On 10-Dec-2008, at 20:36, SM wrote:
At 13:51 10-12-2008, LuKreme wrote:
I read the man page, where there is no mention of how to obtain this
number. In fact, I read many posts, and many webpages and have still
not found that information. I've seen the IDs in others posts, sure,
but where do they originate?
sa-update uses GPG (GNU Privacy Guard) to verify the authenticity of
the updates. The Sought rules webpage mentions how to download the
GPG key. If you want to understand how GPG works or how to use GPG
keys, you should read the GPG documentation.
Yes, downloading the key is not the issue.
Even searching the wiki (which just links to the previously linked
http://taint.org/2007/08/15/004348a.html) is merely a "here's the
random-looking digits you pass to --gpgkey" and not a "here's what
the --gpgkey is, means, and how it's generated".
The gpgkey parameter for sa-update specifies which GPG key ID should
be trusted to sign the updates. You can use the gpg command to find
out what the key ID is. That's not a random number;
I said 'random looking'
it's a hexadecimal number which identifies the key.
And the source of that number is, evidently, a complete mystery.
That's my point. I've seen lots of instructions like this:
# wget http://somesite.tld/somepath/GPG.KEY
# sudo sa-update --import GPG.KEY
# sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld
where the '0E28B3DC' has just magically appeared as if created from
the ether.
Do you see that there is a crucial step missing there? Where did that
gpgkey value come from? If it wasn't provided in these instructions
(like say you were looking for a ruleset at foo.bar.tld/GPG.KEY but
hadn't yet discovered the page that had the magic hex code), how do
you find it? Can you generate it? Is it simply a hash of the gpg
keyfile, or something else?
It's a bit of "hey, now just fill in this number we hopefully have
given you. Don't worry about what it means, or how it works, or where
it came from. Just copy&paste and you'll be fine."
Strangely enough, that does not fill me with the highest degree of
confidence. Not much more so than --nogpg.
Because sa-update is designed to provide updates in a secure way.
If you want the simplest way, you can ignore these steps and face
the consequences when something goes wrong.
Oddly enough, I am able to encrypt emails, sign emails, verify signed
mails, login to ssh ports on remote servers and do a whole host of
secure things without ever having encountered anything like this
gpgkey. I've added the key to the keychain as a trusted key, that is
enough to make it secure. How is this 8-digit hex code making
anything any more secure?
--
I know that you believe you understand what you think I said but I
am not sure you realize that what you heard is not what I
meant.
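The question left open above, where the 8-hex-digit value handed to --gpgkey comes from, has a mechanical answer in the OpenPGP format (RFC 4880): a v4 key's fingerprint is the SHA-1 of the primary public-key packet (prefixed with 0x99 and the packet's two-byte length), the "long" key ID is the last 16 hex digits of that fingerprint and the "short" key ID seen in sa-update instructions is the last 8. It is not a hash of the downloaded key file as a whole, which is why re-exporting the same key with different user IDs or signatures still yields the same ID. The script below is an added example, written for this page; it is not code from the thread, from SpamAssassin or from GnuPG. It de-armors a PGP PUBLIC KEY BLOCK, checks the armor CRC-24, parses the first packet, derives fingerprint and key IDs, and compares them against an ID copied from a ruleset page. The key material it works on is constructed inline (an arbitrary 1024-bit odd integer standing in for an RSA modulus, not a real key) so it runs offline; the function names are the example's own.

```python
# Added example: derive the OpenPGP key ID that sa-update --gpgkey expects from
# a key file. Not code from the thread, SpamAssassin or GnuPG. The demo key
# material at the bottom is constructed (not a real RSA key).
import base64
import hashlib
import re
import struct

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 used as the ASCII-armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_checksum(packet: bytes) -> str:
    """The '=XXXX' trailer line: base64 of the 3-byte CRC-24."""
    return "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()


def armor(packet: bytes) -> str:
    """Wrap raw packet bytes in a PGP PUBLIC KEY BLOCK (no armor headers)."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, ""] + lines + [armor_checksum(packet), END]) + "\n"


def dearmor(text: str) -> bytes:
    """Decode an armored block; raise ValueError if the CRC-24 does not match."""
    m = re.search(re.escape(BEGIN) + r"\r?\n(.*?)" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("no PGP PUBLIC KEY BLOCK found")
    lines = [line.strip() for line in m.group(1).splitlines()]
    if "" in lines:  # armor headers (Version:, Comment:) end at the first blank line
        lines = lines[lines.index("") + 1:]
    data = base64.b64decode("".join(l for l in lines if l and not l.startswith("=")))
    checks = [l for l in lines if l.startswith("=")]
    if checks and armor_checksum(data) != checks[-1]:
        raise ValueError("armor CRC-24 mismatch: key file is corrupt or truncated")
    return data


def armor_is_intact(text: str) -> bool:
    """True if the block parses and its CRC-24 trailer matches the data."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def first_packet(data: bytes):
    """Return (tag, body) of the first packet; handles old and new headers (RFC 4880, 4.2)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, start = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: tag in bits 5..2, length-type in bits 1..0
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        width = (1, 2, 4)[ltype]
        length, start = int.from_bytes(data[1:1 + width], "big"), 1 + width
    return tag, data[start:start + length]


def v4_fingerprint(key_body: bytes) -> str:
    """SHA-1 over 0x99 || two-byte body length || body (RFC 4880, section 12.2)."""
    if key_body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def inspect_key_block(text: str) -> dict:
    """Fingerprint of the primary key plus the 16- and 8-digit key IDs cut from it."""
    tag, body = first_packet(dearmor(text))
    if tag != 6:  # tag 6 = Public-Key packet; a transferable key starts with it
        raise ValueError(f"first packet is tag {tag}, not a public key")
    fpr = v4_fingerprint(body)
    return {"fingerprint": fpr, "long_id": fpr[-16:], "short_id": fpr[-8:]}


def matches_documented_id(text: str, documented: str) -> bool:
    """Check a key file against the ID or fingerprint a ruleset page publishes.
    Accepts 8, 16 or 40 hex digits, optional 0x prefix, spaces, any case."""
    wanted = re.sub(r"^0X|\s", "", documented.upper())
    if len(wanted) not in (8, 16, 40) or not re.fullmatch(r"[0-9A-F]+", wanted):
        return False
    return inspect_key_block(text)["fingerprint"].endswith(wanted)


def _mpi(n: int) -> bytes:
    """Multi-precision integer: two-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Old-format tag-6 packet holding a v4 RSA (algorithm 1) public key.
    The header byte comes out as 0x99, the same byte the fingerprint hash starts with."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body


# Constructed demo key: an arbitrary 1024-bit odd integer (NOT a real RSA modulus),
# e = 65537 and an arbitrary December 2008 creation time.
SAMPLE_PACKET = build_rsa_public_key_packet((1 << 1023) | 0xC0FFEE, 65537, 1228896000)
SAMPLE_KEY_BLOCK = armor(SAMPLE_PACKET)

if __name__ == "__main__":
    info = inspect_key_block(SAMPLE_KEY_BLOCK)
    print("fingerprint :", info["fingerprint"])
    print("long key ID :", info["long_id"])
    print("short key ID:", info["short_id"], "(the 8 hex digits a --gpgkey line shows)")
    print("matches documented ID:", matches_documented_id(SAMPLE_KEY_BLOCK, "0x" + info["short_id"].lower()))
```

On a real GPG.KEY the same three values are what `gpg --with-fingerprint GPG.KEY` (or `gpg --show-keys GPG.KEY` on recent GnuPG 2.x) prints, which is the check worth doing before trusting an ID copied from a web page: run it on the file you actually downloaded and confirm the digits agree. Two caveats follow from how the ID is built. The 8-digit form is only the low 32 bits of a SHA-1 hash, so it pins down a key far less tightly than the full 40-digit fingerprint; compare the fingerprint when the ruleset publisher gives one. And the armor CRC-24 only detects accidental corruption of the file, not substitution of one key for another; that is what importing the key and the signature check in sa-update are for.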