Re: [Exim] OpenPGP signatures on Exim releases

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Yann Golanski
Date:  
À: exim-users
CC: Florian Weimer
Sujet: Re: [Exim] OpenPGP signatures on Exim releases
Quoth Philip Hazel on Wed, Oct 09, 2002 at 11:51:29 +0100
> On Wed, 9 Oct 2002, Florian Weimer wrote:
> > In the wake of the recent trojans, it might be a very good idea to
> > cryptopgraphically sign Exim source code releases (and the release
> > announcements).
>
> For many years I have published the MD5 checksums with every
> announcement.


Sadly it does not seem to be the case anymore. However, just signing the
MD5 will be enought.

> Do you need more? If so, it will take time for me to obtain, install,
> learn about, and use cryptographic signing software. Not to mention
> organizing the appropriate keys.


The problem with both the Sendmail and Openssh trojans that the core
servers were compromise and the hacker was able re-created the MD5 using
his own wormed copy of the software.

If you want to use GPG, then signing is really easy once you have a key:

$ gpg --gen-key
[... follow what it says ...]
$ gpg -sb file
[creates a file.sig which is the signature]
$ gpg --verify file.sig file
[verifies the signature]

Of course, we will all need to get your public key...

--
yann@???                  -=*=-                      www.kierun.org
    PGP:   www.kierun.org/pgp/key-kierun
    PGP:   009D 7287 C4A7 FD4F 1680  06E4 F751 7006 9DE2 6318
    IRC:   nick kierun, server spod.uk.amiganet.org, channel #sanctus