samboy/MaraDNS
1
3
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
MaraDNS/maradns.gpg.key.HOWTO
Sam Trenholme bf65017174 maradns.GPG.key: Add link to 2015 version of article 
The 2015 version shows the keys haven’t changed since 2015, over seven years
ago as I type this.
2022-10-02 21:37:56 -07:00

66 lines
2.1 KiB
Text
Raw Permalink Blame History

I will detail how MaraDNS users can trust the GPG key MaraDNS has, and
use this GPG key to verify a given release of MaraDNS.
There has been, ever since the 1.0 release of MaraDNS in 2002, two
different GPG keys used:
* A 1024-bit DSA key used from 2001 until 2012
* A 2048-bit RSA key in use since 2012
The 2012 key has been signed with the 2001 key. The 2001 key can be
trusted because it has been in use for a long time. Not only is it
still included in every single MaraDNS release, it has been included in
releases since 2001. Its pretty easy to verify that, say, a 2002
release of MaraDNS was using the same 1024-bit key new releases are
included with:
https://web.archive.org/web/20020803040619/http://www.maradns.org/download.html
http://sourceforge.net/projects/maradns/files/MaraDNS/1.0.00/
The DSA key has a key ID of 1E61FCA6 and the following fingerprint:
D167 252A 18BC D011 7CB4 6CA8 0BE8 D6AE 1E61 FCA6
Note that this fingerprint can be verified by looking at multiple
mailing list postings over the years, e.g.:
https://marc.info/?l=maradns-list&m=101195132232108&w=2
Both MaraDNS GPG keys are also available on the MIT GPG key server:
http://pgp.mit.edu/pks/lookup?search=MaraDNS&op=index
The 2048-bit RSA key has a key ID of 6D150805 and the following
fingerprint:
A96E 30DD A360 FC63 42B2 D9AB 5FF4 96D1 6D15 0805
This key can be verified because it is signed by the older DSA key:
gpg --list-sigs 6D150805
Both keys can also be verified because they were the same keys in
2015:
https://web.archive.org/web/20150922220611/https://samiam.org/blog/2015-05-27.html
==Using GnuPG==
One issue is that GPG is not the easiest program to use. To add the
MaraDNS keys to ones GPG keyring, enter the MaraDNS top-level
directory and then:
cat maradns.gpg.key.old | gpg --import
cat maradns.gpg.key | gpg --import
To verify a signed file, do something like:
gpg --verify maradns-2.0.11.tar.bz2.asc maradns-2.0.11.tar.bz2
Verifying a key fingerprint:
gpg --fingerprint {ID}
Where {ID} is the ID of the key we wish to view the fingerprint of.
Reference in a new issue View git blame Copy permalink