I have changed my signature key, the new ID is 7194FF94!
A backdoor in Irssi reminded me of the need for signed files. Apparently somebody succeeded in replacing the source tarballs on the main site with a tarball that contained a backdoor. For more information have a look at the advisory page.
This could easily have been prevented if the tarballs had been signed. Well, it's too late now, but we can learn from it, and so all downloads from Penguin-Breeder.Org will be signed from now on.
I'll provide two different kinds of signature for each file: one is an MD5 checksum (MD5 is short for message digest number five) and the other is a digital signature.
A regular download link on Penguin-Breeder.Org looks like this:
You might have already noticed the two new fields "MD5" and "SIG". The first is a link to a file with the extension ".md5". This file contains the so-called MD5 sum of the download file. Use the md5sum utility to verify the checksum:
$ md5sum -c foo.bar.md5
foo.bar: OK
If you get any other output, the file foo.bar was either corrupted during download or maliciously altered.
The second is a so-called digital signature: I signed all files with my private GnuPG key. You can verify this signature with my public key, which is available from most public keyservers (the key ID is 7194FF94), or copy it from here:
To verify the signature you need to install GnuPG and issue the following commands:
$ gpg --import pubkey.asc
gpg: key 7194FF94: public key imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --verify foo.bar.asc
gpg: Signature made Sun 24 Jun 2007 02:34:33 PM CEST using DSA key ID 7194FF94
gpg: Good signature from "Jochen Eisinger (c0ffee) <jochen@penguin-breeder.org>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1156 D13B C46C 26C5 5C54 9AB9 B578 E004 7194 FF94
The date on which the signature was made may differ in your output.
The MD5 files are just checksums, so anybody could easily regenerate them for altered files. These files are mainly useful for me to quickly check the files on the server against my local copies.
The digital signatures should be pretty safe. If somebody manages to spoof them, he or she surely has better things to do than faking my signatures... Just make sure the key ID is 7194FF94. To help you remember this ID, it's in the bottom line of every page here.
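As an added example (not from this site), here is a small POSIX shell script that automates the two checks described above for a download named foo.bar with its foo.bar.md5 and foo.bar.asc companions. Instead of eyeballing the short key ID, it pins the full fingerprint that gpg printed above and reads it from gpg's machine-readable --status-fd output, since a 32-bit key ID is far easier to collide than a full fingerprint.

```shell
#!/bin/sh
# Added example, not Penguin-Breeder.Org's own tooling: verify a download by
# checksum and by detached GnuPG signature, pinning the full key fingerprint.

# Fingerprint gpg printed for key 7194FF94 in the post (spaces removed).
EXPECTED_FPR="1156D13BC46C26C55C549AB9B578E0047194FF94"

# Step 1: integrity only. Detects a corrupted download, but anyone who can
# replace the tarball can regenerate the .md5 file, so this proves nothing
# about authenticity.
check_md5() {
    file="$1"
    md5sum -c "$file.md5" >/dev/null 2>&1
}

# Read gpg --status-fd lines on stdin and print the fingerprint of the key that
# made a valid signature. gpg emits "[GNUPG:] VALIDSIG <fpr> <date> ..." only
# for a good signature, so nothing is printed for a bad or missing one.
fingerprint_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Step 2: authenticity. "Good signature" alone is not enough: the signature
# must come from the expected key, compared by full fingerprint.
check_signature() {
    file="$1"
    expected="$2"
    got=$(gpg --batch --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null \
          | fingerprint_from_status)
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Run both checks; either failure rejects the file.
verify_download() {
    file="$1"
    check_md5 "$file" || { echo "$file: checksum mismatch" >&2; return 1; }
    check_signature "$file" "$EXPECTED_FPR" \
        || { echo "$file: bad signature or unexpected key" >&2; return 1; }
    echo "$file: OK"
}
```

Usage: `verify_download foo.bar` after importing the public key as shown above.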
Because this is a signature key. DSA stands for Digital Signature Algorithm. I can sign stuff with this key and you can verify my signature; that's it. No encryption is possible.