unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#25572: Signatures on Emacs windows .zip files
From: Richard Kettlewell @ 2017-01-29 11:48 UTC
  To: 25572

Hi,

According to https://www.gnu.org/software/emacs/download.html:

    Since the 24.5 release, tarballs are signed with the GPG key from
    Nicolas Petton 7C207910, fingerprint 28D3 BED8 51FD F3AB 57FE
    F93C 2335 87A4 7C20 7910, which can be found in the GNU keyring.

However the windows .zip files on http://ftp.gnu.org/gnu/emacs are
signed with some other key:

$ gpg2 --verify emacs-25.1-2-x86_64-w64-mingw32.zip.sig
gpg: Signature made 11/29/16 19:54:09 GMT Standard Time using DSA key ID
60C3B396
gpg: Good signature from "Phillip Lord <phillip.lord@russet.org.uk>"
gpg:                 aka "Phillip Lord <p.lord@russet.org.uk>"
gpg:                 aka "Phillip Lord <p.lord@hgmp.mrc.ac.uk>"
gpg:                 aka "Phillip Lord <phillip.lord@newcastle.ac.uk>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 8352 2404 7598 ECBC 61A1  DA34 5FE9 658D 60C3 B396

ttfn/rjk


* bug#25572: Signatures on Emacs windows .zip files
From: Eli Zaretskii @ 2017-01-29 20:14 UTC
  To: Richard Kettlewell; +Cc: 25572

> From: Richard Kettlewell <rjk@terraraq.uk>
> Date: Sun, 29 Jan 2017 11:48:55 +0000
> 
> According to https://www.gnu.org/software/emacs/download.html:
> 
>     Since the 24.5 release, tarballs are signed with the GPG key from
>     Nicolas Petton 7C207910, fingerprint 28D3 BED8 51FD F3AB 57FE
>     F93C 2335 87A4 7C20 7910, which can be found in the GNU keyring.
> 
> However the windows .zip files on http://ftp.gnu.org/gnu/emacs are
> signed with some other key:
> 
> $ gpg2 --verify emacs-25.1-2-x86_64-w64-mingw32.zip.sig
> gpg: Signature made 11/29/16 19:54:09 GMT Standard Time using DSA key ID
> 60C3B396
> gpg: Good signature from "Phillip Lord <phillip.lord@russet.org.uk>"
> gpg:                 aka "Phillip Lord <p.lord@russet.org.uk>"
> gpg:                 aka "Phillip Lord <p.lord@hgmp.mrc.ac.uk>"
> gpg:                 aka "Phillip Lord <phillip.lord@newcastle.ac.uk>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 8352 2404 7598 ECBC 61A1  DA34 5FE9 658D 60C3 B396

That's because the zip files with Windows binaries were produced by
Phillip.

Why is that a bug?


* bug#25572: Signatures on Emacs windows .zip files
From: Richard Kettlewell @ 2017-01-29 20:36 UTC
  To: Eli Zaretskii; +Cc: 25572

On 2017-01-29 20:14, Eli Zaretskii wrote:
>> According to https://www.gnu.org/software/emacs/download.html:
>>
>>     Since the 24.5 release, tarballs are signed with the GPG key from
>>     Nicolas Petton 7C207910, fingerprint 28D3 BED8 51FD F3AB 57FE
>>     F93C 2335 87A4 7C20 7910, which can be found in the GNU keyring.
>>
>> However the windows .zip files on http://ftp.gnu.org/gnu/emacs are
>> signed with some other key:
>>
>> $ gpg2 --verify emacs-25.1-2-x86_64-w64-mingw32.zip.sig
>> gpg: Signature made 11/29/16 19:54:09 GMT Standard Time using DSA key ID
>> 60C3B396
>> gpg: Good signature from "Phillip Lord <phillip.lord@russet.org.uk>"
>> gpg:                 aka "Phillip Lord <p.lord@russet.org.uk>"
>> gpg:                 aka "Phillip Lord <p.lord@hgmp.mrc.ac.uk>"
>> gpg:                 aka "Phillip Lord <phillip.lord@newcastle.ac.uk>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the
>> owner.
>> Primary key fingerprint: 8352 2404 7598 ECBC 61A1  DA34 5FE9 658D 60C3 B396
> 
> That's because the zip files with Windows binaries were produced by
> Phillip.

Thankyou for replying. The point is: how do I verify that I have a
legitimate download of the GNU Emacs Windows binaries?

I have an informal trust path to
28D3BED851FDF3AB57FEF93C233587A47C207910 because https://www.gnu.org
mentions it. No such statement exists about
835224047598ECBC61A1DA345FE9658D60C3B396.

> Why is that a bug?

The web page told me to send comments to bug-gnu-emacs@gnu.org, and so
here we are.

Is there some more appropriate reporting channel?

ttfn/rjk
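
As an added example (not part of this thread or of the Emacs project), the following POSIX shell snippet shows the check Richard is asking for: instead of accepting gpg's "Good signature" line, it pins the signing key's primary fingerprint to a list obtained out of band (a published download page, not the same server the files come from). The trusted fingerprints are the two quoted in this thread; the sample status lines are constructed to resemble gpg's `--status-fd` output.

```shell
#!/bin/sh
# Added example, not from the bug thread or the Emacs project: pin the signing
# key's primary fingerprint to a list obtained out of band, instead of trusting
# gpg's "Good signature" line, which only says the signature matches *some* key.

# Fingerprints quoted in the thread: Nicolas Petton's tarball key and
# Phillip Lord's Windows-build key (spaces removed).
TRUSTED_FPRS="28D3BED851FDF3AB57FEF93C233587A47C207910
835224047598ECBC61A1DA345FE9658D60C3B396"

# verify_pinned STATUS_TEXT
# STATUS_TEXT is gpg's machine-readable output (gpg --status-fd 1 --verify).
# Succeeds only if a VALIDSIG line names a primary key listed in TRUSTED_FPRS.
verify_pinned() {
    # VALIDSIG fields: fpr date timestamp expire-ts version reserved pk-algo
    # hash-algo sig-class primary-key-fpr; the last field is the primary key,
    # so a signature made by a subkey is still attributed to the pinned key.
    primary=$(printf '%s\n' "$1" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$primary" ] || return 1
    printf '%s\n' "$TRUSTED_FPRS" | grep -qxF "$primary"
}

# gpg_verify_pinned SIGFILE DATAFILE: run gpg for real and apply the pin.
# gpg's human-readable text goes to stderr; the status lines go to stdout.
gpg_verify_pinned() {
    out=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    verify_pinned "$out"
}

# Constructed status output modelled on the signature in the report (the
# timestamp and non-fingerprint fields are made up). TRUST_UNDEFINED is what
# produces the "not certified with a trusted signature" warning quoted above.
SAMPLE_GOOD='[GNUPG:] GOODSIG 5FE9658D60C3B396 Phillip Lord <phillip.lord@russet.org.uk>
[GNUPG:] VALIDSIG 835224047598ECBC61A1DA345FE9658D60C3B396 2016-11-29 1480449249 0 4 0 17 2 00 835224047598ECBC61A1DA345FE9658D60C3B396
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a cryptographically valid signature, but from an unlisted key.
SAMPLE_UNKNOWN='[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2016-11-29 1480449249 0 4 0 17 2 00 00112233445566778899AABBCCDDEEFF00112233
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a signature that does not verify at all (no VALIDSIG line).
SAMPLE_BAD='[GNUPG:] BADSIG 5FE9658D60C3B396 Phillip Lord <phillip.lord@russet.org.uk>'

if verify_pinned "$SAMPLE_GOOD"; then echo "pinned key: accept"; fi
verify_pinned "$SAMPLE_UNKNOWN" || echo "unlisted key: reject"
verify_pinned "$SAMPLE_BAD" || echo "bad signature: reject"
```

A "Good signature" with an unlisted key is rejected exactly like a bad signature, which is the distinction gpg's warning leaves to the user.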


* bug#25572: Signatures on Emacs windows .zip files
From: Phillip Lord @ 2017-01-29 20:56 UTC
  To: Richard Kettlewell; +Cc: 25572

On Sun, January 29, 2017 11:48 am, Richard Kettlewell wrote:
> According to https://www.gnu.org/software/emacs/download.html:
>
>
> Since the 24.5 release, tarballs are signed with the GPG key from
> Nicolas Petton 7C207910, fingerprint 28D3 BED8 51FD F3AB 57FE
> F93C 2335 87A4 7C20 7910, which can be found in the GNU keyring.
>
>
> However the windows .zip files on http://ftp.gnu.org/gnu/emacs are
> signed with some other key:
>
> $ gpg2 --verify emacs-25.1-2-x86_64-w64-mingw32.zip.sig
> gpg: Signature made 11/29/16 19:54:09 GMT Standard Time using DSA key ID
> 60C3B396
> gpg: Good signature from "Phillip Lord <phillip.lord@russet.org.uk>"
> gpg:                 aka "Phillip Lord <p.lord@russet.org.uk>"
> gpg:                 aka "Phillip Lord <p.lord@hgmp.mrc.ac.uk>"
> gpg:                 aka "Phillip Lord <phillip.lord@newcastle.ac.uk>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner. Primary key fingerprint: 8352 2404 7598 ECBC 61A1  DA34 5FE9 658D
> 60C3 B396


Thanks for pointing this out. The key is mine. I didn't know about that
statement on the website, and you are correct that it is rather
asymmetric.

I need to update the key anyway, and will get the website updated after that.

Phil


* bug#25572: Signatures on Emacs windows .zip files
From: Phillip Lord @ 2017-01-29 21:14 UTC
  To: Eli Zaretskii; +Cc: Richard Kettlewell, 25572

On Sun, January 29, 2017 8:14 pm, Eli Zaretskii wrote:
>> From: Richard Kettlewell <rjk@terraraq.uk>
>> Date: Sun, 29 Jan 2017 11:48:55 +0000
>>
>>
>> $ gpg2 --verify emacs-25.1-2-x86_64-w64-mingw32.zip.sig
>> gpg: Signature made 11/29/16 19:54:09 GMT Standard Time using DSA key ID
>>  60C3B396
>> gpg: Good signature from "Phillip Lord <phillip.lord@russet.org.uk>"
>> gpg:                 aka "Phillip Lord <p.lord@russet.org.uk>"
>> gpg:                 aka "Phillip Lord <p.lord@hgmp.mrc.ac.uk>"
>> gpg:                 aka "Phillip Lord <phillip.lord@newcastle.ac.uk>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the
>> owner. Primary key fingerprint: 8352 2404 7598 ECBC 61A1  DA34 5FE9 658D
>> 60C3 B396
>>
>
> That's because the zip files with Windows binaries were produced by
> Phillip.
>
>
> Why is that a bug?
>

I think it's a flaw with the website. It needs both our keys on.


* bug#25572: Signatures on Emacs windows .zip files
From: Richard Kettlewell @ 2017-01-29 21:37 UTC
  To: Phillip Lord; +Cc: 25572

On 2017-01-29 20:56, Phillip Lord wrote:
> Thanks for pointing this out. The key is mine. I didn't know about that
> statement on the website, and you are correct that it is rather
> asymmetric.
> 
> I need to update the key anyway, and will get the website updated after that.

Thanks!

ttfn/rjk


* bug#25572: Signatures on Emacs windows .zip files
From: Glenn Morris @ 2017-01-30 22:32 UTC
  To: Phillip Lord; +Cc: Richard Kettlewell, 25572

"Phillip Lord" wrote:

> I think it's a flaw with the website. It needs both our keys on.

Is it actually useful to list gpg keys on
https://www.gnu.org/software/emacs/download.html, or is it just another
place that's likely to get out of date?

Historically, the "GNU keyring" has frequently been outdated and hard to
get updated (it should be automatic but clearly isn't), so I don't know
if linking to that is a good idea. (Personally I fail to see much value
in a keyring stored on the same ftp server as the files. If a Bad Person
can mess with the latter, why not the former?)


* bug#25572: Signatures on Emacs windows .zip files
From: Phillip Lord @ 2017-02-06 10:37 UTC
  To: Glenn Morris; +Cc: Richard Kettlewell, 25572

Glenn Morris <rgm@gnu.org> writes:

> "Phillip Lord" wrote:
>
>> I think it's a flaw with the website. It needs both our keys on.
>
> Is it actually useful to list gpg keys on
> https://www.gnu.org/software/emacs/download.html, or is it just another
> place that's likely to get out of date?
>
> Historically, the "GNU keyring" has frequently been outdated and hard to
> get updated (it should be automatic but clearly isn't), so I don't know
> if linking to that is a good idea. (Personally I fail to see much value
> in a keyring stored on the same ftp server as the files. If a Bad Person
> can mess with the latter, why not the former?)

I don't mind either way, but probably if Nicolas' is on there for the
source tarball, we should have one for the Windows downloads. You are
correct that keeping this up to date adds load.

Phil


* bug#25572: Signatures on Emacs windows .zip files
From: Nicolas Petton @ 2017-02-06 13:04 UTC
  To: Phillip Lord, Richard Kettlewell; +Cc: 25572

Phillip Lord <phillip.lord@russet.org.uk> writes:

> I need to update the key anyway, and will get the website updated
> after that.

You can send me the fingerprint of the key once you have it updated if
you want me to update that page.

Cheers,
Nico


* bug#25572: Signatures on Emacs windows .zip files
From: Nicolas Petton @ 2017-02-06 13:09 UTC
  To: Glenn Morris, Phillip Lord; +Cc: Richard Kettlewell, 25572

Glenn Morris <rgm@gnu.org> writes:

> "Phillip Lord" wrote:
>
>> I think it's a flaw with the website. It needs both our keys on.
>
> Is it actually useful to list gpg keys on
> https://www.gnu.org/software/emacs/download.html, or is it just another
> place that's likely to get out of date?

I'm trying to keep the website up-to-date :)

Several users asked for the fingerprint to be added somewhere on the
Emacs website, and I thought it was a good idea, as the GNU keyring is
not up-to-date and it looks like most users don't use it.

> Historically, the "GNU keyring" has frequently been outdated and hard to
> get updated (it should be automatic but clearly isn't)

Indeed, it was very hard for me to get my key on this keyring, it took
ages.

Cheers,
Nico


* bug#25572: Signatures on Emacs windows .zip files
From: Glenn Morris @ 2017-02-07  4:37 UTC
  To: Nicolas Petton; +Cc: Richard Kettlewell, 25572, Phillip Lord

Nicolas Petton wrote:

>> Historically, the "GNU keyring" has frequently been outdated and hard to
>> get updated (it should be automatic but clearly isn't)
>
> Indeed, it was very hard for me to get my key on this keyring, it took
> ages.

That's why I don't like seeing the GNU keyring advertised on the Emacs page. :)
It clearly doesn't work properly, so let's not draw attention to it.

I'd suggest you put the Emacs keys in a plain text file on the Emacs web
site, and have the download page link to it. That way it is easier to
update.


* bug#25572: Signatures on Emacs windows .zip files
From: Richard Kettlewell @ 2017-11-19 14:11 UTC
  To: 25572

The situation does not seem to have improved in the last ~10 months. The
Windows Emacs zipfiles are still signed with a key not mentioned
anywhere on https://www.gnu.org/software/emacs/download.html.

ttfn/rjk
