Differences

This shows you the differences between two versions of the page.

--- blug-canary-3 [2023/02/28 13:42]
vimacs
+++ blug-canary-3 [2023/11/19 08:33]
vimacs
@@ Line 7: / Line 7: @@
 ====================================
-Issued for February 2023.
+Issued for November 2023.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 62: / Line 62: @@
 . We plan to publish the next of these canary statements in the first three
-weeks of March 2023. Special note should be taken if no new canary is published
+weeks of December 2023. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
@@ Line 72: / Line 72: @@
 ~~~~~~~~~~~~~~~~~~~~~~~~
-None.
+. We've found a workaround for importing keys on https://keys.openpgp.org
+without User-ID. The instructions for verifying persmule's signatures have
+been added.
 Canary Verification Procedures
@@ Line 87: / Line 89: @@
 . To verify persmule's signature...
-    a. Unfortunately, it's not possible yet. Recent attacks on OpenPGP key-
+    a. Due to the previous attacks on OpenPGP keyservers, persmule has published
-    servers have raised great security concerns within the community, as a
+    the OpenPGP public key to https://keys.openpgp.org without a User-ID. Using
-    countermeasure, persmule's new public key has been published to the
+    the standard method, it's impossible to import a OpenPGP public key without
-    https://keys.openpgp.org/ keyserver, but without a User-ID. Currently,
+    User-ID. But since April 2013, we have developed a workaround, described
-    it's impossible to import a OpenPGP public key without User-ID for a
+    below.
-rd-party to verify the canary document signed by persmule.
-    b. We are looking for a solution. But for now, you should check the
+    b. Obtain the dummy public key from any traditional OpenPGP Keyserver,
-    canary documents signed by biergaizi and vimacs to decide the validity
+    such as https://keyserver.ubuntu.com, and import the public key. The
-    of the canary documents. This effectively reduced the number of signers
+    fingerprint is 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60. Note that, to
-    to two people. It reduces the level of confidence, but currently there is
+    import this key, one must copy and paste the key in ASCII from the Keyserver
-    no alternative option yet.
+    website to a file or console and use the command "gpg --import". Due to a
+    technical problem, Using "gpg --recv-key" or "gpg --search-keys" does not
+    work.
-    c. Once the technical problem of using a public key without User-ID is
+    c. This is a special dummy public key with its User-IDs and subkeys stripped
-    resolved, you can check the previous signatures retroactively, and this
+    that we specifically created, leaving only a "stub" User-ID (with an invalid
-    would effectively restore the level of confidence. You can archive the
+    E-mail address, "glahamm <yiam5Od@gliwrad.invalid>"). Its sole purpose is
-    documents to your own machine as soon as it's published to ensure no data
+    allowing the subsequent import of additional subkeys.
-    tampering has occurred.
+    d. Next, with the stub key already imported, obtain the public key from
+    https://keys.openpgp.org using the same fingerprint, and import this key.
+    Because the dummy key with its stub User-ID is already in presence, it's
+    now possible to import the https://keys.openpgp.org public key directly.
+    e. Use the latest GnuPG in most operating system, the signatures made by
+    persmule's key can now be verified as usual. Debian is known to work, most
+    other systems should work just fine, but not Fedora. The subkeys contains
+    signatures made with Brainpool curves, which are disabled on Fedora due to
+    potential patent-licensing problems, causing a "Unknown elliptic curve"
+    error.
 . To verify vimacs' signature...
@@ Line 118: / Line 132: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- Secondary National Offer Day 2023: What to do if your child misses out on their first choice
+ Norfolk ramblers' battle against barrier blocking historic footpath
- Rare beauty: Northern Lights dazzle UK horizons from Liverpool to Kent
+ Revealed: All the pro-Palestine protests taking place across UK
- Trans rapist Isla Bryson told 'you are not the victim' by judge before being jailed
+ Friday evening news briefing: Hamas military system nearly dismantled in northern Gaza, says Israel
- Missing Constance Marten and partner arrested as search launched for her baby
+ One in ten young people too sick to work full-time
- Ian Fleming would have wanted Bond books to be edited, estate says
+ Thursday evening news briefing: Six in 10 voters agree with Braverman
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- Blinken Urges Ex-Soviet States to Keep Distance From Russia
+ Israel-Hamas War Turns Gaza Into a Graveyard for Children
- Europe Struggles to Find Leopard 2 Tanks for Ukraine
+ The Invisible War in Ukraine Being Fought Over Radio Waves
- Sunak Hopes to Move Past Brexit, at Long Last, With E.U. Deal
+ In Hitlers Birthplace, Soul-Searching Over a Poisonous Past
- China Moves to Erase the Vestiges of Zero Covid to Deter Dissent
+ Taylor Swift Fan Falls Fatally Ill at Brazil Concert Amid Heat
- Hong Kong Mask Mandate, One of Worlds Last, Will End
+ Israel-Hamas War: U.N. Says Gaza Hospital Has Become Death Zone
 $ date -R -u
-Tue, 28 Feb 2023 13:40:39 +0000
+Sun, 19 Nov 2023 08:31:54 +0000
 -----BEGIN PGP SIGNATURE-----
-iHUEARYKAB0WIQRlsdhNDMVQSujfnGCovW2B2flWVAUCY/4EhQAKCRCovW2B2flW
+iHUEARYKAB0WIQRlsdhNDMVQSujfnGCovW2B2flWVAUCZVnIDAAKCRCovW2B2flW
-VBeKAQCyeECTnWDjs8QStN6SXk0FBbJQ5h1QyVem5T0CdG0zBgD/e9wDVCZcmfMs
+VHH+AP0SNuEB2gweHXO+KKbqi2Dbb6vRLF/kYV4wnkGV5VXesQD/asLZS+E2aX5F
-tRowkwJQAQlIysJKzslb95zHZz6bEQE=
+VjUkVmGiLaJoqp6FWBF2IbwEd5mfAM=
-=fBcI
+=sTtU
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools