Hi,

As some of you are aware, the *.mtree files for Owl trees distributed via the FTP mirrors were always PGP-signed for Owl releases, but only sometimes signed for Owl-current and -stable branch snapshots. The reason for this was that those snapshots were generated on a server, which was unsuitable to upload our main signing key to (placing this key at extra risk).

The obvious solution, which we've finally implemented today, was to introduce a second keypair and use this one to sign the snapshot *.mtree files. The second public key is now available on the signatures page:

http://www.openwall.com/signatures/

It is called "Openwall GNU/*/Linux online signing key", and it is signed with our main signing key.

The primary use for signatures made with the "online" key is for you to be able to verify that your Owl downloads (which are typically made from mirrors and via "insecure" protocols) haven't been tampered with as compared to the files stored on our mirrors feed. (For those familiar with Linux kernel downloads from kernel.org, our "online" key is similar to "Linux Kernel Archives Verification Key" in the way we're using it.)

The Owl-current snapshot currently on the mirrors feed (and already on some mirrors) is signed with this key.

Since the intent is to always sign Owl snapshots from now on (in fact, some of this is scripted), I've also updated the Owl upgrade instructions with info on verifying the authenticity of downloads as an "unconditional" step (previously, this was suggested as an option):

http://openwall.info/wiki/Owl/upgrade

As usual, any feedback is welcome.

Alexander

Received on Sun Jan 30 2011 - 10:50:01 PST
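The verification flow the post describes (online key certified by the main key, signed *.mtree manifest, files checked against the manifest), as an added example that is not Openwall's own script. It assumes a detached signature file named "$MTREE.sign", a placeholder main-key fingerprint, and manifest entries carrying the standard mtree sha256digest= keyword; adjust the names to what the signatures page and mirrors actually provide.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies an Owl snapshot:
# 1) the "online" key carries a certification from the main key,
# 2) the *.mtree manifest's detached PGP signature is good,
# 3) every file listed in the manifest matches its sha256 digest.
# Assumptions: keys already imported; signature file name and the
# sha256digest= keyword are placeholders for the real layout.
set -u

# $1 = online key id, $2 = main key fingerprint (placeholder value).
# Looks for a good ("!") certification whose long key id is part of $2.
key_certified_by_main() {
    gpg --batch --with-colons --check-sigs "$1" 2>/dev/null |
        awk -F: -v m="$2" '$1=="sig" && $2=="!" && index(m,$5) {f=1} END {exit !f}'
}

# $1 = mtree manifest, $2 = detached signature (e.g. "$1.sign", assumed name).
verify_mtree_signature() {
    gpg --batch --verify "$2" "$1" 2>/dev/null
}

# $1 = mtree manifest, $2 = directory the manifest describes.
# Skips blank lines, comments and /set-style commands; entries without a
# digest (directories, links) are not checked. Returns 1 on any mismatch.
check_mtree_digests() {
    status=0
    while read -r path rest; do
        case "$path" in ''|'#'*|'/'*) continue ;; esac
        want=$(printf '%s\n' "$rest" | tr ' ' '\n' | sed -n 's/^sha256digest=//p')
        [ -n "$want" ] || continue
        got=$(sha256sum "$2/$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $path" >&2
            status=1
        fi
    done < "$1"
    return $status
}

# $1 = manifest, $2 = signature, $3 = tree dir, $4 = online key id, $5 = main fpr.
verify_snapshot() {
    key_certified_by_main "$4" "$5" &&
        verify_mtree_signature "$1" "$2" &&
        check_mtree_digests "$1" "$3"
}
```

Run as `verify_snapshot current.mtree current.mtree.sign ./owl-current ONLINE_KEY_ID MAIN_KEY_FPR`; the key id and fingerprint are placeholders to be taken from the signatures page.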