~samiam/MaraDNS

MaraDNS/maradns.gpg.key.HOWTO -rw-r--r-- 2.1 KiB
817bef6a Sam Trenholme README.md: We only make tarballs for each release 2 months ago
                                                                                
   I will detail how MaraDNS users can trust the GPG key MaraDNS has, and 
   use this GPG key to verify a given release of MaraDNS.

   Ever since the 1.0 release of MaraDNS in 2002, two different GPG keys
   have been used:

     * A 1024-bit DSA key used from 2001 until 2012
     * A 2048-bit RSA key in use since 2012

   The 2012 key has been signed with the 2001 key. The 2001 key can be
   trusted because it has been in use for a long time. Not only is it
   still included in every single MaraDNS release, it has been included in
   releases since 2001. It's pretty easy to verify that, say, a 2002
   release of MaraDNS used the same 1024-bit key that is included with
   new releases:

   https://web.archive.org/web/20020803040619/http://www.maradns.org/download.html

   http://sourceforge.net/projects/maradns/files/MaraDNS/1.0.00/

   The DSA key has a key ID of 1E61FCA6 and the following fingerprint:

   D167 252A 18BC D011 7CB4 6CA8 0BE8 D6AE 1E61 FCA6

   Note that this fingerprint can be verified by looking at multiple
   mailing list postings over the years, e.g.:

   http://marc.info/?l=maradns-list&m=101195132232108&w=2

   http://osdir.com/ml/network.dns.maradns.general/2003-09/msg00008.html

   Both MaraDNS GPG keys are also available on the MIT GPG key server:

   http://pgp.mit.edu/pks/lookup?search=MaraDNS&op=index

   The 2048-bit RSA key has a key ID of 6D150805 and the following
   fingerprint:

   A96E 30DD A360 FC63 42B2 D9AB 5FF4 96D1 6D15 0805

   This key can be verified because it is signed by the older DSA key:

   gpg --list-sigs 6D150805

   ==Using GnuPG==

   One issue is that GPG is not the easiest program to use. To add the
   MaraDNS keys to one's GPG keyring, enter the MaraDNS top-level
   directory and then:

   cat maradns.gpg.key.old | gpg --import

   cat maradns.gpg.key | gpg --import

   To verify a signed file, do something like:

   gpg --verify maradns-2.0.11.tar.bz2.asc maradns-2.0.11.tar.bz2

   To verify a key fingerprint:

   gpg --fingerprint {ID}

   where {ID} is the ID of the key whose fingerprint we wish to view.
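
   The verification step above can be scripted so that a release is accepted
   only when the signature comes from one of the two fingerprints listed in
   this document. Comparing the full 40-digit fingerprint matters because an
   8-digit key ID can be shared by unrelated keys. This is an added example,
   not part of MaraDNS; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of MaraDNS. The two fingerprints are the ones
# stated in this HOWTO; the function names are hypothetical.
DSA_FPR="D167252A18BCD0117CB46CA80BE8D6AE1E61FCA6"   # 2001 key
RSA_FPR="A96E30DDA360FC6342B2D9AB5FF496D16D150805"   # 2012 key

# Read GnuPG status lines on stdin. Succeed, printing the signer's primary
# key fingerprint, only if a VALIDSIG line names one of the pinned keys.
trusted_signer() {
    # VALIDSIG carries the signing (sub)key fingerprint in field 3 and,
    # in current GnuPG, the primary key fingerprint as the last field (12).
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
                   f = (NF >= 12) ? $12 : $3; print f; exit }')
    case "$fpr" in
        "$DSA_FPR"|"$RSA_FPR") printf '%s\n' "$fpr" ;;
        *) return 1 ;;
    esac
}

# $1 = detached signature (.asc), $2 = release tarball.
verify_release() {
    # A bad or missing signature makes gpg exit non-zero.
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | trusted_signer
}

# With two arguments, act as a command-line check.
if [ "$#" -eq 2 ]; then
    if signer=$(verify_release "$1" "$2"); then
        echo "OK: signed by pinned MaraDNS key $signer"
    else
        echo "REJECTED: no valid signature from a pinned MaraDNS key" >&2
        exit 1
    fi
fi
```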