ApacheCon EU 2007 Keysigning

Yep, we’re doing it again. Wednesday night May 2 at ApacheCon Europe, we’ll be having a PGP KeySigning. All Apache committers and all conference attendees are invited to participate.

Why do we have a PGP Keysigning session at ApacheCon? At the Apache Software Foundation, we sign our releases with PGP. Every release archive is accompanied by a signature file (name ends in .asc) and a hash file (name ends in .md5) that you can use to verify the integrity of the release.

Verifying the signature on the release file is the strongest integrity check you can make and the Apache HTTP Server download page has instructions on how to perform the check. Another page discusses the reasons why you would want to verify.

Verifying the MD5 hash of a release file tells you that the file did not get corrupted in transit, or while it was on the mirror network. However, MD5 offers weak protection against attacks on the distribution source itself, since an attacker who can upload a tampered release to the distribution source can simply upload a matching hash alongside it.

By verifying the PGP signature of the release, you learn two things:

  1. The file has not been tampered with since it was signed.
  2. The file was signed by the person in possession of the private key that generated the signature.

This is a big step up from verifying the hash: no secret information was involved in generating the hash, but the signature was created using a private key that is hopefully well protected and kept from public view.

Now, anyone can generate a PGP key with a particular e-mail address as user ID, whether an @apache.org address or not. To verify the integrity of a signing key, you would look at the signature(s) on that key. There are several different schemes for signatures on keys: X.509 certificates are typically signed by a Certificate Authority with a confidence-inducing name like Verisign, Entrust or GeoTrust. The PGP keys that Apache uses are signed by individual PGP users when they meet and verify that the other person is indeed the owner of that private key. The key that signed a software release from the Apache Software Foundation is typically signed by a number of Apache community members.

And this is why it is important to have KeySigning sessions, and that you attend them: a rogue attacker could conceivably set up an entire network of fake keys that would sign each other, but if you signed the key that signed that release, or someone whose key you signed did so, your confidence in the PGP signature on a particular release archive should increase dramatically. By attending a KeySigning, you become part of the Web of Trust.
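To make the web-of-trust argument concrete, here is an added example (not from the original post) that models key signatures as a directed graph and checks whether a chain of certifications from your own key reaches the key that signed a release. The key names and signature data are constructed placeholders, and the hop limit is an assumption (GnuPG applies a similar bounded certification depth).

```python
from collections import deque

# Constructed sample: signer -> keys that signer has certified after checking
# the holder's identity (as at a keysigning party). Hypothetical key names.
SIGNATURES = {
    "me": ["alice", "bob"],
    "alice": ["release-signer"],
    "bob": ["carol"],
    "carol": ["release-signer"],
    # A rogue cluster: fake keys that all sign each other, but nobody whose
    # key "me" has signed has ever certified any of them.
    "fake-1": ["fake-2", "fake-3", "fake-release-signer"],
    "fake-2": ["fake-1", "fake-3", "fake-release-signer"],
    "fake-3": ["fake-1", "fake-2", "fake-release-signer"],
    "fake-release-signer": ["fake-1", "fake-2", "fake-3"],
}


def trust_path(signatures, own_key, target_key, max_depth=5):
    """Shortest chain of certifications from own_key to target_key, or None
    if no chain of at most max_depth hops exists. Each hop means "the owner
    of the previous key signed this key". The depth bound is an assumption:
    long chains add little confidence."""
    if own_key == target_key:
        return [own_key]
    queue = deque([(own_key, [own_key])])
    seen = {own_key}
    while queue:
        key, path = queue.popleft()
        if len(path) - 1 >= max_depth:
            continue
        for signed in signatures.get(key, []):
            if signed in seen:
                continue
            new_path = path + [signed]
            if signed == target_key:
                return new_path
            seen.add(signed)
            queue.append((signed, new_path))
    return None


def release_signature_trusted(signatures, own_key, signing_key, max_depth=5):
    """True if a valid PGP signature made by signing_key should raise our
    confidence, i.e. a certification chain from our own key reaches it."""
    return trust_path(signatures, own_key, signing_key, max_depth) is not None


if __name__ == "__main__":
    print(trust_path(SIGNATURES, "me", "release-signer"))
    print(release_signature_trusted(SIGNATURES, "me", "fake-release-signer"))
```

The rogue cluster is internally consistent (every fake key vouches for every other), yet no path from "me" reaches it, so a signature from the fake release key earns no confidence.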

See you all Wednesday, next week in Amsterdam.


2 thoughts on “ApacheCon EU 2007 Keysigning”

  1. Hi,
    your Apache email bounced for asf at this domain (if you get what I mean), so I can’t send you my public key. What should I do??

  2. Niclas — what SMTP error message did you see in your bounce? I don’t own that mailserver but without detailed knowledge of how it bounced and what it thought the reason was, there is little I can do for you. If you’re at ApacheCon, I brought a USB keychain drive and will be happy to take a key from you over sneakernet.
