Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 30 Jan 2011 21:50:01 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: all new *.mtree files are now signed

Hi,

As some of you are aware, the *.mtree files for Owl trees distributed
via the FTP mirrors were always PGP-signed for Owl releases, but only
sometimes signed for Owl-current and -stable branch snapshots.  The
reason for this was that those snapshots were generated on a server,
which was unsuitable to upload our main signing key to (placing this key
at extra risk).

The obvious solution, which we've finally implemented today, was to
introduce a second keypair and use this one to sign the snapshot *.mtree
files.  The second public key is now available on the signatures page:

http://www.openwall.com/signatures/

It is called "Openwall GNU/*/Linux online signing key", and it is signed
with our main signing key.

The primary use for signatures made with the "online" key is for you to
be able to verify that your Owl downloads (which are typically made from
mirrors and via "insecure" protocols) haven't been tampered with as
compared to the files stored on our mirrors feed.  (For those familiar
with Linux kernel downloads from kernel.org, our "online" key is similar
to "Linux Kernel Archives Verification Key" in the way we're using it.)

The Owl-current snapshot currently on the mirrors feed (and already on
some mirrors) is signed with this key.

Since the intent is to always sign Owl snapshots from now on (in fact,
some of this is scripted), I've also updated the Owl upgrade
instructions with info on verifying the authenticity of downloads as an
"unconditional" step (previously, this was suggested as an option):

http://openwall.info/wiki/Owl/upgrade

As usual, any feedback is welcome.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ