ddpbsd
commented
7 years ago The stable version is 2.8.3, so a stable link is the link to that version. It shouldn't change.
Closed hackers-terabit closed 5 years ago
ddpbsd
commented
7 years ago The stable version is 2.8.3, so a stable link is the link to that version. It shouldn't change.
hackers-terabit
commented
7 years ago I guess I failed to communicate my issue properly.
How would my automated script know the version is 2.8.3? if you're unwilling to provide a solution on your end, that's fine, I can scrape the github page or something. or maybe are you saying 2.8.3 is the final version?
hackers-terabit
commented
7 years ago Hi,
You can ignore my second request if it requires too much effort or you think it's unreasonable.
But can you please update the site or push someone on your github repo a valid working PGP key?
https://ossec.github.io/downloads.html#pgp-key
The public key there is outdated:
~ $ wget -q https://ossec.github.io/files/OSSEC-PGP-KEY.asc
~ $ gpg --import OSSEC-PGP-KEY.asc
gpg: key A3901351: public key "Daniel B. Cid <dcid@ossec.net>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
~ $ gpg --list-keys 'Daniel B. Cid'
pub 4096R/A3901351 2011-07-11 [expired: 2016-07-09]
uid [ expired] Daniel B. Cid <dcid@ossec.net>
Notice how it says 'expired: 2016-07-09' , can you update with a more current public key and sign all tarballs with it?
Additionally where do I get the .sig files?
I don't see them listed here https://ossec.github.io/downloads.html
https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz.asc and https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz.sig are both 404 , so I'm out of ideas here. the instructions specifically suggest to use a 'file.sig' , please point me into the right direction.
I hope you don't think I'm being unreasonable here, asking for proper signing/verification and instructions is not unreasonable for any project or application, especially for a security product.
If I am going to run an application as root,protecting my deployments, I would really like to make sure I am downloading an authentic signed tarball first.
I've also seen where you say
"Note that the key expiration date was changed lately. If you get an warning saying “gpg: Note: This key has expired!”, make sure to update the key and run the “import” command again (as specified above)."
running import again did not help:
$ gpg --import OSSEC-PGP-KEY.asc && gpg --import OSSEC-PGP-KEY.asc && gpg --list-keys 'Daniel B. Cid'
gpg: key A3901351: "Daniel B. Cid <dcid@ossec.net>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: key A3901351: "Daniel B. Cid <dcid@ossec.net>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
pub 4096R/A3901351 2011-07-11 [expired: 2016-07-09]
uid [ expired] Daniel B. Cid <dcid@ossec.net>
stable tarball: I think splitting downloads into 2 files that are exactly the same is kind of strange. If we update "stable" to a new version, and your automated scripts grab it, but there is an incompatibility between stable (2.x) and stable (2.x + 1) you could have issues with new agents or whatnot. However, perhaps there is a need for a "stable" git tag or something. I'll have to think about this for a bit. :-)
I think we were hoping to have 2.9 out with a new key and everything before it became a huge deal (not many people check the gpg signatures). I don't think we have access to the old private key, so there would be some oddities with a new key. Unfortunately the real world has gotten in the way of the fun stuff.
hackers-terabit
commented
7 years ago ddpbsd , thank you for the response,just saw this.
I hope 2.9 comes out soon then :)
Hi,
I wanted to automate ossec deployment, I need two things:
P.S.: Talked to atomicturtle on IRC about this and he suggested I open up a feature request like this.
Thank you in advance and great work!