NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > FreeBSD Security> 2003-03

Re: About *.asc

From: Stijn Hoop (stijnwin.tue.nl)
Date: Fri Mar 21 2003 - 02:20:38 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Mar 21, 2003 at 03:14:51PM +0700, budsz wrote:
> I was search in web resource about this problem, mailing list etc, today
> I get some advisory from FreeBSD security about trouble, so I try to verify
> the *asc:
>
> $ gpg --verify xdr-5.patch.asc
> gpg: Signature made Thu Mar 20 08:10:01 2003 WIT using DSA key ID
> CA6CDFB2
> gpg: Good signature from "FreeBSD Security Officer <security-officerFreeBSD.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: C374 0FC5 69A6 FBB1 4AED B131 15D6 8804 CA6C
> DFB2
>
> What happen about warning message, Would you give me some clue pls.

You need to tell gpg that you trust the fact that that key is indeed the one
that the people at FreeBSD use to sign the advisory.

In other words, gpg has verified that the digital signature was not tampered
with, but there is no way for gpg to know whether it was really the FreeBSD
security officer key -- anyone can create a key saying that they are the
security officer.

You can verify that it is the correct key by comparing the fingerprint to a
trusted source of fingerprints. The most secure solution is to go up to the
security officer in person and compare the key fingerprints by hand, but this
is of course not practical. For most purposes it is enough to compare the
fingerprint with the one on the web at

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/pgpkeys.html#PGPKEYS-OFFICERS

But it's up to you to assign a level of trust in these procedures (how secure
is the FreeBSD web site? etc).

To tell gpg that you trust that this is the key used by the FreeBSD officer:

$ gpg --edit-key security-officerfreebsd.org

enter 'trust' and then e.g. '4'.

HTH,

--Stijn

--
If today is the first day of the rest of your life, what the hell was
yesterday?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+estWY3r/tLQmfWcRAq9aAJ9hhIb9qjoguQ2X8dM5SCCdIkVL1ACdG6n3
ENIF2bj70tXT35CWl4rxKjw=
=/YEc
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]