After the release of the report yesterday concerning the trojaned openssh, I decided to verify the PGP signature on the distribution I had installed. I spent perhaps 1/2 hour or more before I managed to track down the public key of the signer so I could add it to my key-ring and verify that I'd used a non-trojaned distribution. It wasn't obvious or easy. It would be a great service to your user community if you made the signing key easy to find on your web site. A top-level link would be nice, but even a link from the download section would be good. Thank you for your consideration, and keep up the good work on openssh!
The key is in the file DJM-GPG-KEY.asc in the distribution directory (has been for years). It has also been on the keyservers for a long time. The key could do with some signatures on it.
The key is in file DJM-GPG-KEY.asc but this doesn't address the poster's question. A link is really needed to this file on the home page or the download page. I too spent more than an hour trying to find the public key. The fact that the file has been there for years doesn't make it easier to find. As for the keyservers, I don't know where to find them, if I can talk to them through our organization-wide firewall, and how to ask them for a key. I suspect this is the case for most OpenSSH users, and is a reason why OpenSSH is probably most often installed without checking the signature. Again: It would be a great service to your user community if you made the signing key easy to find on your web site. A top-level link would be nice, but even a link from the download section would be good.
Key is on the FTP server and is widely distributed on the keyservers (the canonical place for keys)
Apparently there are a lot of people spending a large amount of time (or giving up on it) finding this key. (The keyservers do you no good if you don't know that you need Damien Miller's key -- a search for openssh returns Karl Friedl.) There is no valid reason to make it so hard. In fact, quite the contrary I would say. Internet security would benefit if you would make it easy (most OSS web sites provide links and instructions on signature verification). How hard can it be to add a small section to the openssh web site? Marcel
Err, that's what the keyid is for:

$ gpg openssh-3.6.1p2.tar.gz.sig
gpg: Signature made Tue Apr 29 19:40:09 2003 EST using DSA key ID 86FF9C48
gpg: Can't check signature: public key not found
$ gpg --recv-key 86FF9C48
gpg: requesting key 86FF9C48 from HKP keyserver wwwkeys.au.pgp.net
gpg: found 0 ownertrust records
gpg: migrated 0 version 2 ownertrusts
gpg: key 86FF9C48: public key imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg openssh-3.6.1p2.tar.gz.sig
gpg: Signature made Tue Apr 29 19:40:09 2003 EST using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) <djm@mindrot.org>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48
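The gpg run above ends with a WARNING because "Good signature" only means the signature verifies against some imported key; the defensive step is to pin the signer's fingerprint and compare it machine-readably. The script below is an added example, not part of this bug thread or the OpenSSH project: it reads "gpg --status-fd 1" output and accepts only a VALIDSIG line carrying the fingerprint printed above; the sample status lines, the timestamps and the key in SAMPLE_OTHER are constructed for illustration.

```shell
#!/bin/sh
# Signer fingerprint to pin: the one printed in the gpg run above.
# Spaces are ignored when comparing.
EXPECTED_FPR="3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48"

# normalise_fpr: strip spaces and upper-case hex so fingerprints compare equal.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# check_status: read "gpg --status-fd 1" output on stdin; succeed only if a
# VALIDSIG line carries the pinned fingerprint. The human-readable "Good
# signature" text alone is not enough, since gpg prints it for any key that
# happens to have been imported (hence the WARNING in the run above).
check_status() {
    expected=$(normalise_fpr "$1")
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                fpr=${line#"[GNUPG:] VALIDSIG "}   # drop the status prefix
                fpr=${fpr%% *}                      # keep the first field
                [ "$(normalise_fpr "$fpr")" = "$expected" ] && found=0
                ;;
        esac
    done
    return "$found"
}

# verify_tarball TARBALL SIGFILE: run gpg (key already fetched, e.g. with
# gpg --recv-key as in the comment above) and pin the signer's fingerprint.
verify_tarball() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed sample status output (not captured from a real gpg run):
# SAMPLE_GOOD uses the fingerprint from the thread, SAMPLE_OTHER a made-up key.
SAMPLE_GOOD='[GNUPG:] GOODSIG CE8ECB0386FF9C48 Damien Miller (Personal Key) <djm@mindrot.org>
[GNUPG:] VALIDSIG 3981992A1523ABA079DBFC66CE8ECB0386FF9C48 2003-04-29 1051609209 0 4 0 17 2 00 3981992A1523ABA079DBFC66CE8ECB0386FF9C48
[GNUPG:] TRUST_UNDEFINED'
SAMPLE_OTHER='[GNUPG:] GOODSIG 0123456789ABCDEF Other Key <other@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2003-04-29 1051609209 0 4 0 17 2 00'

# Demonstration on the constructed sample: prints "pinned fingerprint matched".
printf '%s\n' "$SAMPLE_GOOD" | check_status "$EXPECTED_FPR" && echo "pinned fingerprint matched"
```

For a real download, call verify_tarball openssh-3.6.1p2.tar.gz openssh-3.6.1p2.tar.gz.sig after importing the key; a non-zero exit means either the signature failed or a different key made it.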
Good point, but notwithstanding that, things can be made a lot easier for the masses without a lot of effort.
After I posted my original bug report, I received email from people all over the world, saying "please send me the signing key." Putting a reference to the key on your web site increases the odds that people will actually check the signature. It's easy to do. It costs nothing. I'm a big fan of openssh and open source in general. But lack of responsiveness on a trivial issue like this makes it more difficult to "sell" the idea of using open source products to management. That is unfortunate, and ultimately harmful to the open source movement.
Use a keyserver. As I mentioned, this is the canonical place to find keys. Please don't reopen this bug, my mind is made up.
Mass change of RESOLVED bugs to CLOSED