Re: [OT] GnuPG / PGP signed MD5 checksums
| From | wsheldah@lexmark.com |
|---|---|
| Subject | Re: [OT] GnuPG / PGP signed MD5 checksums |
| Date | |
| Msg-id | OF99CAA311.BD60A054-ON85256CA6.00562E67@lexmark.com |
| Replies | Re: [OT] GnuPG / PGP signed MD5 checksums (greg@turnstep.com) |
| List | pgsql-general |
I just started using GPG about a month ago, and am still trying to figure out how to establish trust in cases where it's not practical to verify a person's identity in person. In this case, how do I know that the message is signed by the real Greg Mullane, and not by some cracker who made up his own GPG key with Greg's name attached to it and forged an email signed by this fake key? And who also replaced one or two of the source files with a trojaned version, and is publishing the md5s for the trojaned version via this email?

Having the fingerprint in the same email message doesn't help that much; perhaps if the signer's fingerprint were on another server, independent of the one holding the files to download? That would at least require an attacker to compromise two separate servers to fool people taking the time to verify.

I don't have any reason to suspect that there's any actual attack underfoot. Just trying to figure out the right way to use GPG encryption to tell when there is one. I do think that GPG or similar cryptographic verification should be used more widely than it is, for security and peace of mind.

Wes Sheldahl


"Greg Sabino Mullane" <greg@turnstep.com>@postgresql.org on 01/06/2003 10:25:47 AM
Sent by: pgsql-general-owner@postgresql.org
To: pgsql-general@postgresql.org, pgsql-announce@postgresql.org
cc:
Subject: [GENERAL] GnuPG / PGP signed MD5 checksums for PostgreSQL 7.3.1, 7.3, and 7.2.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This message contains a cryptographic verification of the source code (and some rpms) for PostgreSQL. This does not guarantee the content of the code, but does guarantee that I calculated the checksums of the files at a certain point in time (see date at the bottom). The MD5s should match the ones on the mirrors, with the exception of the rpms, which do not come with external checksums.

Instead of signing each file with GnuPG, I have signed this message, which contains the MD5 checksums for each file in the 7.3.1, 7.3, and 7.2.3 branches. The checksums are in a normal md5sum format, so you should be able to run md5sum -c against this message. See the man page for the program "md5sum" to learn how to create and verify the checksums, and visit http://www.gnupg.org for more information about how to use GnuPG and how to verify this (and other) messages using PGP.

MD5 checksums for PostgreSQL version 7.3.1 source code:

924b21c3114f595834e2456277f1bffb  postgresql-7.3.1.tar.gz
d31f4be7ada55e4914d1a9134e4441c7  postgresql-base-7.3.1.tar.gz
42384cb2ded505243878231acb779bd6  postgresql-docs-7.3.1.tar.gz
65e3db9df55b71b504a2f385da231de8  postgresql-opt-7.3.1.tar.gz
8f231ca3470f3be6b33e1def77dcf7fc  postgresql-test-7.3.1.tar.gz

( more md5sums snipped )

Greg Sabino Mullane greg@turnstep.com
Key fingerprint = 2529 DF6A B8F7 9407 E944 45B4 BC9B 9067 1496 4AC8
PGP Key: 0x14964AC8
200211301125 EICS-H: -D 0e26986990b888fa7b70a291412f974c32b974a0
-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iD8DBQE+GaGrvJuQZxSWSsgRAkG9AJwLTxwkeXsMfg0zeORTEIv/Z35oxQCglvaT
nWugu1qT+uvxuJBZT+5fQ8Q=
=8HF6
-----END PGP SIGNATURE-----
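The procedure Greg describes (verify the clearsigned message, then run md5sum -c against its text) and the trust question Wes raises (a valid signature from a look-alike key carrying the same name) can be combined into one check. The Python below is an added example, not code from this thread or from the PostgreSQL project. It assumes gpg has already been run on the announcement with --status-fd and that its machine-readable status lines are available; every file content, fingerprint, user ID and status line in it is constructed sample data. The point it makes is the one Wes gets at: the signer's fingerprint is compared against a value recorded from an independent source, never against the fingerprint printed inside the announcement itself, and the checksum lines are only trusted after that comparison passes.

```python
"""Verify a clearsigned md5sum announcement the way a cautious reader would.

Added example, not from the list thread. Mirrors "gpg --verify, then
md5sum -c": take gpg's verdict from its --status-fd output, insist that
the signing key's full fingerprint equals one pinned out of band, and only
then check the md5sum-format lines against the downloaded files.
All sample data below is constructed.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Fingerprint of the key trusted for release announcements. In practice this
# is recorded from a source independent of the announcement (a keyserver,
# a second web site, a key-signing party). Constructed placeholder value.
PINNED_FINGERPRINT = "0A1B2C3D4E5F60718293A4B5C6D7E8F901234567"

# md5sum output format: 32 hex digits, a space, then ' ' (text) or '*' (binary)
MD5_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")
# gpg --status-fd line for a good signature; unlike GOODSIG (key ID + user ID,
# both of which an impostor key can copy) VALIDSIG carries the full fingerprint.
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")


def signer_fingerprint(status_lines: List[str]) -> str:
    """Return the fingerprint gpg reported for a valid signature, or ''."""
    for line in status_lines:
        m = VALIDSIG.match(line)
        if m:
            return m.group(1).upper()
    return ""


def clearsigned_body(message: str) -> str:
    """Extract the signed text of an OpenPGP clearsigned message.

    The body runs from the blank line after the "Hash:" armor headers up to
    the BEGIN PGP SIGNATURE line. Lines that originally began with '-' were
    dash-escaped as "- " by the signer and are restored here.
    """
    lines = message.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError:
        raise ValueError("not a clearsigned message")
    i = start + 1
    while i < end and lines[i].strip():  # skip armor headers such as "Hash: SHA1"
        i += 1
    body = lines[i + 1:end]
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)


def check_md5sums(body: str, files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Equivalent of `md5sum -c` over the checksum lines found in body.

    Returns (filename, "OK" | "FAILED" | "MISSING") per checksum line. Prose
    lines are skipped, as md5sum -c skips improperly formatted lines.
    """
    results = []
    for line in body.splitlines():
        m = MD5_LINE.match(line)
        if not m:
            continue
        expected, name = m.group(1).lower(), m.group(2)
        data = files.get(name)
        if data is None:
            results.append((name, "MISSING"))
        elif hashlib.md5(data).hexdigest() == expected:
            results.append((name, "OK"))
        else:
            results.append((name, "FAILED"))
    return results


def verify_announcement(message: str, status_lines: List[str],
                        files: Dict[str, bytes],
                        pinned: str = PINNED_FINGERPRINT):
    """Gate: signature from the pinned key first, checksums second.

    The "Key fingerprint = ..." line inside the message is deliberately
    ignored: an attacker who forged the message controls that line too.
    """
    fpr = signer_fingerprint(status_lines)
    if not fpr:
        return ("NO_VALID_SIGNATURE", [])
    if fpr != pinned.replace(" ", "").upper():
        # A perfectly good signature, but from a key that is not the one we
        # trust: the "made up his own key with the same name" case.
        return ("UNTRUSTED_SIGNER", [])
    results = check_md5sums(clearsigned_body(message), files)
    ok = bool(results) and all(r[1] == "OK" for r in results)
    return ("OK" if ok else "CHECKSUM_MISMATCH", results)


# --- constructed sample data (not real PostgreSQL files or keys) -------------
GOOD_TARBALL = b"postgresql source tarball (sample bytes)\n"
TROJANED_TARBALL = GOOD_TARBALL + b"# line added by an attacker\n"
IMPOSTOR_FINGERPRINT = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"


def build_announcement(files: Dict[str, bytes]) -> str:
    """Build a clearsigned-looking announcement listing md5s of `files`.
    The signature block is a placeholder; gpg's verdict is supplied separately
    as status lines in this example."""
    sums = "\n".join(f"{hashlib.md5(d).hexdigest()}  {n}" for n, d in files.items())
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
            "MD5 checksums for the release:\n" + sums + "\n"
            "- -- \nKey fingerprint = " + PINNED_FINGERPRINT + "\n"
            "-----BEGIN PGP SIGNATURE-----\n(signature omitted)\n"
            "-----END PGP SIGNATURE-----\n")


# Constructed gpg --status-fd output: same user ID on both keys, different
# fingerprints. Only the fingerprint distinguishes the genuine signer.
GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG C6D7E8F901234567 Release Manager <release@example.org>",
    f"[GNUPG:] VALIDSIG {PINNED_FINGERPRINT} 2003-01-06 1041866747 0 4 0 17 2 01 {PINNED_FINGERPRINT}",
]
IMPOSTOR_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Release Manager <release@example.org>",
    f"[GNUPG:] VALIDSIG {IMPOSTOR_FINGERPRINT} 2003-01-06 1041866747 0 4 0 17 2 01 {IMPOSTOR_FINGERPRINT}",
]

if __name__ == "__main__":
    files = {"postgresql-7.3.1.tar.gz": GOOD_TARBALL}
    msg = build_announcement(files)
    print(verify_announcement(msg, GOOD_STATUS, files))
    print(verify_announcement(msg, IMPOSTOR_STATUS, files))
    print(verify_announcement(msg, GOOD_STATUS, {"postgresql-7.3.1.tar.gz": TROJANED_TARBALL}))
```

In practice the status lines come from `gpg --status-fd 1 --verify announcement.txt`, and the pinned fingerprint is the thing that has to reach you by a path the announcement's author does not control, which is what Wes's "second, independent server" is trying to approximate. One later caveat: MD5 collisions became practical after this thread was written, so a checksum list of this kind is now only as strong as the signature over it and the hash's second-preimage resistance, and current release processes sign with SHA-2 digests instead.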