Differences

This shows you the differences between two versions of the page.

--- blug-canary-1 [2020/06/26 10:55]
BLUG Admin
+++ blug-canary-1 [2025/12/30 03:35] (current)
BLUG Admin
@@ Line 15: / Line 15: @@
 ====================================
-Issued for June 2020.
+Issued for December 2025.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 24: / Line 24: @@
 * biergaizi: 0x255211B2395A5A3E0E48A0F1FAD3EB05E88E8D6D
-* persmule : 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60
+* persmule : 0x7636112A33805777A0646B1BFA7C50B699AC61D2
 * vimacs   : 0x7079B481F04B5D8B65A0ECDEEA2DB82FE04A9403
@@ Line 70: / Line 70: @@
 . We plan to publish the next of these canary statements in the first three
-weeks of July 2020. Special note should be taken if no new canary is published
+weeks of January 2026. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
+. Due to the ongoing security issues of OpenPGP keyservers, it makes signature
+verification an issue and somewhat a challenge. For completeness, complete
+procedures for canary verification is included here.
 Special Announcements
 ~~~~~~~~~~~~~~~~~~~~~~~~
-. Due to personal reasons, wnereiz (0xFDFF2E13AA25BE72) voluntarily decided
+None.
-to quit from the warrant canary team and he is no longer a signer of the
-warrant canary documents since April 15th, 2020. All statements from the
-warrant canary documents before this date are still valid. This is an official
-decision that can be verified by checking the warrant canary document in April,
-signed by wneriez.
-. In the previously mentioned document designed by wneriez in April 2020,
-the date in its statements was mistakenly written as "April 15th, 2019",
-which was a typo, but cannot be changed due to the nature of digital signature.
-We declare that it's hereby corrected to "April 15th, 2020".
-. A new member, vimacs (0xEA2DB82FE04A9403) has became a new signer since this
-month. You can validate the new keys by cross-checking the other two copies of
-this document, signed by biergaizi and persmule.
-. Due to the ongoing security issues of OpenPGP keyservers, it makes signature
-verification an issue and somewhat a challenge. For completeness, complete
-procedures for canary verification has been added.
 Canary Verification Procedures
@@ Line 109: / Line 95: @@
 . To verify persmule's signature...
-    a. Unfortunately, it's not possible yet. Recent attacks on OpenPGP key-
+    a. Due to the previous attacks on OpenPGP keyservers, persmule has published
-    servers have raised great security concerns within the community, as a
+    the OpenPGP public key to https://keys.openpgp.org without a User-ID. Using
-    countermeasure, persmule's new public key has been published to the
+    the standard method, it's impossible to import a OpenPGP public key without
-    https://keys.openpgp.org/ keyserver, but without a User-ID. Currently,
+    User-ID. But since April 2013, we have developed a workaround, described
-    it's impossible to import a OpenPGP public key without User-ID for a
+    below.
-rd-party to verify the canary document signed by persmule.
-    b. We are looking for a solution. But for now, you should check the
+    b. Obtain the dummy public key from any traditional OpenPGP Keyserver,
-    canary documents signed by biergaizi and vimacs to decide the validity
+    such as https://keyserver.ubuntu.com, and import the public key. The
-    of the canary documents. This effectively reduced the number of signers
+    fingerprint is 0x7636112A33805777A0646B1BFA7C50B699AC61D2. Note that, to
-    to two people. It reduces the level of confidence, but currently there is
+    import this key, one must copy and paste the key in ASCII from the Keyserver
-    no alternative option yet.
+    website to a file or console and use the command "gpg --import". Due to a
+    technical problem, Using "gpg --recv-key" or "gpg --search-keys" does not
+    work.
-    c. Once the technical problem of using a public key without User-ID is
+    c. This is a special dummy public key with its User-IDs and subkeys stripped
-    resolved, you can check the previous signatures retroactively, and this
+    that we specifically created, leaving only a "stub" User-ID (with an invalid
-    would effectively restore the level of confidence. You can archive the
+    E-mail address, "Kikek <othar7ok@ep2quey.invalid>"). Its sole purpose is
-    documents to your own machine as soon as it's published to ensure no data
+    allowing the subsequent import of additional subkeys.
-    tampering has occurred.
-. To verify vimacs' signature...
+    d. Next, with the stub key already imported, obtain the public key from
+    https://keys.openpgp.org using the same fingerprint, and import this key.
+    Because the dummy key with its stub User-ID is already in presence, it's
+    now possible to import the https://keys.openpgp.org public key directly.
-    a. Due to the recent attacks on OpenPGP keyservers, vimacs has published
+    e. Use the latest GnuPG in most operating system, the signatures made by
-    the OpenPGP public key to https://keys.openpgp.org, again, without a User-
+    persmule's key can now be verified as usual.
-    ID. But it's possible for a 3rd-party to verify the signatures by following
-    these steps.
-    b. Use Debian GNU/Linux operating system and install GnuPG. Other operating
+. To verify vimacs' signature...
-    systems may lack the necessary out-of-tree GnuPG patches required, Debian
-    must be used.
-    c. Fetch vimacs' old public key from a traditional OpenPGP Keyserver, such
+    a. Obtain the public key from any traditional OpenPGP Keyserver, such as
-    as https://keyserver.ubuntu.com, and import the public key. The fingerprint
+    https://keyserver.ubuntu.com, and import the public key. The fingerprint
-    is 0x7079B481F04B5D8B65A0ECDEEA2DB82FE04A9403. You should see an expired
+    is 0x7079B481F04B5D8B65A0ECDEEA2DB82FE04A9403.
-    public key.
-    d. Fetch vimacs' new public key from https://keys.openpgp.org, using the same
+    b. Use the latest GnuPG in any operating system.
-    fingerprint, and import the public key. You should see that the public
-    key has been updated.
-    e. Please note that the key is still shown as "expired" because the new key
-    has no UID associated. But you should be able to see a new, valid (not
-    expired) subkey by...
-        $ gpg --list-options show-unusable-subkeys 	--list-keys 0x7079B481F04B5D8B65A0ECDEEA2DB82FE04A9403
-    f. Now, it's possible to verify the signature by following the standard
-    procedures. Ignore the "key expired" warning (because the latest UID is
-    not published, only the expired UIDs are available).
 Proof of Freshness
@@ Line 162: / Line 134: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- Travel latest: 'Unenforceable' air bridges could lead to tourism subterfuge
+ Can you crack our new word game, Mini Cogs?
- Do I need to self-quarantine for 14 days after travel - and what are the rules?
+ Ukraine: The Latest - the worlds most trusted and award-winning podcast on the war
- How do coronavirus home antibody tests work, and how do I get one?
+ An artist made an anti-racist version of the UK flag. Youll never guess what happened next
- Mexican President rebuked for comments on women staying home
+ Strictly star arrested on suspicion of rape
- How many coronavirus cases are in your area? Use our tool to find out
+ Driver who hit grandfather dragged him further into the road then fled
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- Chinas Military Provokes Its Neighbors, but the Message Is for the United States
+ Grim Evidence of Trumps Boat Strikes Washes Ashore on a Colombian Peninsula
- Huge Explosion Near Irans Chief Military Base Shakes Residents
+ Russia Threatens to Toughen Its Stance on Ending the War in Ukraine
- U.S. Postpones Balkan Peace Summit, in Blow to Trump Foreign Policy
+ With Critical Decisions Ahead, Netanyahu Faces Mounting Pressure
- Australian Politicians Home Raided in Chinese Influence Inquiry
+ For Zelensky, Just Keeping Trump Talking About Ukraine Peace Deal Counts as a Win
- Seven Colombian Soldiers Charged in Rape of Indigenous Girl
+ China Mobilizes Forces Near Taiwan for Live-Fire Drill
 $ date -R -u
-Fri, 26 Jun 2020 10:50:29 +0000
+Tue, 30 Dec 2025 03:34:58 +0000
 -----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEEJVIRsjlaWj4OSKDx+tPrBeiOjW0FAl710+0ACgkQ+tPrBeiO
+iQIzBAEBCgAdFiEEJVIRsjlaWj4OSKDx+tPrBeiOjW0FAmlTSG0ACgkQ+tPrBeiO
-jW3Xvw/+KdlTtVEaN0dn3C5n9V+DiBfV37KwrXRuIhJhRsuX2Aaq6SAsFaNWPBhh
+jW0LHg/9GQuuN7s3OrEeS4G3LrYkUKJWavzrDhBj3eHA2ugfUO6adwMYsQvwOZQD
-dE9aBWhuLNuMhKskYuSrhXcoA451BqcncELYRgU4LLkPX+Oedo6inbS3R1mHwc/y
+EpUyuKfeJymQCFs2YM5nfrzCJqeKZhb2lMU1le4+vseIjVf8oWoUXOb5bOGNepTr
-VtY4mVGtVLpO7cz23qXaUExqrX1syjl3vZQ+1zyjH/pLJn7j7lhyompRWbawHJvj
+y1mZklE9wykbDH/PDcC0v3tU+VEMvhUQCDV7uX8hAqTUBHY91q+PSUUbTYDZu8og
-Ha+SaFl1Vvfs0Y8g/ukhqGCm6/NmBxTxHHa6HdfuU5ZNfnLQAHBkGuW/pdqGHA
+Xxtc8yY8nGd0wY5MV7TS6hdZ73lWSBgHFLRRXa9vqsA65ERA4wPeykdPDb8Ekok9
-kI4sPHKz4KTsrvEKbhYLGU7gmhKwKqJXEFstfw4MKD5nJ008Gr+4mxo9C8Z5LJ4i
+Z8hwfdmMHORNU71nEcTxAnf3TPGTLE5hPFHrBoYiBagtPPBRoZbos+gnRbb6hpDH
-VNgMFkyN3bi7MNnifdURUYepSZTDIA8EOhznfMrCf5xHKcCenAjasmlOwVU4V5KH
+GtJ57RWFmvl9Jwd007XcBa/KNir5/mxEPivrPWFpYgzbH0cqRa36/BTAjau9elfo
-vPnA05ezRcd1yQoYmyBKV58ihoKVsnkbx5KpSLJ65WZZaRnjdMHSzm7EvS3sVRqe
+Ojer4tZfD4KDBlR5DnjAGYnrCTTFVpfS3gVeNBZKhpbYWcbnIB4hukS2GOnWe6z/
-RKhsXOHoVyVJer6op73L5LjqziaMDRuVQNZeqoeX/AOVOozu+S5t/MdBGkY0jeZg
+BqsVbXUbPR2zdFFzVXtQXuYtn5Si8BtRRip+Vu8Y5qJoKQnvnAnJQrPRiSy81vnr
-pcx66e7DhArUAmNQun8beEZT+rz6X01hnHYdKiySX3AzfNLM2DRniAD7ZLZllN6
+b6LzJq7t3RfC0J3E6PqjR4TgPr/4cYFLsF5hacrdiiA3sYQ1/sGeifEF5nJPgwfZ
-doPvhM1HjiF2p1qEhsBFB4EXTGjwB3bXU057gFFIzNe2KLc8AJCTrGIeedWNZnGu
+j+owZAan1h8axRJNM0utXyZ7U71YvvP2BgFTLjo/JD/AhtzdlSriRSXVJvRj4qEl
-+baMpYWKTnFM2DtUv+b5R9bM4ZM731dljOkx+SzuQ3MzGzz+EPQ=
+RXcZHAHxTnemws/qKUkWy6ciYg1rSqBE0Aimj6Wuza4XEOnnS+0=
-=q8k+
+=d7J5
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools