On 23/04/2020 22:30, Simon Deziel wrote: > On 2020-04-23 3:55 p.m., David Sommerseth wrote: >> On 23/04/2020 19:55, Simon Deziel wrote: >>> On 2020-04-21 1:41 p.m., David Sommerseth wrote: >>>> On 21/04/2020 18:32, Simon Deziel wrote: >>>>> Hello, >>>>> >>>>> I cannot validate the Windows exe files [1] and [2] using the key >>>>> advertised in [3]. >>>>> >>>>> $ gpg --verify openvpn-install-2.4.9-I601-Win7.exe.asc >>>>> gpg: assuming signed data in 'openvpn-install-2.4.9-I601-Win7.exe' >>>>> gpg: Signature made Fri 17 Apr 2020 07:25:11 AM EDT >>>>> gpg: using RSA key 333D46306CF9D9F1F630DB8D96AEC408005D6BB4 >>>>> gpg: Can't check signature: No public key >>>>> >>>>> $ gpg --verify openvpn-install-2.4.9-I601-Win10.exe.asc >>>>> gpg: assuming signed data in 'openvpn-install-2.4.9-I601-Win10.exe' >>>>> gpg: Signature made Fri 17 Apr 2020 07:25:00 AM EDT >>>>> gpg: using RSA key 333D46306CF9D9F1F630DB8D96AEC408005D6BB4 >>>>> gpg: Can't check signature: No public key >>>>> >>>>> >>>>> $ gpg --list-keys F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7 >>>>> pub rsa4096/0x12F5F7B42F2B01E7 2017-02-09 [SC] [expires: 2027-02-07] >>>>> Key fingerprint = F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7 >>>>> uid [ unknown] OpenVPN - Security Mailing List >>>>> <secur...@openvpn.net> >>>>> >>>>> >>>>> Did I download the right files? >>>>> >>>>> $ sha256sum openvpn-install-2.4.9-I601-Win* >>>>> 4f95a674c3ffafd85062df995a182cfb57ca56d96084472a48a65c546c815f0c >>>>> openvpn-install-2.4.9-I601-Win10.exe >>>>> 340a6b917c5358a18e4ed283669e8d59073720184dba2d1f2965512c9cac18ad >>>>> openvpn-install-2.4.9-I601-Win10.exe.asc >>>>> 495754e6f3e40a056b947d496729f3ba78aaf0458d80ff08991c27bddf386139 >>>>> openvpn-install-2.4.9-I601-Win7.exe >>>>> b15e4b34756446589cc609d5d08fe5daba98c34463135b7abfab1538722c4c4e >>>>> openvpn-install-2.4.9-I601-Win7.exe.asc >>>> >>>> >>>> Try refreshing the PGP keys. We pushed out new keys in early March, but >>>> seems >>>> the web page was not updated. >>>> >>>> $ gpg --refresh-keys F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7 >>>> >>>> This should do the proper key update and the verification should work just >>>> fine. We always publish the security public key to key servers whenever >>>> they >>>> are updated. >>> >>> I tried all the above and even did so in a fresh container. The subkey >>> 333D46306CF9D9F1F630DB8D96AEC408005D6BB4 simply not there: >>> >> >> This is really weird. From my own test: >> >> [user@host ~]$ gpg --list-keys | wc -l >> 0 >> [user@host ~]$ gpg --recv-key F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7 >> >> >> gpg: requesting key 2F2B01E7 from hkp server keys.gnupg.net > > Indeed, pulling from that key server picked the 'new' subkey. > >> gpg: key 2F2B01E7: public key "OpenVPN - Security Mailing List >> <secur...@openvpn.net>" imported >> gpg: no ultimately trusted keys found >> gpg: Total number processed: 1 >> gpg: imported: 1 (RSA: 1) >> [user@host ~]$ gpg --edit F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7 >> gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc. >> This is free software: you are free to change and redistribute it. >> There is NO WARRANTY, to the extent permitted by law. >> >> >> pub 4096R/2F2B01E7 created: 2017-02-09 expires: 2027-02-07 usage: SC >> trust: unknown validity: unknown >> The following key was revoked on 2019-02-04 by RSA key 2F2B01E7 OpenVPN - >> Security Mailing List <secur...@openvpn.net> >> sub 4096R/F6D9F8D7 created: 2017-02-09 revoked: 2019-02-04 usage: E >> The following key was revoked on 2019-02-04 by RSA key 2F2B01E7 OpenVPN - >> Security Mailing List <secur...@openvpn.net> >> sub 4096R/8CC2B034 created: 2017-02-09 revoked: 2019-02-04 usage: S >> sub 4096R/AF131CAE created: 2018-03-07 expired: 2019-03-07 usage: S >> sub 4096R/907F94CF created: 2018-03-07 expired: 2019-03-07 usage: E >> sub 4096R/5ACFEAC6 created: 2019-02-04 expired: 2020-03-09 usage: S >> sub 4096R/3FEA78DB created: 2019-02-04 expired: 2020-03-09 usage: E >> sub 4096R/005D6BB4 created: 2020-02-21 expires: 2021-03-05 usage: S >> <<<<< The key which is used >> sub 4096R/5EABA192 created: 2020-02-21 expires: 2021-03-05 usage: E >> [ unknown] (1). OpenVPN - Security Mailing List <secur...@openvpn.net> >> >> >> Which key server do you try to fetch from? Might be we need to do >> some additional pushes to some servers. > > Stock default Ubuntu pulls from hkps://keys.openpgp.org which doesn't > have the new subkey.
Alright, I just re-pushed to that server again explicitly. And now it seems it
worked better.
$ gpg --keyserver hkps://keys.openpgp.org --recv-key
F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
gpg: requesting key 2F2B01E7 from hkps server keys.openpgp.org
gpg: key 2F2B01E7: public key "OpenVPN - Security Mailing List
<secur...@openvpn.net>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpg --edit security
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 4096R/2F2B01E7 created: 2017-02-09 expires: 2027-02-07 usage: SC
trust: unknown validity: unknown
The following key was revoked on 2019-02-04 by RSA key 2F2B01E7 OpenVPN -
Security Mailing List <secur...@openvpn.net>
sub 4096R/F6D9F8D7 created: 2017-02-09 revoked: 2019-02-04 usage: E
The following key was revoked on 2019-02-04 by RSA key 2F2B01E7 OpenVPN -
Security Mailing List <secur...@openvpn.net>
sub 4096R/8CC2B034 created: 2017-02-09 revoked: 2019-02-04 usage: S
sub 4096R/005D6BB4 created: 2020-02-21 expires: 2021-03-05 usage: S
sub 4096R/5ACFEAC6 created: 2019-02-04 expired: 2020-03-09 usage: S <<<<<
Here it is
sub 4096R/3FEA78DB created: 2019-02-04 expired: 2020-03-09 usage: E
sub 4096R/5EABA192 created: 2020-02-21 expires: 2021-03-05 usage: E
sub 4096R/907F94CF created: 2018-03-07 expired: 2019-03-07 usage: E
sub 4096R/AF131CAE created: 2018-03-07 expired: 2019-03-07 usage: S
[ unknown] (1). OpenVPN - Security Mailing List <secur...@openvpn.net>
--
kind regards,
David Sommerseth
OpenVPN Inc
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
