
Verifying GPG Key

PostPosted: Wed Oct 15, 2014 4:12 am
by NoiZe91
Hey,

so I got some trouble verifying the authenticity of the GPG key. Your page [0] states that the following values should be expected for your GPG key:
Bradley Spengler (spender) <spender at grsecurity dot net>
Fingerprint: DE94 52CE 46F4 2094 907F 108B 44D1 C0F8 2525 FE49
Signed by: 39F081BF The PaX Team <pageexec at freemail dot hu>


So I imported the key you mentioned, verified the fingerprint and up to there everything is fine (yeah!)!
$ gpg --import spender-gpg-key.asc
gpg: key 2525FE49: public key "Bradley Spengler (spender) <spender@grsecurity.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
$  gpg --fingerprint 2525FE49
pub   4096R/2525FE49 2013-11-10
      Key fingerprint = DE94 52CE 46F4 2094 907F  108B 44D1 C0F8 2525 FE49
uid                  Bradley Spengler (spender) <spender@grsecurity.net>
sub   4096R/3F57788A 2013-11-10


But when I verify the signees, the results differ:
$ gpg --list-sigs 2525FE49
gpg --list-sigs 2525FE49
pub   4096R/2525FE49 2013-11-10
uid                  Bradley Spengler (spender) <spender@grsecurity.net>
sig 3        2525FE49 2013-11-10  Bradley Spengler (spender) <spender@grsecurity.net>
sig          4245D46A 2013-11-10  [User ID not found]
sub   4096R/3F57788A 2013-11-10
sig          2525FE49 2013-11-10  Bradley Spengler (spender) <spender@grsecurity.net>


The signature is from keyID 4245D46A but should be 39F081BF.

So I downloaded the 4245D46A key (which apparently is also from Bradley Spengler) and looked at the signatures there. And guess what, the requested signature is on that key.

$ gpg --fingerprint 4245D46A
pub   1024D/4245D46A 2002-12-02
      Key fingerprint = 9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A
uid                  Bradley Spengler (spender) <spender@grsecurity.net>
sub   2048g/271E4404 2002-12-02
$ gpg --list-sigs 4245D46A | grep -C 3 39F081BF
pub   1024D/4245D46A 2002-12-02
uid                  Bradley Spengler (spender) <spender@grsecurity.net>
sig          39F081BF 2002-12-02  The PaX Team <pageexec@freemail.hu>
sig          7F5501AC 2002-12-02  [User ID not found]
sig          0F9D37E2 2002-12-24  [User ID not found]
sig          8C38A90A 2003-03-01  [User ID not found]


Could you please update your information on [0]? Thanks!

[0] At the bottom, "Verify these downloads with GPG": https://grsecurity.net/download.php

Re: Verifying GPG Key

PostPosted: Thu Oct 16, 2014 8:14 am
by spender
The information on the site is correct. What file did you download that used the signature you mentioned? Any files from November 2013 of last year till now would be using the updated signature, and from what I can see there should be no files downloadable from /download.php that are signed with the old key (the key you're talking about).

-Brad

Re: Verifying GPG Key

PostPosted: Thu Oct 16, 2014 6:42 pm
by NoiZe91
spender wrote: The information on the site is correct. What file did you download that used the signature you mentioned? Any files from November 2013 of last year till now would be using the updated signature, and from what I can see there should be no files downloadable from /download.php that are signed with the old key (the key you're talking about).

I used the key mentioned on the download site "You can download the key used to sign these files here" [0].

[0] https://grsecurity.net/spender-gpg-key.asc

Re: Verifying GPG Key

PostPosted: Thu Oct 16, 2014 7:41 pm
by spender
I see, you were complaining about not seeing the PaX Team's signature when downloading the key from the website. If you did a --recv-keys on the fingerprint of the key you downloaded from the website, then did a --list-sigs on that, you'd see the fingerprint of the PaX Team's key. I've updated the key on the website so that it includes it without any additional steps.

-Brad

Re: Verifying GPG Key

PostPosted: Mon Oct 20, 2014 3:48 am
by NoiZe91
spender wrote: I see, you were complaining about not seeing the PaX Team's signature when downloading the key from the website. If you did a --recv-keys on the fingerprint of the key you downloaded from the website, then did a --list-sigs on that, you'd see the fingerprint of the PaX Team's key.

Exactly!

spender wrote: I've updated the key on the website so that it includes it without any additional steps.

Awesome! It works now! Thank you, and keep up the good work!
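The check NoiZe91 carried out by hand above (compare the fingerprint gpg reports with the advertised one, then confirm the advertised certification is actually present on the imported copy) as a small script. This is an added example, not code from the thread or from grsecurity; it uses the expected values quoted in the first post, GnuPG's `--with-colons` output for the fingerprint, and a parser for the human-readable `--list-sigs` format shown in the thread (that format can differ between gpg versions and locales, so the sample parsed here is the exact text NoiZe91 posted).

```shell
#!/bin/sh
# Added example (not from the thread): check an imported GPG key against the
# fingerprint and the certifying key ID that the download page advertises.
# Expected values are the ones quoted in the first post of the thread.
EXPECTED_FPR="DE94 52CE 46F4 2094 907F 108B 44D1 C0F8 2525 FE49"
EXPECTED_SIGNER="39F081BF"   # The PaX Team's key ID

# Strip whitespace and upper-case a fingerprint so the double space gpg
# prints after the fifth group cannot cause a spurious mismatch.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Succeed only when both fingerprints are identical after normalisation.
fpr_matches() { [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]; }

# Read human-readable `gpg --list-sigs` output on stdin; succeed when a
# "sig" line carries the given key ID. Handles both "sig" and "sig 3"
# (certification-level) lines because every field of the line is compared.
has_sig_from() {
    awk -v id="$1" '$1 == "sig" { for (i = 2; i <= NF; i++) if ($i == id) found = 1 }
                    END { exit found ? 0 : 1 }'
}

# Full check for a downloaded key file: import it, compare the fingerprint
# gpg reports against the advertised one, then confirm the advertised
# certification is present in the imported copy (it was missing from the
# web-served key in this thread until the key on the site was updated).
check_key() {
    keyfile=$1
    keyid=$(norm_fpr "$EXPECTED_FPR" | tail -c 16)   # long key ID = last 16 hex digits
    gpg --import "$keyfile" >/dev/null 2>&1 || { echo "import failed"; return 2; }
    actual=$(gpg --with-colons --fingerprint "$keyid" | awk -F: '$1 == "fpr" { print $10; exit }')
    fpr_matches "$actual" "$EXPECTED_FPR" || { echo "FINGERPRINT MISMATCH: $actual"; return 1; }
    if gpg --list-sigs "$keyid" | has_sig_from "$EXPECTED_SIGNER"; then
        echo "OK: fingerprint matches and key is certified by $EXPECTED_SIGNER"
    else
        # The state the thread describes: right fingerprint, but the exported
        # file lacks the certification; --recv-keys on the fingerprint fetches
        # the keyserver copy that carries it, as spender explains above.
        echo "WARNING: fingerprint matches but no certification from $EXPECTED_SIGNER found"
        return 3
    fi
}

# Constructed sample: the --list-sigs output NoiZe91 posted for the web key.
SAMPLE_WEB_KEY_SIGS='pub   4096R/2525FE49 2013-11-10
uid                  Bradley Spengler (spender) <spender@grsecurity.net>
sig 3        2525FE49 2013-11-10  Bradley Spengler (spender) <spender@grsecurity.net>
sig          4245D46A 2013-11-10  [User ID not found]
sub   4096R/3F57788A 2013-11-10
sig          2525FE49 2013-11-10  Bradley Spengler (spender) <spender@grsecurity.net>'

if [ $# -eq 1 ]; then check_key "$1"; fi
```

Run as `sh check_key.sh spender-gpg-key.asc`; exit status 3 is the "fingerprint fine, certification missing" case from this thread, distinct from a genuine fingerprint mismatch (exit 1).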