-
Notifications
You must be signed in to change notification settings - Fork 66
/
maradns.gpg.key.HOWTO
66 lines (40 loc) · 2.15 KB
/
maradns.gpg.key.HOWTO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
I will detail how MaraDNS users can trust the GPG key MaraDNS has, and
use this GPG key to verify a given release of MaraDNS.
There has been, ever since the 1.0 release of MaraDNS in 2002, two
different GPG keys used:
* A 1024-bit DSA key used from 2001 until 2012
* A 2048-bit RSA key in use since 2012
The 2012 key has been signed with the 2001 key. The 2001 key can be
trusted because it has been in use for a long time. Not only is it
still included in every single MaraDNS release, it has been included in
releases since 2001. Its pretty easy to verify that, say, a 2002
release of MaraDNS was using the same 1024-bit key new releases are
included with:
https://web.archive.org/web/20020803040619/http://www.maradns.org/download.html
http://sourceforge.net/projects/maradns/files/MaraDNS/1.0.00/
The DSA key has a key ID of 1E61FCA6 and the following fingerprint:
D167 252A 18BC D011 7CB4 6CA8 0BE8 D6AE 1E61 FCA6
Note that this fingerprint can be verified by looking at multiple
mailing list postings over the years, e.g.:
https://marc.info/?l=maradns-list&m=101195132232108&w=2
Both MaraDNS GPG keys are also available on the MIT GPG key server:
http://pgp.mit.edu/pks/lookup?search=MaraDNS&op=index
The 2048-bit RSA key has a key ID of 6D150805 and the following
fingerprint:
A96E 30DD A360 FC63 42B2 D9AB 5FF4 96D1 6D15 0805
This key can be verified because it is signed by the older DSA key:
gpg --list-sigs 6D150805
Both keys can also be verified because they were the same keys in
2015:
https://web.archive.org/web/20150922220611/https://samiam.org/blog/2015-05-27.html
==Using GnuPG==
One issue is that GPG is not the easiest program to use. To add the
MaraDNS keys to ones GPG keyring, enter the MaraDNS top-level
directory and then:
cat maradns.gpg.key.old | gpg --import
cat maradns.gpg.key | gpg --import
To verify a signed file, do something like:
gpg --verify maradns-2.0.11.tar.bz2.asc maradns-2.0.11.tar.bz2
Verifying a key fingerprint:
gpg --fingerprint {ID}
Where {ID} is the ID of the key we wish to view the fingerprint of.