Differences

This shows you the differences between two versions of the page.

--- blug-canary-2 [2022/02/20 04:03]
persmule
+++ blug-canary-2 [2024/02/28 12:04]
persmule
@@ Line 6: / Line 6: @@
 ====================================
-Issued for February 2022.
+Issued for February 2024.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 61: / Line 61: @@
 . We plan to publish the next of these canary statements in the first three
-weeks of March 2022. Special note should be taken if no new canary is published
+weeks of March 2024. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
@@ Line 71: / Line 71: @@
 ~~~~~~~~~~~~~~~~~~~~~~~~
-None.
+. We've found a workaround for importing keys on https://keys.openpgp.org
+without User-ID. The instructions for verifying persmule's signatures have
+been added.
 Canary Verification Procedures
@@ Line 86: / Line 88: @@
 . To verify persmule's signature...
-    a. Unfortunately, it's not possible yet. Recent attacks on OpenPGP key-
+    a. Due to the previous attacks on OpenPGP keyservers, persmule has published
-    servers have raised great security concerns within the community, as a
+    the OpenPGP public key to https://keys.openpgp.org without a User-ID. Using
-    countermeasure, persmule's new public key has been published to the
+    the standard method, it's impossible to import a OpenPGP public key without
-    https://keys.openpgp.org/ keyserver, but without a User-ID. Currently,
+    User-ID. But since April 2013, we have developed a workaround, described
-    it's impossible to import a OpenPGP public key without User-ID for a
+    below.
-rd-party to verify the canary document signed by persmule.
-    b. We are looking for a solution. But for now, you should check the
+    b. Obtain the dummy public key from any traditional OpenPGP Keyserver,
-    canary documents signed by biergaizi and vimacs to decide the validity
+    such as https://keyserver.ubuntu.com, and import the public key. The
-    of the canary documents. This effectively reduced the number of signers
+    fingerprint is 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60. Note that, to
-    to two people. It reduces the level of confidence, but currently there is
+    import this key, one must copy and paste the key in ASCII from the Keyserver
-    no alternative option yet.
+    website to a file or console and use the command "gpg --import". Due to a
+    technical problem, Using "gpg --recv-key" or "gpg --search-keys" does not
+    work.
-    c. Once the technical problem of using a public key without User-ID is
+    c. This is a special dummy public key with its User-IDs and subkeys stripped
-    resolved, you can check the previous signatures retroactively, and this
+    that we specifically created, leaving only a "stub" User-ID (with an invalid
-    would effectively restore the level of confidence. You can archive the
+    E-mail address, "glahamm <yiam5Od@gliwrad.invalid>"). Its sole purpose is
-    documents to your own machine as soon as it's published to ensure no data
+    allowing the subsequent import of additional subkeys.
-    tampering has occurred.
+    d. Next, with the stub key already imported, obtain the public key from
+    https://keys.openpgp.org using the same fingerprint, and import this key.
+    Because the dummy key with its stub User-ID is already in presence, it's
+    now possible to import the https://keys.openpgp.org public key directly.
+    e. Use the latest GnuPG in most operating system, the signatures made by
+    persmule's key can now be verified as usual. Debian is known to work, most
+    other systems should work just fine, but not Fedora. The subkeys contains
+    signatures made with Brainpool curves, which are disabled on Fedora due to
+    potential patent-licensing problems, causing a "Unknown elliptic curve"
+    error.
 . To verify vimacs' signature...
@@ Line 117: / Line 131: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- Were taking action to keep Britain safe from Russias malicious activities
+ Post Office scandal: I was victim of smear campaign, Henry Staunton tells MPs
- As Ukraine tensions rise, UK organisations should protect themselves from cyber threats
+ Tuesday evening news briefing: Prince William pulls out of godfathers memorial service
- No10 'culture clash' over DIY abortion pills
+ Three men charged with Right-wing terrorism planned to attack Islamic centre
- Diabetic patient found dead on hospital roof after medics ejected him while he was in shock
+ Taylor Swifts father accused of punching Sydney photographer
- Pictured: Remarkable image shows the 'vast' interior of an ordinary cello
+ Transgender cat killer to be jailed in mens prison for murdering stranger
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- In Ukraine Crisis, the Looming Threat of a New Cold War
+ Middle East Crisis: Hamas Is Open to a Deal but Ready to Keep Fighting, Leader Says
- Highgate Cemetery: A City of the Dead That Inspires the Living
+ Back From War, Reserve Soldiers Set Their Sights on Israels Politics as Usual
- Putins Baseless Claims of Genocide Hint at More Than War
+ Navalnys Funeral to Be Held on Friday, Spokeswoman Says
- Ex-Modeling Agent and Epstein Associate Found Dead in a Paris Jail
+ E.U. Border Agency Is Too Weak to Prevent Migrant Boat Disasters, Watchdog Finds
- Lukashenko Once Kept Russia at a Distance. Now He Is a Docile Putin Satrap.
+ Bosnia Was Once Emptied by War and Now Faces Peacetime Emigration
 $ date -R -u
-Sun, 20 Feb 2022 03:59:00 +0000
+Wed, 28 Feb 2024 12:03:19 +0000
 -----BEGIN PGP SIGNATURE-----
-iQEzBAEBCgAdFiEE+SOCpROWPk6Sp6Iw8P4UaDjldeAFAmIRvK8ACgkQ8P4UaDjl
+iQIzBAEBCgAdFiEEDfvrUpjKhXrxhHZrG+3+G67tLh4FAmXfIQ4ACgkQG+3+G67t
-deBHowf/YE8CefAoD8KJYuF+NQUXJv1MaR/ivCqpiYehB0uK4iFvxcSot7R+18nP
+Lh4vvBAAuLqV9maB6lNGo7/1M1GmEr7KGy4XZ2fDDNKd6flwB3tStGI3UKGfsCYy
-uCpUOSz9cRxe7jWhavmQSquRwZvdFNL23STR9q0KhQ+4FsE41DJP3fOz25v04PnG
+S787YV5w1LQ/5SV4qlZT18j3RhyA5OH2zCQZMLN1oyN93+CgmzleQ+ZSxF2Y8dgE
-mP0BW4N/CKo5LUrb7U6AZ/27nxPFalrDi2i/9jirgpKz2dGVJTVe0ZaxAeIOd7/E
+ha5IdKB+fCn+MeYNriO/chzQ8ZgSTEB3+RWxaNOmRCv4bHb2oyLpgKBVZc8sOcU1
-YNeZvUIRvlLQEeQGY33EK3+9Ivic3gPh5KbciKPFFRUwjkwB2aFkIBMkTcWtL4mU
+hrj+Yq/VzUFq0L7nTA1UF7LFw1YdDqJAryYR9K1u8+VBOndzcbChu2DGAFV1Sf3O
-yKYurvDNpyHqzCgl/mWIPEc0No9iiwJRg/RBl5wFIh7/wtdXvSEVib0Gofu5dNEw
+sONviemea1vOGHxr/jlHghdXyIOYwWbFrXb8vKRMl/f5YUBOTPk/HgpKXyyThamx
-PcIuIxdn0iq+aizXgJ8ZKWqQmbRDOg==
+GGZm6WFKdMIk/o1sd369OBkdEISwCx/v2UXluebuKnXxJJArYT3Z1anlWdps30wA
-=F6FB
+avHe/1sOrj1QpVZw6Lvi0tXSOaQ+q+EkI9U9oX9a070z5DsuQj2+3ImG1y27wQEZ
+ZK5Yo48fzgLLEcxg387krqWwUfgy/iSuu2shNUPEl6Q8UNKMEbVws2zpT6MOuJX6
+VYJhcTpPckrVmWjJS7ZIGc7anLrxbhcxcec0WGKUE9fZ6qV3G/AJIkvy/RB2v38W
+fu/gFOlpXiW0Ne8Pr9vG2/fgLPNI7p417PdGTkIYOAJMypNQuBHjbDYBHjTVxZR8
+om2MJ8+DQ9Q9Gx5u7EPsRAm3OI2eziR5tzMiMxlQl9pJMs5CgA0=
+=kqLL
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools