Differences

This shows you the differences between two versions of the page.

--- blug-canary-2 [2021/11/24 12:14]
BLUG Admin
+++ blug-canary-2 [2024/03/31 15:06] (current)
persmule
@@ Line 6: / Line 6: @@
 ====================================
-Issued for November 2021.
+Issued for March 2024.
 Don't just trust the contents of this file blindly! Verify the
@@ Line 61: / Line 61: @@
 . We plan to publish the next of these canary statements in the first three
-weeks of December 2021. Special note should be taken if no new canary is published
+weeks of April 2024. Special note should be taken if no new canary is published
 by that time or if the list of statements changes without plausible explanation.
@@ Line 71: / Line 71: @@
 ~~~~~~~~~~~~~~~~~~~~~~~~
-None.
+. We've found a workaround for importing keys on https://keys.openpgp.org
+without User-ID. The instructions for verifying persmule's signatures have
+been added.
 Canary Verification Procedures
@@ Line 86: / Line 88: @@
 . To verify persmule's signature...
-    a. Unfortunately, it's not possible yet. Recent attacks on OpenPGP key-
+    a. Due to the previous attacks on OpenPGP keyservers, persmule has published
-    servers have raised great security concerns within the community, as a
+    the OpenPGP public key to https://keys.openpgp.org without a User-ID. Using
-    countermeasure, persmule's new public key has been published to the
+    the standard method, it's impossible to import a OpenPGP public key without
-    https://keys.openpgp.org/ keyserver, but without a User-ID. Currently,
+    User-ID. But since April 2013, we have developed a workaround, described
-    it's impossible to import a OpenPGP public key without User-ID for a
+    below.
-rd-party to verify the canary document signed by persmule.
-    b. We are looking for a solution. But for now, you should check the
+    b. Obtain the dummy public key from any traditional OpenPGP Keyserver,
-    canary documents signed by biergaizi and vimacs to decide the validity
+    such as https://keyserver.ubuntu.com, and import the public key. The
-    of the canary documents. This effectively reduced the number of signers
+    fingerprint is 0xEDFFE248ECFACDE3C805906804A40D21DBB89B60. Note that, to
-    to two people. It reduces the level of confidence, but currently there is
+    import this key, one must copy and paste the key in ASCII from the Keyserver
-    no alternative option yet.
+    website to a file or console and use the command "gpg --import". Due to a
+    technical problem, Using "gpg --recv-key" or "gpg --search-keys" does not
+    work.
-    c. Once the technical problem of using a public key without User-ID is
+    c. This is a special dummy public key with its User-IDs and subkeys stripped
-    resolved, you can check the previous signatures retroactively, and this
+    that we specifically created, leaving only a "stub" User-ID (with an invalid
-    would effectively restore the level of confidence. You can archive the
+    E-mail address, "glahamm <yiam5Od@gliwrad.invalid>"). Its sole purpose is
-    documents to your own machine as soon as it's published to ensure no data
+    allowing the subsequent import of additional subkeys.
-    tampering has occurred.
+    d. Next, with the stub key already imported, obtain the public key from
+    https://keys.openpgp.org using the same fingerprint, and import this key.
+    Because the dummy key with its stub User-ID is already in presence, it's
+    now possible to import the https://keys.openpgp.org public key directly.
+    e. Use the latest GnuPG in most operating system, the signatures made by
+    persmule's key can now be verified as usual. Debian is known to work, most
+    other systems should work just fine, but not Fedora. The subkeys contains
+    signatures made with Brainpool curves, which are disabled on Fedora due to
+    potential patent-licensing problems, causing a "Unknown elliptic curve"
+    error.
 . To verify vimacs' signature...
@@ Line 117: / Line 131: @@
 $ rsstail -1 -n5 -N -u https://www.telegraph.co.uk/news/rss.xml
- Sir Paul McCartney on his Marmite, hummus and honey mustard sandwich: Trust me, they come together
+ Tuesday evening news briefing: Biden vows to move heaven and earth to rebuild Baltimore bridge
- Wednesday evening UK news briefing: Boris Johnson's 'regret' at Owen Paterson scandal
+ Monday evening news briefing: UK unveils sanctions after MPs targeted by China
- Nine Insulate Britain protesters jailed for blocking roads in legal first
+ Thursday evening news briefing: Waspi scandal compensation branded a betrayal
- Children who have had Covid should wait three months to get vaccine
+ Wednesday evening news briefing: Leo Varadkar resigns as Irish prime minister
- The man with the golden cufflinks ... but can you crack code on Ian Flemings jewellery?
+ Tuesday evening news briefing: HMRC to close phone lines for six months every year
 $ rsstail -1 -n5 -N -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
- Risk for Leader of Belarus: Migrants He Lured May Want to Stay
+ Middle East Crisis: Hezbollah and Israel Trade Fire Across Lebanon Border
- Intractable African Crises Flare as Bidens Top Diplomat Visits Kenya
+ Kremlin Treads Carefully After Moscow Attack Over Fears of Ethnic Strife
- Vaccinated vs. Unvaccinated: Europes Covid Culture War
+ Thailand Lawmakers Pass Bill to Legalize Same-Sex Marriage
- Mass Detentions of Civilians Fan Climate of Fear in Ethiopia
+ Happy-Go-Lucky Australia Is Feeling Neither Happy, Nor Lucky
- Womens Tennis Challenges Chinas Narrative Over Missing Player
+ Inside the Garrick, the Men-Only London Club Rocked by Criticism
 $ date -R -u
-Thu, 18 Nov 2021 02:20:58 +0000
+Wed, 27 Mar 2024 13:10:15 +0000
 -----BEGIN PGP SIGNATURE-----
-iQEzBAEBCgAdFiEE+SOCpROWPk6Sp6Iw8P4UaDjldeAFAmGVuK4ACgkQ8P4UaDjl
+iQIzBAEBCgAdFiEEDfvrUpjKhXrxhHZrG+3+G67tLh4FAmYEGr4ACgkQG+3+G67t
-deA3YAf/eNsVc1fXreqklrwB4YXx2/MvuUJ8gl/Ar+WzNIrjTZ2l/iyVX9a2FIGS
+Lh6LzQ/9FJvRBpndCMu4hNzwO24k62YqAexHgaHi/y0LBbqGXfhtFEIF8QAZhK2q
-AyByfI/Ym5DbxKReDwDtMK4MAfBFORtR/9C7OwO3gdco8rkAfRVbpGPoc8utBSbv
+COW5UPMsmq3ZPGgZ4BlvOvV7OAl2V6TaW5N38NkV7Ao9jq2o35E/hPHivzKqPbyk
-UEHfMyyuJzTnOpnIkeG8W8gOmdefueg/Lb+4g6Fz8cr1t51CobYJpyjHf4p7BH6b
+APN6OJsCTaXB89XNoU+doT3P6aBNR85Dab+7asm1sJiJaKv+MB9wcfd2a9fkvvbx
-HuKGrzI5HjEufY4opZlRpnkBCVh8SbOB91ayermbl2tTBFs7cyutNeV2iINJx8pp
+Cdwd/eOQPkm6fp3Udh1Qkxw4YWD7GJLfMYa+Sq4BAw+d74uJhf7EYyhyrQgmxX9R
-hrHRkb+ZFC/hNnVtr12K3Tky4rVFdRhYzev5+1EqYKGlBiiJCQjZKEvdan6TDr8
+JjW0vyriI8d0huqT3i46boU8qWmieIASTYllX5zjBLqHOt+rhVwxVvopylq3Ug5d
-Kr3+8hLPJ8NCESM/YLW4LKP1oqg9uw==
+AgXxMrXnPiM0WnjW7iyNxrXikg90Y9OMgtbmJ/9LZmjPGhCroDnCq3ODoF57VFEj
-=bMON
+eauTIY+AZB5evlcnHdA2KS6Vcbb6tnTyzdELUTmt8cGvHdm62s30lPBqrw6ck4FB
+pdrmWjIFbQnxOliq+ZqbWRdYBbKrDkoPi+9Ogd9978bluNaRlrjqJ23IN0X8vFog
+j707xVZXGrpliu7/vJHwifRYPJm5N36Gx15Q+GjomgWR7KZjWtdHsvohzll+6z6m
++Ty18wdh1fDwIz5/gIZoKlCUzZvcoV/mt65R4ZdZfevRTGAUc9kHmsGFgMLQtgHZ
+QoHH+ccE8yqtxN82qFku1Mhw2NlEzCKqSPb9aS1kDfk2Uxpt634=
+=RoJ+
 -----END PGP SIGNATURE-----
 </code>

BLUG Wiki

User Tools

Site Tools

Differences

Page Tools