Differences

This shows you the differences between two versions of the page.

--- blug-canary-1 [2020/02/21 02:09]
persmule old revision restored (2020/01/31 09:14)
+++ blug-canary-1 [2025/10/31 11:56] (current)
BLUG Admin
@@ Line 15: / Line 15: @@
 ====================================
-Issued for January 2020.
+Issued for October 2025.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 24: / Line 24: @@
 * biergaizi: 0x255211B2395A5A3E0E48A0F1FAD3EB05E88E8D6D
-* persmule : 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60
+* persmule : 0x7636112A33805777A0646B1BFA7C50B699AC61D2
-* wnereiz  : 0x0A6A91990AC98712274AA18DFDFF2E13AA25BE72
+* vimacs   : 0x7079B481F04B5D8B65A0ECDEEA2DB82FE04A9403
 THREE DOCUMENTS IN TOTAL.
@@ Line 70: / Line 70: @@
 . We plan to publish the next of these canary statements in the first three
-weeks of March 2020. Special note should be taken if no new canary is published
+weeks of December 2025. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
+. Due to the ongoing security issues of OpenPGP keyservers, it makes signature
+verification an issue and somewhat a challenge. For completeness, complete
+procedures for canary verification is included here.
 Special Announcements
 ~~~~~~~~~~~~~~~~~~~~~~~~
-. Since mid-October, persmule's old signing key 0x2987A25DAC8454A5 has
+None.
-expired. A new key, 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60, has been
-created and uploaded to https://keys.openpgp.org/, it can be obtained from
+Canary Verification Procedures
-this keyserver.
+~~~~~~~~~~~~~~~~~~~~~~~~
+. To verify biergaizi's signature...
+    a. Obtain the public key from any traditional OpenPGP Keyserver, such as
+    https://keyserver.ubuntu.com, and import the public key. The fingerprint
+    is 0x255211B2395A5A3E0E48A0F1FAD3EB05E88E8D6D.
+    b. Use the latest GnuPG in any operating system.
+. To verify persmule's signature...
-. The new key will be used by persmule to sign future warrant canary
+    a. Due to the previous attacks on OpenPGP keyservers, persmule has published
-documents. You can verify the signature by crosschecking the other two
+    the OpenPGP public key to https://keys.openpgp.org without a User-ID. Using
-documents signed by biergaizi and wnereiz for consistency.
+    the standard method, it's impossible to import a OpenPGP public key without
+    User-ID. But since April 2013, we have developed a workaround, described
+    below.
-. Due to this key rollover, the October message was not signed by persmule.
+    b. Obtain the dummy public key from any traditional OpenPGP Keyserver,
-This did/does not indicate a security incident, all of the statements above
+    such as https://keyserver.ubuntu.com, and import the public key. The
-were valid, and are still valid.
+    fingerprint is 0x7636112A33805777A0646B1BFA7C50B699AC61D2. Note that, to
+    import this key, one must copy and paste the key in ASCII from the Keyserver
+    website to a file or console and use the command "gpg --import". Due to a
+    technical problem, Using "gpg --recv-key" or "gpg --search-keys" does not
+    work.
-. Recent attacks on OpenPGP keyservers have raised great security concerns
+    c. This is a special dummy public key with its User-IDs and subkeys stripped
-within the community, as a countermeasure, persmule's personal User-ID has
+    that we specifically created, leaving only a "stub" User-ID (with an invalid
-not published to the https://keys.openpgp.org/ keyserver. Instead, only
+    E-mail address, "Kikek <othar7ok@ep2quey.invalid>"). Its sole purpose is
-cryptographic information can be obtained from the keyserver, without any
+    allowing the subsequent import of additional subkeys.
-User-ID. Currently, it's impossible to import a OpenPGP public key without
-User-ID to a standard GnuPG installation, as a result, it's not possible
-for a 3rd-party to verify the canary document signed by persmule.
-. We are looking for a solution. But for now, we decided that the best
+    d. Next, with the stub key already imported, obtain the public key from
-option is starting publishing new canary documents using the new key.
+    https://keys.openpgp.org using the same fingerprint, and import this key.
-As a temporary measure, you can check the canary documents signed by
+    Because the dummy key with its stub User-ID is already in presence, it's
-biergaizi and wnereiz to decide the validity of the Statements. By signing
+    now possible to import the https://keys.openpgp.org public key directly.
-their own copies, it indicates that the new key has been verified privately
-by them as valid.
-. This effectively reduced the number of signers to two people. It reduces
+    e. Use the latest GnuPG in most operating system, the signatures made by
-the level of confidence, but currently there is no alternative option yet.
+    persmule's key can now be verified as usual.
-. Once the technical problem of OpenPGP public key without User-ID is
+. To verify vimacs' signature...
-resolved, you can check the previous signatures retroactively, and this
-would effectively restore the level of confidence. You can archive
-persmule's signature as soon as it's published to your own machine to
-ensure no data tampering has occured.
-. Unlike persmule, biergaizi and wnereiz's signing keys are unchanged,
+    a. Obtain the public key from any traditional OpenPGP Keyserver, such as
-but the Key-IDs have been changed to its full fingerprint format in the
+    https://keyserver.ubuntu.com, and import the public key. The fingerprint
-canary document for clarity.
+    is 0x7079B481F04B5D8B65A0ECDEEA2DB82FE04A9403.
-. When new information is available, it will be published in the "Special
+    b. Use the latest GnuPG in any operating system.
-Announcements" section in future warrant canary documents.
 Proof of Freshness
@@ Line 124: / Line 134: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- The Briefing: Sign up for two-minute audio news updates on WhatsApp, Apple, Spotify and Alexa twice a day
+ Ukraine: The Latest - the worlds most trusted and award-winning podcast on the war
- Coronavirus infection: everything you need to know about the outbreak from China
+ Teenagers arrested after nursery cyber attack
- Groundhog Day: how the Punxsutawney Phil prediction at Gobbler's Knob forecasts the weather
+ Blizzard traps nearly 1,000 hikers on slopes of Mount Everest
- Friday morning news briefing: Brexit Day - 'dawn of a new era'
+ BBC Breakfast boss cleared of bullying allegations
- Coronavirus declared a global emergency: in pictures
+ Northern Lights shine across the UK
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- Coronavirus Live Updates: U.S. Issues Red Alert After Week of Skyrocketing Infections
+ Xi Delivers Veiled Warning to Nations Not to Take the U.S.s Side
- Britains Brexit Shrug: Just Get On With It
+ Ukraine Gamifies the War: 40 Points to Destroy a Tank, 12 to Kill a Soldier
- Battered at the Polls, Pro-Europe Britons Gird for the Next Fight
+ Prince Andrew to Be Stripped of His Royal Title
- More Violence. Fewer Prisoners. Inside Mexicos Criminal Justice Reform.
+ Executions and Mass Casualties: Videos Show Horror Unfolding in Sudan
- As Coronavirus Spreads, So Does Anti-Chinese Sentiment
+ Jamaica Prepared a Financial Fortress for Disaster. Hurricane Melissa Will Test It.
 $ date -R -u
-Fri, 31 Jan 2020 09:13:13 +0000
+Fri, 31 Oct 2025 11:54:19 +0000
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-iQIzBAEBCgAdFiEEJVIRsjlaWj4OSKDx+tPrBeiOjW0FAl4z77MACgkQ+tPrBeiO
+iQIzBAEBCgAdFiEEJVIRsjlaWj4OSKDx+tPrBeiOjW0FAmkEo50ACgkQ+tPrBeiO
-jW2QVg/+IqkB65Pz4DFLsOKkSvNIv/prByL/SEhDe5SVNH1Z32yTrLkvQTU27rZx
+jW2NTw/+NQ+pMcK/6NBH4D+lXa4ovbNKcyPi6+mJm36Jqg7sO835aYMLzGhe0fXv
-RMDFFtbq/QSv7psi90sc4PmHruFkAecrg7+BdkmF5v9ytban62GuP8R0JAvicyw1
+YYG9ySE7/Gi7H4gmFj4US1FJzWI7RgXeJuvwI+G12Qecaa2rO7eun6Xorw0/K/1j
-b+lCu6QW2oOtzDdqibLYh7x6V24ffd2Ts0JpLCbYFyER3iS4i+ktHAD6sZTMQ0F3
+UbXfiHwZEBEM7oqPhZfxQWRKN4BUuVlaUgZh14eAbZhy34yP6iUG3zPk65ZDOHvp
-J2vlftonL2CyddeiqBlsZ/xKiHuMFRt22qUythpp3j5E86VmaPddKcZKiaqaJZ5K
+NP+BCYc2daIzgGiWfW54DljuLgY5l8BQUatgeYddvZ+QcZjLb2D1BuTHwKV9SDKW
-Fm7QswORB5B9xzSliaVj5yi3lCwwcievaacKwWJ04fm4WUhvzG4a2eTCUZWFYMuZ
+DhwRO3rnmuByaIgcM3mhBKoOwhS+hHxupRD1/KQn+iuilstUF/4QVeakcMS2OgNc
-+o0/tEwAoglO6FIgC0sTk9J5DIOOM0/tp/hsLrQlPspaK65xeJv/HE0XJPO5l3s
+O22e5TEpIXNpESftl2aUOZeycOJF6aAKCPBVAU3dWsZlXLOnWKyN7KZ+r+pKuTFI
-gjmijxFo5iLXDGq59xhs0+hxgH0RwwADbebHku/l2a46Sjq4jp0SrQMm5n7NQ5r
+MDhjMHQVP7eAlM5Bpw/CijOiXKYY0IyHnYjsIlj1A9bBDsJ0NDcET+i4ua6BKSQq
-GdmazDt5cUhm6jjTDEYflc0MADvCfdKHNHAhsJaE/5+jeQKv6V/EVbCEgrnxv10
+IoQ5LQPR1JswtjWIenbKDpCEvqQX2l28Al/L2WVpVGK/i/kArBfAhHGJcuUmYU1K
-NZhR4ihkqdSPMO30sGvH4dEEhAi/fEVDPlQvA49jG+qmUxI9H875my99KEa/W8jY
+csGvgxttlDS1jX+30rqrntPJMa+rvLojyhCRPOtsG4FXriftC8b9CK2EHRIxZG2v
-w8/QjJBkkaeZBQXnFl8g1EHRoMeCLC2aePTWcM9Kd6y09rhX3g1+w32OI+I+vCH
+cbXu4g8mAx/vIpjbC/IueIGrS9vE4D+ALYycsqJjwDWMLILEFXwRF10QkaRKkVe
-xK73HZQDgVnxpJlZPpWgn837wu284opkMkib+1RhsvFx3mCbrqw=
+pmE8c17pRygVVhOB6o38ur/s0nMTxrGB21kCflznxNzGSFPuh3k=
-=5Vba
+=uBfv
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools