From: budsz
To: FreeBSD-Security
Subject: Re: About *.asc
Date: Fri, 21 Mar 2003 16:31:58 +0700
Message-ID: <20030321093158.GA13920@kumprang.or.id>
In-Reply-To: <20030321082038.GC54854@pcwin002.win.tue.nl>

On Fri, Mar 21, 2003 at 09:20:38AM +0100, Stijn Hoop wrote:
> You need to tell gpg that you trust the fact that that key is indeed the one
> that the people at FreeBSD use to sign the advisory.
>
> In other words, gpg has verified that the digital signature was not tampered
> with, but there is no way for gpg to know whether it was really the FreeBSD
> security officer key -- anyone can create a key saying that they are the
> security officer.
>
> You can verify that it is the correct key by comparing the fingerprint to a
> trusted source of fingerprints. The most secure solution is to go up to the
> security officer in person and compare the key fingerprints by hand, but this
> is of course not practical. For most purposes it is enough to compare the
> fingerprint with the one on the web at
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/pgpkeys.html#PGPKEYS-OFFICERS
>
> But it's up to you to assign a level of trust in these procedures (how secure
> is the FreeBSD web site? etc).
>
> To tell gpg that you trust that this is the key used by the FreeBSD officer:
>
> $ gpg --edit-key security-officer@freebsd.org
>
> enter 'trust' and then e.g. '4'.

Thanks for your advice. I imported the gpg key from
http://www.freebsd.org/doc/pgpkeyring.txt, then I tried:

$ gpg --edit-key security-officer@FreeBSD.org
gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
pub  1024R/73D288A5  created: 1996-04-22 expires: never      trust: f/-
(1)  FreeBSD Security Officer
(2). FreeBSD Security Officer (Deprecated key)

Command> trust
pub  1024R/73D288A5  created: 1996-04-22 expires: never      trust: f/-
(1)  FreeBSD Security Officer
(2). FreeBSD Security Officer (Deprecated key)

Please decide how far you trust this user to correctly
verify other users' keys (by looking at passports,
checking fingerprints from different sources...)?

 1 = Don't know
 2 = I do NOT trust
 3 = I trust marginally
 4 = I trust fully
 5 = I trust ultimately
 m = back to the main menu

Your decision? 4
pub  1024R/73D288A5  created: 1996-04-22 expires: never      trust: f/-
(1)  FreeBSD Security Officer
(2). FreeBSD Security Officer (Deprecated key)

Command> save
Key not changed so no update needed.

Is this some problem? But if I try again:

$ gpg --verify xdr-4.patch.asc
gpg: Signature made Thu Mar 20 08:09:54 2003 WIT using DSA key ID CA6CDFB2
gpg: Good signature from "FreeBSD Security Officer "
gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C374 0FC5 69A6 FBB1 4AED B131 15D6 8804 CA6C DFB2

The WARNING message still appears. How do I resolve this?

TIA
-- 
budsz
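As an added example (not part of this thread, and not FreeBSD's or GnuPG's own code), here is a small Python check of the step Stijn describes: compare the fingerprint that gpg prints against a fingerprint obtained out of band, rather than reading the WARNING line as the verdict. A "Good signature" line proves the file was not altered since signing; only the fingerprint comparison ties the signature to the intended key. The transcript the script parses is constructed from the `gpg --verify` output quoted above; the line formats it matches ("using DSA key ID ...", "Primary key fingerprint: ...") assume the human-readable output of GnuPG 1.2-era versions, and `TRUSTED_FINGERPRINT` stands in for whatever the handbook page lists (the page's own value is used here as the sample). The parser also returns the signing key's ID, which makes it easy to see whether the key whose ownertrust was edited (73D288A5 in the session above) is actually the key that made the signature (CA6CDFB2).

```python
"""Check a gpg --verify transcript against a fingerprint obtained out of band."""
import re

# Constructed sample: the verify output quoted in the mail, trimmed to the lines
# that matter for the check.
VERIFY_OUTPUT = """\
gpg: Signature made Thu Mar 20 08:09:54 2003 WIT using DSA key ID CA6CDFB2
gpg: Good signature from "FreeBSD Security Officer"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C374 0FC5 69A6 FBB1 4AED B131 15D6 8804 CA6C DFB2
"""

# Stand-in for the fingerprint copied from the handbook (or compared in person);
# here it is the value from the mail above, used purely as sample data.
TRUSTED_FINGERPRINT = "C374 0FC5 69A6 FBB1 4AED B131 15D6 8804 CA6C DFB2"

# Assumed line formats of GnuPG 1.2-era human-readable output.
KEYID_RE = re.compile(r"using (?:DSA|RSA|ELG) key ID ([0-9A-Fa-f]{8,16})")
FPR_RE = re.compile(r"Primary key fingerprint:\s*([0-9A-Fa-f ]+)")


def normalize_fingerprint(fpr):
    """Drop whitespace and upper-case, so fingerprints copied from different
    sources (web page, key listing, terminal) compare byte-for-byte."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_verify_output(text):
    """Return (good, signing_key_id, fingerprint) from a gpg --verify transcript.

    good          -- True if a 'Good signature' line is present (integrity only)
    signing_key_id -- the short key ID gpg reports as having made the signature
    fingerprint   -- the normalized primary key fingerprint, or None if absent
    """
    good = any(line.startswith("gpg: Good signature") for line in text.splitlines())
    m = KEYID_RE.search(text)
    key_id = m.group(1).upper() if m else None
    m = FPR_RE.search(text)
    fpr = normalize_fingerprint(m.group(1)) if m else None
    return good, key_id, fpr


def signer_matches(text, trusted_fingerprint):
    """True only if the signature is good AND the signing key's fingerprint equals
    the one obtained out of band. This is the identity check that the ownertrust
    setting in the mail was meant to provide; it does not depend on the trustdb."""
    good, _key_id, fpr = parse_verify_output(text)
    if not good or fpr is None:
        return False
    return fpr == normalize_fingerprint(trusted_fingerprint)


def trusted_key_is_signer(text, edited_key_id):
    """True if the key whose trust was edited is the key that made the signature.
    In the session above the trust was set on 73D288A5, but the patch was signed
    with CA6CDFB2, so this returns False for that pair."""
    _good, key_id, _fpr = parse_verify_output(text)
    return key_id is not None and key_id == edited_key_id.upper()


if __name__ == "__main__":
    good, key_id, fpr = parse_verify_output(VERIFY_OUTPUT)
    print("good signature:", good)
    print("signing key ID:", key_id)
    print("fingerprint   :", fpr)
    print("matches trusted fingerprint:", signer_matches(VERIFY_OUTPUT, TRUSTED_FINGERPRINT))
    print("edited key 73D288A5 is the signer:", trusted_key_is_signer(VERIFY_OUTPUT, "73D288A5"))
```

Run it against a saved transcript (`gpg --verify file.asc 2> out.txt`) by feeding the file's contents to `signer_matches`; newer GnuPG versions print slightly different wording, and a script meant to run unattended should use `--status-fd` output instead of the human-readable lines.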