[OTR-users] Problem with signature file?

Andy Roberson gosooners2091 at gmail.com
Thu Feb 13 11:07:27 EST 2014


Daniel,

Thanks for the informative reply.

I am not able to import the key from
https://otr.cypherpunks.ca/pidgin-otr-4.0.0.tar.gz.asc onto my keyring,
so the gpg --verify command isn't working for me yet. I was able to
identify the signature used to encrypt the file, and import that one.
But I presume that really isn't verifying anything other than the fact
the file is properly signed by "someone".

Shouldn't the below sequence result in the public key being imported to
my keyring, instead of the "no valid OpenPGP data found." message at the
end?

daddy at HTPC-ubuntu:~/Desktop$ ll
total 460
drwxr-xr-x  2 daddy user   4096 Feb 13 09:04 ./
drwxr-xr-x 51 daddy user   4096 Feb 13 08:17 ../
-rw-r--r--  1 daddy user 459591 Feb 12 23:22 pidgin-otr-4.0.0.tar.gz
daddy at HTPC-ubuntu:~/Desktop$ wget https://otr.cypherpunks.ca/pidgin-otr-4.0.0.tar.gz.asc
--2014-02-13 09:04:48--  https://otr.cypherpunks.ca/pidgin-otr-4.0.0.tar.gz.asc
Resolving otr.cypherpunks.ca (otr.cypherpunks.ca)... 198.96.155.5
Connecting to otr.cypherpunks.ca (otr.cypherpunks.ca)|198.96.155.5|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 190 [text/plain]
Saving to: `pidgin-otr-4.0.0.tar.gz.asc'

100%[==========================================>] 190         --.-K/s   in 0s

2014-02-13 09:04:49 (9.21 MB/s) - `pidgin-otr-4.0.0.tar.gz.asc' saved [190/190]

daddy at HTPC-ubuntu:~/Desktop$ gpg --import pidgin-otr-4.0.0.tar.gz.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

So, does this mean there is some syntax error or improper formatting in
the ASC file at https://otr.cypherpunks.ca/pidgin-otr-4.0.0.tar.gz.asc?

Thanks,
Andy

On 02/13/2014 12:21 AM, Daniel Kahn Gillmor wrote:
> On 02/13/2014 12:53 AM, Andy Roberson wrote:
> 
>> I downloaded OTR for GNU/Linux from
>> https://otr.cypherpunks.ca/pidgin-otr-4.0.0.tar.gz.
>>
>> I also downloaded the sig file from
>> https://otr.cypherpunks.ca/pidgin-otr-4.0.0.tar.gz.asc
> 
> if these two files are in the same directory, you can verify the
> signature with:
> 
>  gpg --verify pidgin-otr-4.0.0.tar.gz.asc
> 
> Note that you will be unable to verify it if you don't have the "OTR Dev
> Team" OpenPGP key in your local keyring (you'd see a message like "Can't
> check signature: public key not found").  You should be able to fetch
> that key to your local keyring with the following one-liner:
> 
>  gpg --keyserver pool.sks-keyservers.net \
>   --recv 0x576979E7D0CAB38C7AA3DDBDDED64EBB2BA87C5C
> 
> Then try the verification again.
> 
> Unfortunately, the key used for signing here is a 1024-bit DSA key,
> which is no longer considered by many folks to be acceptable for
> long-term signatures (this signature scheme was deprecated by NIST back
> in 2010).
> 
> otoh, OTRv3 itself only uses 1024-bit DSA signatures for its
> authentication (and a 1536-bit discrete log DH handshake for the initial
> key exchange, which is only marginally better than 1024-bit DSA), so i
> suppose a weak signature on the source tarball doesn't make things too
> much worse than they already are.
> 
> OTR devs, are there any plans afoot to move to stronger keys, either for
> source distribution or for OTR itself?  If so, what are they?
> 
> Regards,
> 
> 	--dkg
> 

-- 

Thanks,
Andy

Support online privacy by sending encrypted email when possible.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xC40C4F93.asc
Type: application/pgp-keys
Size: 6103 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20140213/0a05cafb/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20140213/0a05cafb/attachment.pgp>
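The "no valid OpenPGP data found" result above comes from feeding a detached signature to `gpg --import`, which only looks for key blocks: a `.asc` that wraps a signature packet (tag 2) is not a key (tag 6), so there is nothing for it to import, and the file is not malformed. What the file actually contains can be read with a few lines of RFC 4880 parsing. The inspector below is an added example, not GnuPG or OTR project code. It de-armors a block, checks the armor CRC-24 (a truncated download fails here), reads the packet tag, and, for a signature, pulls out the algorithms and the issuer key ID, which is the key you would have to fetch before `gpg --verify` can succeed. The sample signature is constructed, with dummy MPIs and only the framing real; its issuer is derived from the fingerprint dkg quotes in the thread, since a v4 long key ID is the low 64 bits of the fingerprint.

```python
# Minimal OpenPGP armor/packet inspector (RFC 4880). Added example for this thread, not GnuPG or
# OTR project code. Sample data is constructed (dummy MPIs, real framing); the fingerprint is dkg's.
import base64

PACKET_TAGS = {2: "signature", 5: "secret-key", 6: "public-key"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 10: "SHA512"}
OTR_DEV_TEAM_FPR = "0x576979E7D0CAB38C7AA3DDBDDED64EBB2BA87C5C"      # as quoted in the thread
DUMMY_MPI = (160).to_bytes(2, "big") + b"\x80" + b"\x11" * 19        # constructed 160-bit MPI

def crc24(data: bytes) -> int:
    """CRC-24 over the packet bytes (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(packet: bytes, block_type: str) -> str:
    """ASCII-armor raw packet bytes under a header such as SIGNATURE or PUBLIC KEY BLOCK."""
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {block_type}-----", ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, f"-----END PGP {block_type}-----", ""])

def dearmor(text: str) -> tuple:
    """Return (block_type, packet_bytes); raise ValueError on bad framing or a CRC mismatch."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        raise ValueError("no valid OpenPGP armor")
    body = lines[1:-1]
    body = body[body.index("") + 1:] if "" in body else body       # armor headers end at a blank line
    packet = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    crc_lines = [l for l in body if l.startswith("=")]               # the "=XXXX" line is the CRC-24
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") != crc24(packet):
        raise ValueError("armor CRC mismatch: truncated or corrupted file")
    return lines[0][15:-5], packet

def read_packet(data: bytes) -> tuple:
    """Parse an old-format packet header (what GnuPG writes for signatures and keys); return (tag, body)."""
    ctb = data[0]
    if (ctb & 0xC0) != 0x80:                                         # bit 7 set, bit 6 clear
        raise ValueError("not an old-format OpenPGP packet header")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    n = 1 << ltype                                                   # 1, 2 or 4 length octets
    return tag, data[1 + n:1 + n + int.from_bytes(data[1:1 + n], "big")]

def read_subpackets(buf: bytes) -> list:
    """Split a signature subpacket area into (type, value) pairs (lengths per RFC 4880 5.2.3.1)."""
    out = []
    while buf:
        first = buf[0]
        length, off = ((first, 1) if first < 192 else
                       (((first - 192) << 8) + buf[1] + 192, 2) if first < 255 else (int.from_bytes(buf[1:5], "big"), 5))
        out.append((buf[off] & 0x7F, buf[off + 1:off + length]))    # length includes the type octet
        buf = buf[off + length:]
    return out

def parse_signature(body: bytes) -> dict:
    """Extract type, algorithms, creation time and issuer key ID from a v4 signature body."""
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    pos = 6 + int.from_bytes(body[4:6], "big")                      # end of the hashed subpacket area
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")        # end of the unhashed area
    subs = dict(read_subpackets(body[6:pos]) + read_subpackets(body[pos + 2:end]))
    return {"sig_type": body[1], "pubkey_algo": PUBKEY_ALGOS.get(body[2], body[2]),
            "hash_algo": HASH_ALGOS.get(body[3], body[3]),
            "created": int.from_bytes(subs[2], "big") if 2 in subs else None,   # subpacket 2
            "issuer": subs[16].hex().upper() if 16 in subs else None}           # subpacket 16

def inspect_asc(text: str) -> dict:
    """Classify an .asc: key blocks are what gpg --import reads; a signature needs gpg --verify."""
    block_type, packet = dearmor(text)
    tag, body = read_packet(packet)
    result = {"armor": block_type, "packet": PACKET_TAGS.get(tag, f"tag {tag}"), "importable": tag in (5, 6)}
    return {**result, **parse_signature(body)} if tag == 2 else result

def keyid_from_fingerprint(fpr: str) -> str:
    """A v4 long key ID is the low 64 bits, i.e. the last 16 hex digits, of the fingerprint."""
    return fpr.replace(" ", "")[-16:].upper()

def build_fake_signature(issuer_keyid: str, created: int) -> bytes:
    """Constructed v4 DSA/SHA1 detached-signature packet: never verifies, framing only."""
    hashed = bytes([5, 2]) + created.to_bytes(4, "big")              # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex(issuer_keyid)          # issuer subpacket
    body = (bytes([4, 0x00, 17, 2]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\xab\xcd" + DUMMY_MPI * 2)
    return bytes([0x88, len(body)]) + body                           # old-format header, tag 2

def build_fake_public_key(created: int) -> bytes:
    """Constructed v4 DSA public-key packet with dummy p, q, g, y."""
    body = bytes([4]) + created.to_bytes(4, "big") + bytes([17]) + DUMMY_MPI * 4
    return bytes([0x99]) + len(body).to_bytes(2, "big") + body       # old-format header, tag 6

# Constructed stand-in for what a detached .asc like pidgin-otr-4.0.0.tar.gz.asc looks like structurally.
CONSTRUCTED_SIG_ASC = armor(build_fake_signature(keyid_from_fingerprint(OTR_DEV_TEAM_FPR), 1392000000), "SIGNATURE")
```

Running `inspect_asc` on the constructed signature reports `packet: signature`, `importable: False`, `pubkey_algo: DSA`, `hash_algo: SHA1` and `issuer: DED64EBB2BA87C5C`, which is exactly the key ID `gpg --verify` names in its "public key not found" message, and the same value `keyid_from_fingerprint` derives from the fingerprint in dkg's reply. The same function on a `PUBLIC KEY BLOCK` built with `build_fake_public_key` reports `packet: public-key`, `importable: True`. Two caveats for practice: the issuer key ID only tells you which key to fetch, it does not authenticate it, so after `gpg --recv` compare the full fingerprint shown by `gpg --fingerprint` against one obtained out of band (key IDs, especially 32-bit short ones, are not unique); and because this parser never checks the DSA values, a structurally valid file says nothing about whether the signature verifies, which remains `gpg --verify`'s job.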