owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

Please provide your GPG public key that you signed the release tarballs with #256

Closed mig5 closed 2 years ago

mig5 commented 2 years ago

Hi @zimmerle,

I am trying to validate the tarball modsecurity-nginx-v1.0.2.tar.gz from https://github.com/SpiderLabs/ModSecurity-nginx/releases with the .asc signature provided.

The key apparently used to generate the signature is 190EFACCA1E9FA466A8ECD9CE6DFB08CE8B11277

user@example:~$ gpg --verify ModSecurity-nginx-1.0.2.tar.gz.asc ModSecurity-nginx-1.0.2.tar.gz
gpg: Signature made Mon Jun  7 21:59:15 2021 AEST
gpg:                using DSA key 190EFACCA1E9FA466A8ECD9CE6DFB08CE8B11277
gpg: Can't check signature: No public key

I tried looking for your GPG key, and ran into some problems:

1) The key at https://keys.openpgp.org/search?q=190EFACCA1E9FA466A8ECD9CE6DFB08CE8B11277 contains no user ID, so I can't import it:

user@example:~$ gpg --import 190EFACCA1E9FA466A8ECD9CE6DFB08CE8B11277 
gpg: key E6DFB08CE8B11277: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

2) Most of the other keyservers don't turn up your key or aren't online

3) I finally turned up a key at https://pgp.mit.edu/pks/lookup?op=get&search=0xE6DFB08CE8B11277 - but this key apparently is not the same as the one you used:

user@example:~$ gpg --import felipe.asc 
gpg: key E6DFB08CE8B11277: 38 signatures not checked due to missing keys
gpg: key E6DFB08CE8B11277: public key "Felipe Zimmerle da Nobrega Costa <felipe@zimmerle.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

user@example:~$ gpg --verify ModSecurity-nginx-1.0.2.tar.gz.asc ModSecurity-nginx-1.0.2.tar.gz
gpg: Signature made Mon Jun  7 21:59:15 2021 AEST
gpg:                using DSA key 190EFACCA1E9FA466A8ECD9CE6DFB08CE8B11277
gpg: BAD signature from "Felipe Zimmerle da Nobrega Costa <felipe@zimmerle.org>" [unknown]

Can you please provide the correct public key here or perhaps in the README? That would be very much appreciated.

Thanks!

mig5 commented 2 years ago

Furthermore, https://github.com/zimmerle.gpg shows 'Note: The keys with the following IDs couldn't be exported and need to be reuploaded E6DFB08CE8B11277'.

Would be great to actually be able to validate the signatures you're publishing, thanks :)

zimmerle commented 2 years ago

Hi @mig5 -- @martinhsv is the one who is publishing the releases.

@martinhsv can you have a look at this?

martinhsv commented 2 years ago

The key in question actually belongs to @zimmerle .

If that key can no longer be made available, then the only thing I can think of that I could do is to create a new .asc file for ModSecurity-nginx v1.0.2 using my own key.

mig5 commented 2 years ago

Yes please - or at least, for the next release. I don't mind, but obviously there's just no point publishing the .asc if the public key is not available to validate it.

Someone must have the key in order to upload those .asc files to the release. So any reason not to just export that public key? But yeah if it's not strictly speaking 'your' key, sounds like something weird already happening. Maybe time for a new key :)

martinhsv commented 2 years ago

I'm pretty sure that key was valid and available back in June when the release occurred. But events in the six months since then have obviously changed the situation.

New releases since Oct. 1 (including the recent releases of ModSecurity 3.0.6 and 2.9.5) use, and will use, a different key that is available.

mig5 commented 2 years ago

> New releases since Oct. 1 (including the recent releases of ModSecurity 3.0.6 and 2.9.5) use, and will use, a different key that is available.

Yeah, the main ModSecurity packages I was able to validate. But not this nginx one. But you're publishing the .asc files here, so that person must have the private key.

Is the person who made the .asc files not able to simply run gpg --export -a [key id] and paste the resulting public key here? That's really all I'm asking.. because the public keys I can find online don't let me import it, but maybe one that you export and provide here, might?

zimmerle commented 2 years ago

@mig5

you may want to try this -

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys E6DFB08CE8B11277

reference

mig5 commented 2 years ago

@zimmerle I can import that key, but it apparently is not the key that signed the package.

user@disp949:~$ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys E6DFB08CE8B11277
gpg: key E6DFB08CE8B11277: public key "Felipe Zimmerle da Nobrega Costa <felipe@zimmerle.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

user@disp949:~$ wget -O ModSecurity-nginx-1.0.2.tar.gz.asc https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v1.0.2/modsecurity-nginx-v1.0.2.tar.gz.asc
--2022-01-06 08:20:59--  https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v1.0.2/modsecurity-nginx-v1.0.2.tar.gz.asc
[...]

user@disp949:~$ wget -O ModSecurity-nginx-1.0.2.tar.gz https://github.com/SpiderLabs/ModSecurity-nginx/archive/v1.0.2.tar.gz
--2022-01-06 08:20:28--  https://github.com/SpiderLabs/ModSecurity-nginx/archive/v1.0.2.tar.gz
[...]

user@disp949:~$ gpg --verify ModSecurity-nginx-1.0.2.tar.gz.asc ModSecurity-nginx-1.0.2.tar.gz
gpg: Signature made Mon 07 Jun 2021 09:59:15 PM AEST
gpg:                using DSA key 190EFACCA1E9FA466A8ECD9CE6DFB08CE8B11277
gpg: BAD signature from "Felipe Zimmerle da Nobrega Costa <felipe@zimmerle.org>" [unknown]

The signature is bad - therefore, the released package cannot have been signed with that key.

Should we consider the tarball compromised somehow? That's what the signatures are there for..

mig5 commented 2 years ago

Not sure what I did wrong but it works now, I redownloaded the tarball.. thanks for providing the other way to get the key.

mig5 commented 2 years ago

Figured out this stupid mistake. The script I was using (based on the old Makefile made by the Phusion people at https://github.com/phusion/nginx-modsecurity-ubuntu) was downloading a tag tarball rather than the actual 'release'

https://github.com/SpiderLabs/ModSecurity-nginx/archive/v$(MODSECURITY_REF).tar.gz

should've been

https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v$(MODSECURITY_REF)/modsecurity-nginx-v$(MODSECURITY_REF).tar.gz

The tagged tarball, and the release file, have different sha256sum and indeed the tagged tarball is not signed by the key.

Sorry for the distraction.
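The thread above does three things by hand: fetch the signer's key, run `gpg --verify`, and discover that the GitHub tag archive and the release asset are different bytes, so the same .asc can only verify one of them. The script below, added here as an example and not part of the ModSecurity-nginx project or its release tooling, turns that into a check that also pins the signing key's fingerprint (the thread's `190EFACCA1E9FA466A8ECD9CE6DFB08CE8B11277`-style value) rather than accepting any key that happens to be in the keyring. It parses gpg's documented `--status-fd` output (`VALIDSIG` line) instead of grepping the localisable "Good signature" text. It assumes gpg 2.1 or later on PATH; the key, user ID, file contents and the "release" vs "tag" files are all constructed for the demo, and the fingerprint is read from the throwaway key rather than being a real project value.

```shell
#!/bin/sh
# Added example, not part of ModSecurity-nginx or its release tooling.
# Verifies a detached GPG signature the way the thread does by hand, but also
# pins the signer's fingerprint instead of trusting any key in the keyring.
# Everything below (key, user ID, file contents) is constructed for the demo.
set -eu

# verify_release ASC TARBALL EXPECTED_FPR
# Returns 0 only if gpg reports VALIDSIG and the 40-hex-char fingerprint
# EXPECTED_FPR appears on that line (gpg prints the signing key's fingerprint
# and, for subkeys, the primary key's fingerprint); returns 1 for BADSIG,
# a missing public key, or a good signature from some other key.
verify_release() {
    asc="$1"; tarball="$2"; expected_fpr="$3"
    status=$(gpg --batch --status-fd 1 --verify "$asc" "$tarball" 2>/dev/null || true)
    case "$status" in
        *"[GNUPG:] VALIDSIG "*"$expected_fpr"*) return 0 ;;
        *) return 1 ;;
    esac
}

# --- demo setup: throwaway keyring, a "release asset" and a "tag tarball" ---
if command -v gpg >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    GNUPGHOME="$demo_dir/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Constructed demo signing key; never a real project key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' default default never 2>/dev/null
    # Primary-key fingerprint: field 10 of the first "fpr" record in colon output.
    # In real use this value comes from the project's published fingerprint.
    fpr=$(gpg --batch --with-colons --fingerprint demo@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # Two files standing in for the release asset and the tag archive:
    # same name in a download script, different bytes on disk.
    printf 'constructed release asset\n' > "$demo_dir/release.tar.gz"
    printf 'constructed tag archive (different bytes)\n' > "$demo_dir/tag.tar.gz"
    gpg --batch --quiet --detach-sign --armor \
        -o "$demo_dir/release.tar.gz.asc" "$demo_dir/release.tar.gz"

    # Same .asc against both files: only the bytes that were signed verify.
    if verify_release "$demo_dir/release.tar.gz.asc" "$demo_dir/release.tar.gz" "$fpr"; then
        echo "release asset: VALIDSIG from $fpr"
    fi
    if ! verify_release "$demo_dir/release.tar.gz.asc" "$demo_dir/tag.tar.gz" "$fpr"; then
        echo "tag tarball:   BAD signature (different sha256, as in the thread)"
    fi
    command -v sha256sum >/dev/null 2>&1 && sha256sum "$demo_dir/release.tar.gz" "$demo_dir/tag.tar.gz"
    gpgconf --kill gpg-agent 2>/dev/null || true
fi
```

In a build script, `verify_release` would be called with the release-asset download (the `releases/download/...` URL from the post above, not the `archive/...` one) and a fingerprint hard-coded from the project's documentation; a BADSIG then means either the wrong artifact was fetched or the artifact was altered, and a good signature from an unexpected fingerprint is treated as a failure too.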

zimmerle commented 2 years ago

no worries. thank you for helping sort that out.