:: Re: [devuan-dev] Fwd: SHA256SUMS.tx…
Author: fsmithred
Date:
To: devuan-dev
Subject: Re: [devuan-dev] Fwd: SHA256SUMS.txt.asc signed by a key not in https://devuan.org/os/team
On 2/19/25 06:09, Andy Doucette wrote:
> ---------- Forwarded message ---------
> From: Andy Doucette <andy.doucette@???>
> Date: Wed, Feb 19, 2025 at 7:07 PM
> Subject: SHA256SUMS.txt.asc signed by a key not in
> https://devuan.org/os/team
> To: <submit@???>
> Cc: <rrq@???>
>

<snip>
> I searched for "6199" on the Team Page <https://www.devuan.org/os/team> and
> it does not exist there. Ralph is there, but with a different key.
>
> Is there a supply chain attack going on, or did someone forget to update
> the Team Page?
>
> I checked, and at least 5 mirrors have the same issue.
>
> I'm a bit scared to use the image now, since it's not technically trusted.
>
> Andy
>


I'm no expert on this stuff, but I'm pretty sure it's a matter of updating
the web page. I get the same result as you do with your command, but when
I check Ralph's new key for signatures, I see that Boian is one of the
signers, and when I check his key for sigs, I see that I signed it. So the
web of trust is intact.

$ gpg --list-sigs 680B5A1F661ECDBC
pub   rsa4096 2023-06-25 [SC]
       619933B4CD8A97408A3C47E2680B5A1F661ECDBC
uid           [  undef ] Ralph Ronnquist <rrq@???>
sig 3        680B5A1F661ECDBC 2023-06-25  Ralph Ronnquist <rrq@???>
sig          7729547634107541 2023-06-25  Ralph Ronnquist (rrq 2022-09-21) <ralph.ronnquist@???>
sig          1365720913D2F22D 2023-06-25  Boian Bonev <bbonev@???>
sig 2        D28A45BF3287D649 2023-07-01  Mark Hindley <leepen@???>
sig 3        C06C125633FF7B66 2023-10-05  Thomas Dely <deltomix@???>
uid           [ unknown] [jpeg image of size 3650]
sig 3        680B5A1F661ECDBC 2023-06-25  Ralph Ronnquist <rrq@???>
sig          1365720913D2F22D 2023-06-25  Boian Bonev <bbonev@???>
sig 2        D28A45BF3287D649 2023-07-01  Mark Hindley <leepen@???>
sig 3        C06C125633FF7B66 2023-10-05  Thomas Dely <deltomix@???>
sub   rsa4096 2023-06-25 [E]
sig          680B5A1F661ECDBC 2023-06-25  Ralph Ronnquist <rrq@???>



$ gpg --list-sigs 1365720913D2F22D
pub   rsa4096 2020-06-27 [SC] [expired: 2024-07-17]
       BA60BC20F37E59444D6D25001365720913D2F22D
uid           [ expired] Boian Bonev <bbonev@???>
sig 3        1365720913D2F22D 2020-06-27  Boian Bonev <bbonev@???>
sig 3        1365720913D2F22D 2021-01-30  Boian Bonev <bbonev@???>
sig 3        1365720913D2F22D 2021-02-01  Boian Bonev <bbonev@???>
sig 3        1365720913D2F22D 2022-07-18  Boian Bonev <bbonev@???>
sig          A73823D3094C5620 2022-09-25  fsmithred (aka fsr) <fsmithred@???>


<snip>

HTH,
fsmithred
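
The signer chain described in the message above, followed programmatically. This is an added example, not part of the original message: it parses the human-readable `gpg --list-sigs` layout quoted there (an assumption; `--with-colons` is gpg's stable format for scripts), and the function names are hypothetical. Note that `--list-sigs` only lists signatures, while `gpg --check-sigs` also verifies them.

```python
import re
from collections import deque
# Output copied from the message above, trimmed to the lines the chain needs.
LISTING = """\
pub   rsa4096 2023-06-25 [SC]
       619933B4CD8A97408A3C47E2680B5A1F661ECDBC
uid           [  undef ] Ralph Ronnquist <rrq@???>
sig 3        680B5A1F661ECDBC 2023-06-25  Ralph Ronnquist <rrq@???>
sig          1365720913D2F22D 2023-06-25  Boian Bonev <bbonev@???>
sig 2        D28A45BF3287D649 2023-07-01  Mark Hindley <leepen@???>
pub   rsa4096 2020-06-27 [SC] [expired: 2024-07-17]
       BA60BC20F37E59444D6D25001365720913D2F22D
uid           [ expired] Boian Bonev <bbonev@???>
sig          A73823D3094C5620 2022-09-25  fsmithred (aka fsr) <fsmithred@???>
"""

PUB = re.compile(r"^pub\s+\S+\s+\S+\s+\[\w+\](?:\s+\[expired: (\S+)\])?")
FPR = re.compile(r"^\s+([0-9A-F]{40})$")
SIG = re.compile(r"^sig\s+(?:\d\s+)?([0-9A-F]{16})\s")

def parse(listing):
    """Return ({keyid: set of signer keyids}, {keyid: expiry date or None})."""
    signers, expiry, key, exp = {}, {}, None, None
    for line in listing.splitlines():
        if m := PUB.match(line):
            key, exp = None, m.group(1)      # fingerprint is on the next line
        elif m := FPR.match(line):
            key = m.group(1)[-16:]           # long key id = last 16 hex digits
            signers[key], expiry[key] = set(), exp
        elif (m := SIG.match(line)) and key and m.group(1) != key:
            signers[key].add(m.group(1))     # self-signatures are skipped
    return signers, expiry

def chain(signers, anchor, target):
    """Breadth-first search from target back through its signers to anchor."""
    queue, seen = deque([[target]]), {target}
    while queue:
        path = queue.popleft()
        if path[-1] == anchor:
            return path[::-1]                # anchor first, target last
        for s in signers.get(path[-1], set()) - seen:
            seen.add(s)
            queue.append(path + [s])
    return None                              # no signature path in the listing

if __name__ == "__main__":
    signers, expiry = parse(LISTING)
    for k in chain(signers, "A73823D3094C5620", "680B5A1F661ECDBC"):
        print(k, "expired " + expiry[k] if expiry.get(k) else "")
```

Run directly, it prints the path from fsmithred's key to the signing key and marks any intermediate key that the listing shows as expired.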