking

On Thu, 25 Apr 2013, Alistair Crooks wrote:

> 
> Q4. where's the public key for this?
> 
> A4. could be anywhere. If it's on one of the HKP servers, then cool.
> Not, however, that it can be verified - I know of at least one person
> who has had pubkey information uploaded to the key servers for a key
> he had no knowledge about. Anyone can put whatever email address into
> the userid that they want. If it came with the tarball, ho hum.

Even if the key comes with the tarball, if the tarball is always signed
with the same key for all releases, then it's useful. You download the
key the first time, keep it somewhere (for instance in the package
source) and use it again to check next releases. And if a new release is
signed with a different key you know you need to be more careful and
can check if the key change is legitimate.

> 
> Q5. what was signed?
> 
> A5.  if it comes out as a text document, according to RFC 4880, it has
> some weird properties; hopefully all tar files will be binary. 
> Whatever, what was signed was something with the same digest as the
> tarball.  Default algorithm is SHA1.  Second pre-image attacks on SHA1
> are getting closer to being possible, and there are means to modify
> entries in the tarball so that an attack is much easier.
> 
> Q6. Is this a DSA key?  (DSA keys rely on good entropy at signing
> time) If so, how good was the entropy on the machine used to generate
> the signature?
> 
> A6.  Again, unknown.
> 
> Q7. Has someone found the k value for Q6/A6 previously?
> 
> A7. They might have done. We'd only know if they told us.
> 

Same could be said about ssh, tls or almost anything using cryptography ...

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.