Differences

This shows you the differences between two versions of the page.

--- blug-canary-1 [2023/02/27 15:09]
BLUG Admin
+++ blug-canary-1 [2024/03/30 20:52] (current)
BLUG Admin
@@ Line 15: / Line 15: @@
 ====================================
-Issued for February 2023.
+Issued for March 2024.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 70: / Line 70: @@
 . We plan to publish the next of these canary statements in the first three
-weeks of March 2023. Special note should be taken if no new canary is published
+weeks of April 2024. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
@@ Line 80: / Line 80: @@
 ~~~~~~~~~~~~~~~~~~~~~~~~
-None.
+. We've found a workaround for importing keys on https://keys.openpgp.org
+without User-ID. The instructions for verifying persmule's signatures have
+been added.
 Canary Verification Procedures
@@ Line 95: / Line 97: @@
 . To verify persmule's signature...
-    a. Unfortunately, it's not possible yet. Recent attacks on OpenPGP key-
+    a. Due to the previous attacks on OpenPGP keyservers, persmule has published
-    servers have raised great security concerns within the community, as a
+    the OpenPGP public key to https://keys.openpgp.org without a User-ID. Using
-    countermeasure, persmule's new public key has been published to the
+    the standard method, it's impossible to import a OpenPGP public key without
-    https://keys.openpgp.org/ keyserver, but without a User-ID. Currently,
+    User-ID. But since April 2013, we have developed a workaround, described
-    it's impossible to import a OpenPGP public key without User-ID for a
+    below.
-rd-party to verify the canary document signed by persmule.
-    b. We are looking for a solution. But for now, you should check the
+    b. Obtain the dummy public key from any traditional OpenPGP Keyserver,
-    canary documents signed by biergaizi and vimacs to decide the validity
+    such as https://keyserver.ubuntu.com, and import the public key. The
-    of the canary documents. This effectively reduced the number of signers
+    fingerprint is 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60. Note that, to
-    to two people. It reduces the level of confidence, but currently there is
+    import this key, one must copy and paste the key in ASCII from the Keyserver
-    no alternative option yet.
+    website to a file or console and use the command "gpg --import". Due to a
+    technical problem, Using "gpg --recv-key" or "gpg --search-keys" does not
+    work.
-    c. Once the technical problem of using a public key without User-ID is
+    c. This is a special dummy public key with its User-IDs and subkeys stripped
-    resolved, you can check the previous signatures retroactively, and this
+    that we specifically created, leaving only a "stub" User-ID (with an invalid
-    would effectively restore the level of confidence. You can archive the
+    E-mail address, "glahamm <yiam5Od@gliwrad.invalid>"). Its sole purpose is
-    documents to your own machine as soon as it's published to ensure no data
+    allowing the subsequent import of additional subkeys.
-    tampering has occurred.
+    d. Next, with the stub key already imported, obtain the public key from
+    https://keys.openpgp.org using the same fingerprint, and import this key.
+    Because the dummy key with its stub User-ID is already in presence, it's
+    now possible to import the https://keys.openpgp.org public key directly.
+    e. Use the latest GnuPG in most operating system, the signatures made by
+    persmule's key can now be verified as usual. Debian is known to work, most
+    other systems should work just fine, but not Fedora. The subkeys contains
+    signatures made with Brainpool curves, which are disabled on Fedora due to
+    potential patent-licensing problems, causing a "Unknown elliptic curve"
+    error.
 . To verify vimacs' signature...
@@ Line 126: / Line 140: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- Brexit: What is the Northern Ireland Protocol?
+ Thursday evening news briefing: Michael Goves no-fault evictions ban thrown into doubt
- Matt Hancock seen wearing Newcastle United shirt he auctioned off for NHS workers
+ Wednesday evening news briefing: Landlords could be banned from raising rent under radical SNP crackdown
- Nandos cleaner demanded 20k after he saw staff member drop burger on floor then serve it to customer
+ Tuesday evening news briefing: Biden vows to move heaven and earth to rebuild Baltimore bridge
- Father-and-son owned business destroyed after crash involving two police cars
+ Monday evening news briefing: UK unveils sanctions after MPs targeted by China
- Spectacular Northern Lights seen across UK - and you can see them again tonight
+ Thursday evening news briefing: Waspi scandal compensation branded a betrayal
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- Live Updates: Russia Targets Ukraine With Overnight Drone Strikes
+ How African Immigrants Have Revived a Remote Corner of Quebec
- Russias New Offensive Sends Conscripts Into the Teeth of Ukraines Lines
+ A Stork, a Fisherman and Their Unlikely Bond Enchant Turkey
- Dying Children and Frozen Flocks in Afghanistans Bitter Winter of Crisis
+ Kings College Chapel, 438 Solar Panels and an Architectural Squabble in Cambridge
- Live Updates: Britain and E.U. Said to Agree on Northern Ireland Trade Deal
+ Troop-Starved Ukrainian Brigades Turn to Marketing to Attract Recruits
- What Is the Northern Ireland Protocol?
+ Dispute in Israel Over Drafting Ultra-Orthodox Jews Threatens Netanyahu
 $ date -R -u
-Mon, 27 Feb 2023 15:08:21 +0000
+Sat, 30 Mar 2024 20:51:12 +0000
 -----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEEJVIRsjlaWj4OSKDx+tPrBeiOjW0FAmP8x4MACgkQ+tPrBeiO
+iQIzBAEBCgAdFiEEJVIRsjlaWj4OSKDx+tPrBeiOjW0FAmYIe28ACgkQ+tPrBeiO
-jW3mhg//Xsv6z8mczjY6o5WSTMKGCtVDcOuw8MLNatjdqJ9ttSUEN1jULkc1nYpt
+jW1yghAAkUYMlYuGg3ihG1uBw417y2oNvBGvCk4HYtIElrbd2DNL/JV/+/LkQW/Z
-xCUte5FhZHl905Zt1L/2hsID2L/9QpkiS7we0SGL6fPKjJo6kOeL0xT2OvSXyu
+rKMBgGtYHk/xGj9lZEmt1te6Mj+w+dS91ykoHAlNCAQ6RdNe9AQLvQd2Up9JlSTr
-ZkMiZ+xV7e6pRu0m9yPd3zBYbKgWF1n+MiMHhcLSupr530voyV3sFUdGbyRJkKmo
+obl/GMRBmJQNjaZf+mPWVbogmGq83lcoLK806ObfHPYBqRg+nxNQ85b19YUm2o5T
-JMSLyfxMyfCDuJp3849rp6cCpMtDctom2PuPhk4cQXX620xC+1hFGssM1LJ8+ewE
+JH7EsqEUBpCdrzyv7uYWLNOru2t6IvSXNcjB1Ay5CpwO3Bchu8EIhp433Wd5x/yb
-m/M3gvJloXuoRtAUTRTGPqvJyQ6pU6NvyHI1ztF8+2Hbo7aHaxeFO4s23BMMGRb
+xTPKkdC8yuusZCR/zLIUX7cJWYH7VH+chWf1RxAlkNQ5CCd51I741wY7/rYB5ZSU
-MiT8YleiVujopVyMY8XTjPiikrqECGfTVW9tdTZ53MaQDGviv7/vlHTL9EtiSLrR
+r4wib3+hnWYIktr4GC7QSeRhxocJcMHuKHWz6SgOQWqQDf8dYRiPGr72xtiZD2w9
-Xd9o1SLFmUwt1pbtbJhHrQzFnzPGYBUwYwWLHFtq2Vj4yR1Li12e9joJqM/yIRS
+W13osDpdkZkULD3lKxp/dwpklOlciComr1xGOk0wQoC7QpRlY+2wpUyIfAKxjaM
-ss2LKvWvoR6FNxnCU1n7GG11A2xXxw5e5XITg6WI0eZlg1PCjhzbCHLLnlh2W8+z
+oWsUYeIw8nWnxXljk8jNgSJ0XOnB4Po85xtWLk3MpAViy+s/RwwVEyam0CokgVw8
-m0S9hb3K2GWamwgfmukL6DawYR/3w72+qkUOkAHrbVrCPy88jPJOSmDh+XPfZRq
+dcUjL3ZZquPGUzhDCD/s/4Hb3HCGABKhd0rpWEsTL8DOaRahwBoGU7s9g07zQZal
-tkHi1Pfyh6cT2WUMmVCGhux4h8yaulkXPXT1g8ymLaaTdNVIa1MlyBotGAqnoJR3
+J7XHj8bGfbwmvBJoFO9jUFt+o2M7g+G00GsqPhQ7eIIKzFcuqMlR41ajWYUUHmD9
-mRZ+MDJbOlWbrrRRzHtllnbOk2Ynn+lV2YEIgALvYInlvx00ocw=
+Jq6fwrZZ+zgyKnjZ75E94uQqd7e54DF8wcpYoV/W1FEBSVBJgco=
-=dMlX
+=5M8V
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools