This page (http://www.openwall.com/signatures/) is the place to get the current PGP keys that you can use to verify signatures on software you can obtain from openwall.com, its mirrors, and the Owl download mirrors.
Note that a valid signature does not guarantee that this website itself hasn't been compromised. Keep in mind that if this website ever gets compromised, an intruder would be able to replace the public keys posted here, not just a software package they might want to backdoor. For greater assurance, verify the signatures on the key itself and/or use a copy of the key that you have had for long enough that a website compromise would likely have been detected in the meantime. Still, check this web page once in a while for information on a possible key compromise and/or replacement.
Type Bits/KeyID    Date       User ID
pub  1024/295029F1 1999/09/13 Openwall Project signatures
     Key fingerprint = 0C 29 43 AE 1E CD 24 EA 6E 0C B6 EE F5 84 25 69

pub   4096R/8B4EDA79 2011-01-30
      Key fingerprint = 81DD BD61 4603 A7A6 6C91 9E62 96D5 CD8C 8B4E DA79
uid   Openwall GNU/*/Linux online signing key
sub   4096R/2ACC5A7C 2011-01-30
Please note that we use only the "main" key to sign anything downloadable directly from this website. We also use it on some other occasions (e.g., to sign major Owl releases).
We use the "online" key for signing some *.mtree files for Owl snapshots, which are typically generated and signed on our development server. Thus, these signatures provide less assurance than those made with the "main" key do. We estimate that the "online" key is more likely than our "main" key to get compromised (through the corresponding private key leaking to an intruder from a server).
The primary use for signatures made with the "online" key is for you to be able to verify that your Owl downloads (which are typically made from mirrors and via "insecure" protocols) haven't been tampered with as compared to the files stored on our mirrors feed. (For those familiar with Linux kernel downloads from kernel.org, our "online" key is similar to "Linux Kernel Archives Verification Key" in the way we're using it and in the level of assurance it provides.)
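The distinction between the two keys can be enforced mechanically when checking downloads. The following is an added example, not code from Openwall: it reads the machine-readable status lines that `gpg --status-fd 1 --verify` prints, identifies the signer by full fingerprint, and accepts "online" key signatures only for *.mtree files. The policy function, the file names and the sample status lines are assumptions constructed for illustration; the two fingerprints are the ones listed on this page.

```python
# Added example, not Openwall's code. Fingerprints are the two on this page.
MAIN_FPR = "0C2943AE1ECD24EA6E0CB6EEF5842569"            # pub 1024/295029F1
ONLINE_FPR = "81DDBD614603A7A66C919E6296D5CD8C8B4EDA79"  # pub 4096R/8B4EDA79

# Status keywords that must never appear alongside an accepted signature.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_from_status(status_text):
    """Return the primary-key fingerprint of the one valid signature, or None.

    The full fingerprint is compared, never the 8-digit key ID, which is
    too short to identify a key reliably.
    """
    keywords, found = set(), []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keywords.add(parts[1])
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # The last VALIDSIG field, when present, is the primary key's
            # fingerprint; otherwise use the signing key's (first field).
            found.append((parts[11] if len(parts) >= 12 else parts[2]).upper())
    if keywords & REJECT or len(found) != 1:
        return None
    return found[0]

def accept(filename, status_text):
    """Assumed policy: "main" may sign anything, "online" only *.mtree files."""
    signer = signer_from_status(status_text)
    if signer == MAIN_FPR:
        return True
    if signer == ONLINE_FPR:
        return filename.endswith(".mtree")
    return False

# Constructed status output (dates, timestamps, algorithm fields invented).
ONLINE_STATUS = (
    "[GNUPG:] GOODSIG 96D5CD8C8B4EDA79 Openwall GNU/*/Linux online signing key\n"
    "[GNUPG:] VALIDSIG " + ONLINE_FPR + " 2011-02-01 1296518400 0 4 0 1 2 00 "
    + ONLINE_FPR + "\n")
MAIN_STATUS = ("[GNUPG:] VALIDSIG " + MAIN_FPR
               + " 2010-01-01 1262304000 0 3 0 1 1 00 " + MAIN_FPR + "\n")
BAD_STATUS = "[GNUPG:] BADSIG 96D5CD8C8B4EDA79 Openwall GNU/*/Linux online signing key\n"

if __name__ == "__main__":
    for name, status in [("example.mtree", ONLINE_STATUS),
                         ("example.tar.gz", ONLINE_STATUS),
                         ("example.tar.gz", MAIN_STATUS),
                         ("example.mtree", BAD_STATUS)]:
        print(name, "->", "accept" if accept(name, status) else "reject")
```

A pinned fingerprint is only as trustworthy as the copy of the key it was taken from, so the check above complements, and does not replace, verifying the key itself as described earlier.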