Silk Road forums
Discussion => Security => Topic started by: luvdak on February 25, 2013, 07:21 pm
-
Hello fellow SR peeps.
I verified the signature on dee.su's website for the self-bootable ISO and the signature doesn't match the PGP key. I downloaded the ISO and the ASC sig from sourceforge and the link was straight from the dee.su website.
Here's the output from the fingerprint command: "pub 2048D/B37D8D87 2010-10-11 [expires: 2015-10-10]
Key fingerprint = E983 5D5C 4252 A3EB E0D2 2D07 FAD1 6647 B37D 8D87
uid Maxim Kammerer <mk@dee.su>
sub 2048g/BDE7F956 2010-10-11 [expires: 2015-10-10]"
B37D8D87 is the key ID, this is verifiable on his website.
Here's the output when trying to verify "gpg --verify /home/user/liberte-2012.3.iso.asc /home/user/liberte-2012.3.iso
gpg: Signature made Fri 31 Aug 2012 11:42:29 PM MDT using DSA key ID 81DE1001
gpg: Can't check signature: public key not found"
This means the person who signed has a different key than Mr. Liberte. I'd like someone else to verify, but I believe this would qualify as a bloody red flag.
Please comment, please prove me wrong. I'd really like to be wrong on this but I don't see how, I was able to verify the most recent sig and file from the tor bundle so I know I'm doing it right.
-
Hello fellow SR peeps.
I verified the signature on dee.su's website for the self-bootable ISO and the signature doesn't match the PGP key. I downloaded the ISO and the ASC sig from sourceforge and the link was straight from the dee.su website.
Here's the output from the fingerprint command: "pub 2048D/B37D8D87 2010-10-11 [expires: 2015-10-10]
Key fingerprint = E983 5D5C 4252 A3EB E0D2 2D07 FAD1 6647 B37D 8D87
uid Maxim Kammerer <mk@dee.su>
sub 2048g/BDE7F956 2010-10-11 [expires: 2015-10-10]"
B37D8D87 is the key ID, this is verifiable on his website.
I don't know where you're getting your info about that being the correct Key ID - where exactly do you see it on the website?
According to
CLEARNET--> http://dee.su/liberte-install
Under "Authenticity" it says all releases are signed with key 81DE1001, which is also the key ID indicated by your gpg output.
Here's the output when trying to verify "gpg --verify /home/user/liberte-2012.3.iso.asc /home/user/liberte-2012.3.iso
gpg: Signature made Fri 31 Aug 2012 11:42:29 PM MDT using DSA key ID 81DE1001
gpg: Can't check signature: public key not found"
The problem seems to be you have not imported the correct key ID (81DE1001) to your gpg program.
-
Oops I got a little dyslexic ;)
It was his public key from the **Clearnet:https://zimmermann.mayfirst.org/pks/lookup?op=get&search=0xE9835D5C4252A3EBE0D22D07FAD16647B37D8D87**
So from my output " pub 2048D/B37D8D87 2010-10-11 [expires: 2015-10-10]
Key fingerprint = E983 5D5C 4252 A3EB E0D2 2D07 FAD1 6647 B37D 8D87
uid Maxim Kammerer <mk@dee.su>
sub 2048g/BDE7F956 2010-10-11 [expires: 2015-10-10]" The ID is B37D8D87.
Therefore the output "gpg --verify /home/user/liberte-2012.3.iso.asc /home/user/liberte-2012.3.iso
gpg: Signature made Fri 31 Aug 2012 11:42:29 PM MDT using DSA key ID 81DE1001
gpg: Can't check signature: public key not found" The file was signed with ID 81DE1001 which is not the ID B37D8D87 as you mentioned was the one listed on the website.
I also downloaded these files from the links on the dee.su website, which linked to the sourceforge files from the Liberte account. So the key doesn't match the signature given on the latest ISO download.
-
So problem solved, right?
His key shouldn't match the signature on the download unless his key is specified as the one their releases are signed with. Copy/paste this into a terminal and hit enter:
gpg --keyserver hkp://keys.gnupg.net --recv-keys 81DE1001
This will import the 81DE1001 key to your gpg keyring. That's their software signing key. You can check the key's integrity with the command:
gpg --list-sigs 81DE1001
This shows the keys that have signed that key include Maxim Kammerer's B37D8D87 key. It looks perfectly legitimate. Now use the verify command again to check the liberte download.
-
So problem solved, right?
His key shouldn't match the signature on the download unless his key is specified as the one their releases are signed with. Copy/paste this into a terminal and hit enter:
gpg --keyserver hkp://keys.gnupg.net --recv-keys 81DE1001
This will import the 81DE1001 key to your gpg keyring. That's their software signing key. You can check the key's integrity with the command:
gpg --list-sigs 81DE1001
This shows the keys that have signed that key include Maxim Kammerer's B37D8D87 key. It looks perfectly legitimate. Now use the verify command again to check the liberte download.
Thanks, I just got back on the website and I was going off of MK's key and thought his was Liberte's. The main dee.su page just has his key, I think it should include both; the summary page has the signature for liberte@dee.su instead of MK@dee.su. After clicking on the installation page I saw the other key staring me in the face LOL Derp, feel like a tard. Although I do think he should list the PGP key on the summary page before or somewhere around the signatures.
Thanks for the commands, those will come in handy :)
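As an added example (not code from the thread or from the Liberté project), a small Python helper that parses gpg's machine-readable status output so that the "public key not found" case the OP hit is reported separately from a bad signature, and that pins the documented release-signing key (81DE1001) rather than the maintainer's personal key (B37D8D87). The full fingerprint of 81DE1001, its 16-digit long key ID and the uid are constructed placeholders, since the thread only gives the short ID.

```python
import re
import subprocess

# Maintainer key fingerprint as quoted in the thread (short ID B37D8D87).
MAINTAINER_FPR = "E9835D5C4252A3EBE0D22D07FAD16647B37D8D87"
# Constructed placeholder: the thread only gives the short ID 81DE1001, so the
# leading 32 hex digits here are NOT the real fingerprint of the release key.
RELEASE_FPR = "0000000000000000000000000000000081DE1001"

_STATUS = re.compile(r"^\[GNUPG:\] (\S+)\s*(.*)$")

def classify(status_text: str, allowed_fprs: set) -> dict:
    """Classify a `gpg --status-fd 1 --verify` transcript against pinned keys.
    result: no_pubkey (signer key not in keyring, the OP's case), rejected
    (BADSIG, or a good signature from an expired/revoked key), wrong_key
    (good signature but the signer is not a pinned key), good."""
    keyid = fpr = None
    good = rejected = missing = False
    for line in status_text.splitlines():
        m = _STATUS.match(line)
        if not m:  # plain "gpg: ..." lines are for humans; never parse them
            continue
        tag, args = m.group(1), m.group(2).split()
        if tag == "NO_PUBKEY":
            missing, keyid = True, args[0]
        elif tag == "GOODSIG":
            good, keyid = True, args[0]
        elif tag in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            rejected, keyid = True, args[0]
        elif tag == "VALIDSIG":
            fpr = args[0].upper()  # full fingerprint, safer than a short ID
    if missing:
        result = "no_pubkey"
    elif rejected or not (good and fpr):
        result = "rejected"
    elif fpr in {f.upper() for f in allowed_fprs}:
        result = "good"
    else:
        result = "wrong_key"
    return {"result": result, "keyid": keyid, "fpr": fpr}

def verify_file(sig_path: str, data_path: str, allowed_fprs: set) -> dict:
    """Run gpg on a detached signature and classify its status lines."""
    cmd = ["gpg", "--status-fd", "1", "--verify", sig_path, data_path]
    return classify(subprocess.run(cmd, capture_output=True, text=True).stdout, allowed_fprs)

# Constructed transcripts modelled on the thread (17 = DSA, time = the thread's
# signature date; the 16-digit long key ID and the uid are placeholders).
BEFORE_IMPORT = ("[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG 0000000081DE1001 17 2 00 1346478149 9\n"
                 "[GNUPG:] NO_PUBKEY 0000000081DE1001\ngpg: Can't check signature: public key not found\n")
AFTER_IMPORT = ("[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 0000000081DE1001 Liberte (placeholder) <liberte@dee.su>\n"
                "[GNUPG:] VALIDSIG %s 2012-09-01 1346478149 0 4 0 17 2 00 %s\n") % (RELEASE_FPR, RELEASE_FPR)
```

Pinning the release key's full fingerprint (obtained out of band from the installation page) is what turns "gpg said good signature" into "signed by the key the project says it uses"; a NO_PUBKEY result is a missing import, not evidence of tampering.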