Hi. I got complaints that the announcement of a recent release did not include my full GnuPG key fingerprint.
While the instructions on GnuPG verification are getting longer and longer, having the full fingerprint in the email seems like the right thing. The OpenPGP infrastructure is under attack, and supply-chain attacks can be mitigated if signatures are verified.

With the attached patch, announcements will look like the output below.

I was first tempted to just extend the fingerprint of the 'gpg --recv-keys' instruction, so it would have the entire key fingerprint in it, and leave out the text to verify the signature key with the fingerprint, but that has two problems:

1) the --recv-keys command is (as far as I recall) limited to 64 bits, so even if a full fingerprint is supplied on the command line, an attacker can replace it with another key that matches in the final 64 bits, and

2) the instruction for the human to verify the signature key with the fingerprint is important (otherwise I could sign, say, coreutils releases and if people had my key in their keyring they wouldn't necessarily notice).

Since many people (myself included) did not know the GNU keyring is available publicly, and it contains those precious non-self signatures, I included a pointer to it as a final resort to locate keys.

Thoughts? These instructions in the announcements should be as clear, usable and secure as possible -- please help!

/Simon

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:

  gpg --verify inetutils-2.3.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4 F8C4 D73C F638 C53C 06BE
  uid   Simon Josefsson <si...@josefsson.org>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key si...@josefsson.org
  gpg --recv-keys 51722B08FE4745A2
  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=inetutils&download=1' | gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify inetutils-2.3.tar.gz.sig
From dfe8fd0f1f00b6c7a8983f6ee5aab82988e3d891 Mon Sep 17 00:00:00 2001 From: Simon Josefsson <si...@josefsson.org> Date: Sat, 9 Jul 2022 00:32:04 +0200 Subject: [PATCH] announce-gen: Improve GnuPG verification instructions. * build-aux/announce-gen: Add GPG fingerprint to output, and a pointer to GNU keyring. --- ChangeLog | 6 ++++++ build-aux/announce-gen | 36 ++++++++++++++++++++++++++++++------ 2 files changed, 36 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index a82e76ed00..13d8698ec0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2022-07-09 Simon Josefsson <si...@josefsson.org> + + announce-gen: Improve GnuPG verification instructions. + * build-aux/announce-gen: Add GPG fingerprint to output, and a + pointer to GNU keyring. + 2022-07-08 Simon Josefsson <si...@josefsson.org> lib-symbol-visibility: Improve documentation. diff --git a/build-aux/announce-gen b/build-aux/announce-gen index d88dda944e..3557fabf4b 100755 --- a/build-aux/announce-gen +++ b/build-aux/announce-gen @@ -35,7 +35,7 @@ eval 'exec perl -wSx "$0" "$@"' if 0; -my $VERSION = '2022-03-14 10:08'; # UTC +my $VERSION = '2022-07-08 22:28'; # UTC # The definition above must lie within the first 8 lines in order # for the Emacs time-stamp write hook (at end) to update it. # If you change this file with Emacs, please let the write hook @@ -498,7 +498,7 @@ EOF { # When there's only one tarball and one URL, use a more concise form. my $m = "$url_dir_list[0]/$tarballs[0]"; - print "Here are the compressed sources and a GPG detached signature[*]:\n" + print "Here are the compressed sources and a GPG detached signature:\n" . " $m\n" . " $m.sig\n\n"; } @@ -510,7 +510,7 @@ EOF . "please tell bug-gnulib\@gnu.org)", @url_dir_list, %size, $xd); my @sig_files = map { "$_.sig" } @tarballs; - print_locations ("GPG detached signatures[*]", @url_dir_list, %size, + print_locations ("GPG detached signatures", @url_dir_list, %size, @sig_files); } 
@@ -535,14 +535,29 @@ EOF and print_checksums (@sizable); print <<EOF; -[*] Use a .sig file to verify that the corresponding file (without the +Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball. Then, run a command like this: gpg --verify $tarballs[0].sig +EOF + my $gpg_fingerprint = `LANG=C gpg --fingerprint $gpg_key_id | grep -v ^sub`; + if ($gpg_fingerprint =~ /^pub/) + { + chop $gpg_fingerprint; + $gpg_fingerprint =~ s/ \[expires:.*//mg; + $gpg_fingerprint =~ s/^uid \[ultimate\]/uid /mg; + $gpg_fingerprint =~ s/^/ /mg; + print<<EOF +The signature should match the fingerprint of the following key: + +$gpg_fingerprint +EOF + } + print <<EOF; If that command fails because you don't have the required public key, -or that public key has expired, try the following commands to update +or that public key has expired, try the following commands to retrieve or refresh it, and then rerun the 'gpg --verify' command. EOF if ($gpg_key_email) { @@ -560,7 +575,16 @@ EOF wget -q -O- '$gpg_keyring_url' | gpg --import - EOF - } + } + print <<EOF; + +As a last resort to find the key, you can try the official GNU +keyring: + + wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg + gpg --keyring gnu-keyring.gpg --verify $tarballs[0].sig + +EOF my @tool_versions = get_tool_versions (\@tool_list, $gnulib_version); @tool_versions -- 2.30.2
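Review bot: in the hunk at @@ -535 the new fingerprint block parses gpg's human-readable output, and `s/^uid \[ultimate\]/uid /mg` only strips the `[ultimate]` validity tag; for a key the maintainer has not marked ultimately trusted, gpg prints `[ unknown]`, `[  full  ]` or `[marginal]`, and that tag would be copied verbatim into the announcement. Match the whole bracketed tag (`s/^(uid\s+)\[[^\]]*\]\s*/$1/mg`) or read `gpg --with-colons --fingerprint` for a format that is stable across versions and locales. Two smaller points: `chop $gpg_fingerprint` removes the last character unconditionally, while `chomp` removes only a trailing newline; and `LANG=C` is overridden by a user's `LC_ALL`, so `LC_ALL=C` is what actually makes the `^pub` and `^sub` matching reliable. Finally, when the `/^pub/` test fails the fingerprint paragraph is silently omitted, which is exactly the situation that prompted this patch; a `warn` to stderr would let the maintainer notice before the announcement goes out.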
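Review bot: in the hunk at @@ -560 the last-resort command `gpg --keyring gnu-keyring.gpg --verify $tarballs[0].sig` will not pick up the file that the preceding `wget` just downloaded: gpg's `--keyring` option treats a file name without a slash as relative to the GnuPG home directory (~/.gnupg or $GNUPGHOME), not to the current directory, so the file should be given as `gpg --keyring ./gnu-keyring.gpg --verify $tarballs[0].sig`. It would also help to say in the new paragraph that the GNU keyring path does not replace the fingerprint comparison introduced in the previous hunk: finding a key in that keyring shows it was vouched for by GNU, but the reader still has to check that the key that verified the signature is the one whose fingerprint is printed.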
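The check the announcement asks the human to perform (verify the signature, then compare the full primary-key fingerprint rather than the 64-bit key ID that `gpg --recv-keys` takes) can be automated from gpg's machine-readable status output. The block below is an added example written for this thread; it is not code from gnulib or announce-gen. The announced fingerprint is the one printed in the text above; the signing-subkey fingerprint, timestamps and the "colliding" key in the sample status lines are constructed for the example, and `verify_file` assumes a `gpg` binary on PATH.

```python
"""Verify a GnuPG detached signature against the announced full fingerprint.

Added example; not part of gnulib's announce-gen.  It drives
`gpg --status-fd` and inspects the VALIDSIG status line, so acceptance
depends on the complete primary-key fingerprint, not on the 64-bit key ID
that `gpg --recv-keys` and a quick look at `gpg --verify` output rely on.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Primary-key fingerprint exactly as printed in the announcement above.
ANNOUNCED_FPR = "B1D2 BD13 75BE CB78 4CF4 F8C4 D73C F638 C53C 06BE"


def normalize_fpr(fpr: str) -> str:
    """Drop the spaces/colons that pretty-printed fingerprints carry."""
    return re.sub(r"[\s:]", "", fpr).upper()


def status_tags(status_text: str) -> Dict[str, List[str]]:
    """Map each '[GNUPG:] TAG args...' line to its argument list."""
    tags: Dict[str, List[str]] = {}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            tags[parts[1]] = parts[2:]
    return tags


def primary_fpr_from_status(status_text: str) -> Optional[str]:
    """Primary-key fingerprint from the VALIDSIG line, or None.

    VALIDSIG fields (GnuPG doc/DETAILS): signing-key fingerprint, creation
    date, timestamp, expiry, sig version, reserved, pubkey algo, hash algo,
    sig class, primary-key fingerprint.  Releases are usually signed with a
    subkey, so the first field is not what announcements publish; the last
    one is.
    """
    args = status_tags(status_text).get("VALIDSIG")
    if not args:
        return None
    return (args[9] if len(args) > 9 else args[0]).upper()


def check_status(status_text: str, expected_fpr: str) -> Dict[str, object]:
    """Break the decision into the individual facts a reviewer cares about."""
    tags = status_tags(status_text)
    signer = primary_fpr_from_status(status_text)
    expected = normalize_fpr(expected_fpr)
    return {
        "good_signature": "GOODSIG" in tags and "BADSIG" not in tags,
        # gpg replaces GOODSIG with EXPKEYSIG/REVKEYSIG for stale keys but
        # still emits VALIDSIG, so these must be checked explicitly.
        "key_usable": not (set(tags) & {"EXPKEYSIG", "REVKEYSIG"}),
        "fingerprint_matches": signer == expected,
        # What a 64-bit key-ID comparison would conclude (the weak check).
        "long_keyid_matches": signer is not None and signer[-16:] == expected[-16:],
        "signer_fpr": signer,
    }


def accept(status_text: str, expected_fpr: str) -> bool:
    """True only for a good signature by a key whose full fingerprint matches."""
    r = check_status(status_text, expected_fpr)
    return bool(r["good_signature"] and r["key_usable"] and r["fingerprint_matches"])


def verify_file(sig_path: str, expected_fpr: str, gpg: str = "gpg") -> bool:
    """Run gpg on a .sig file (signed file expected beside it, gpg's own
    convention) and apply accept().  --status-fd 1 puts status on stdout."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path],
        capture_output=True, text=True, check=False)
    return accept(proc.stdout, expected_fpr)


# Constructed status output for a signature by the announced key.  Only the
# primary fingerprint is real (from the announcement); the subkey
# fingerprint, SIG_ID and timestamps are made up for the example.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID AAAAAAAAAAAAAAAAAAAAAAAAAAA 2022-07-08 1657300000
[GNUPG:] GOODSIG 51722B08FE4745A2 Simon Josefsson <si...@josefsson.org>
[GNUPG:] VALIDSIG 00000000000000000000000051722B08FE4745A2 2022-07-08 1657300000 0 4 0 22 10 00 B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a different key whose fingerprint shares only the trailing
# 64 bits (the long key ID) with the announced one.
COLLIDING_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D73CF638C53C06BE Simon Josefsson <si...@josefsson.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF01234567D73CF638C53C06BE 2022-07-08 1657300000 0 4 0 22 10 00 0123456789ABCDEF01234567D73CF638C53C06BE
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    print("announced key:", accept(GOOD_STATUS, ANNOUNCED_FPR))
    print("colliding key:", check_status(COLLIDING_STATUS, ANNOUNCED_FPR))
```

Run with a real download as `verify_file("inetutils-2.3.tar.gz.sig", ANNOUNCED_FPR)`; the constructed `COLLIDING_STATUS` shows the first problem Simon describes, since `long_keyid_matches` is true for it while `fingerprint_matches` is false.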