[OTR-users] Problem with signature file?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Feb 13 01:21:51 EST 2014


On 02/13/2014 12:53 AM, Andy Roberson wrote:

> I downloaded OTR for GNU/Linux from
> https://otr.cypherpunks.ca/pidgin-otr-4.0.0.tar.gz.
> 
> I also downloaded the sig file from
> https://otr.cypherpunks.ca/pidgin-otr-4.0.0.tar.gz.asc

If these two files are in the same directory, you can verify the
signature with:

 gpg --verify pidgin-otr-4.0.0.tar.gz.asc

Note that you will be unable to verify it if you don't have the "OTR Dev
Team" OpenPGP key in your local keyring (you'd see a message like "Can't
check signature: public key not found").  You should be able to fetch
that key to your local keyring with the following one-liner:

 gpg --keyserver pool.sks-keyservers.net \
  --recv 0x576979E7D0CAB38C7AA3DDBDDED64EBB2BA87C5C

Then try the verification again.

Unfortunately, the key used for signing here is a 1024-bit DSA key,
which is no longer considered by many folks to be acceptable for
long-term signatures (this signature scheme was deprecated by NIST back
in 2010).

otoh, OTRv3 itself only uses 1024-bit DSA signatures for its
authentication (and a 1536-bit discrete log DH handshake for the initial
key exchange, which is only marginally better than 1024-bit DSA), so I
suppose a weak signature on the source tarball doesn't make things too
much worse than they already are.

OTR devs, are there any plans afoot to move to stronger keys, either for
source distribution or for OTR itself?  If so, what are they?

Regards,

	--dkg
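A pinned-fingerprint check to go with the verification steps above, added here as an example (it is not dkg's or the OTR project's code): `gpg --verify` exits 0 for a good signature from any key in the keyring, so this script also parses gpg's `--status-fd` output and requires the VALIDSIG fingerprint to match the OTR Dev Team fingerprint given in the message. The gpg status lines used for the offline demonstration are constructed, and the tarball and its `.asc` are assumed to sit in the same directory.

```shell
#!/bin/sh
# Added example (not dkg's or the OTR project's code): pin the signing key's
# fingerprint when verifying the tarball. A plain "gpg --verify" exits 0 for a
# good signature from *any* key in the keyring, so the exit status alone does
# not prove the OTR Dev Team key made it. Fingerprint is the one from the message.
EXPECTED_FPR=576979E7D0CAB38C7AA3DDBDDED64EBB2BA87C5C

# Read gpg's machine-readable status lines (--status-fd) on stdin and print
# exactly one verdict: good, wrong-key, no-pubkey, bad or unknown.
# Exit status is 0 only for "good".
classify_status() {
  expected=$1
  result=unknown
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        # VALIDSIG <signing-key-fpr> <date> <ts> ... [<primary-key-fpr>]
        rest=${line#"[GNUPG:] VALIDSIG "}
        fpr=${rest%% *}
        primary=${rest##* }
        if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
          result=good
        else
          result=wrong-key
        fi ;;
      "[GNUPG:] BADSIG "*)    result=bad ;;
      "[GNUPG:] NO_PUBKEY "*) result=no-pubkey ;;  # key not in keyring: fetch it first
    esac
  done
  printf '%s\n' "$result"
  [ "$result" = good ]
}

# Verify tarball "$1" against the detached "$1.asc" beside it (needs gpg installed).
verify_tarball() {
  gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | classify_status "$EXPECTED_FPR"
}

# Constructed sample status output for an offline demonstration (timestamps are made up).
SAMPLE_GOOD='[GNUPG:] GOODSIG DED64EBB2BA87C5C OTR Dev Team
[GNUPG:] VALIDSIG 576979E7D0CAB38C7AA3DDBDDED64EBB2BA87C5C 2012-08-30 1346284800 0 4 0 17 10 00 576979E7D0CAB38C7AA3DDBDDED64EBB2BA87C5C'
SAMPLE_NOKEY='[GNUPG:] NO_PUBKEY DED64EBB2BA87C5C'

printf '%s\n' "$SAMPLE_GOOD"  | classify_status "$EXPECTED_FPR"         # prints "good"
printf '%s\n' "$SAMPLE_NOKEY" | classify_status "$EXPECTED_FPR" || :    # prints "no-pubkey"
```

For a real run, `verify_tarball pidgin-otr-4.0.0.tar.gz` prints the verdict and returns non-zero unless the pinned key made the signature.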
