Securely downloading Ubuntu

Neal McBurnett neal at bcn.boulder.co.us
Tue Jan 29 05:45:52 UTC 2008


[I've been sending, like the original poster, to both lists, and
different responses from different people have gone to each list.  But
we should probably choose just one of these lists to use for this
conversation....  I'd choose the -devel-discuss list since my postings
to the -devel list have to be approved by the moderator....]

On Mon, Jan 28, 2008 at 10:51:49PM -0500, Fabian Rodriguez wrote:
> Neal McBurnett wrote:
> | That ftpmaster key is already on installed systems, right?  I would
> | think we could preinstall system keyrings and give instructions that
> | would be based on that.  Do we not ship the <cdimage at ubuntu.com> key?
> GnuPG's local keyrings are created when it's first invoked, so they 
> should actually be empty. I personally overwrite the local keyrings or 
> use an external USB key on my laptop, depending on the kind of install 
> I've had in the past. Adding that key to a default install would 
> probably require setting up an additional keyring with it and changing 
> the default gpg.conf accordingly.

Just to clarify, I was not proposing that Ubuntu put any keys in a
user's gpg keyring - that would be a BAD THING.

By "system keyring" I meant that Ubuntu could use one of the existing
keyrings used by apt et al (perhaps /etc/apt/trusted.gpg?)

E.g. on my gutsy machine both keys seem to be there:

$ gpg --no-default-keyring --list-keys --keyring /etc/apt/trusted.gpg

/etc/apt/trusted.gpg
--------------------
pub   1024D/437D05B5 2004-09-12
uid                  Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
sub   2048g/79164387 2004-09-12

pub   1024D/FBB75451 2004-12-30
uid                  Ubuntu CD Image Automatic Signing Key <cdimage at ubuntu.com>

> Another problem is the download page should actually link to:
> https://help.ubuntu.com/community/VerifyIsoHowto
> 
> I checked that page and added a few links about the web of trust and the 
> warning you mention.

Good - thanks.

For folks using Ubuntu, this is much easier.  It looks like because
there is an appropriate /etc/apt/trustdb.gpg file there, this seems to
work nicely for verifying MD5SUMS, without any need to download keys
or set up trust beforehand:

$ gpg  --no-default-keyring --keyring /etc/apt/trusted.gpg --verify MD5SUMS.gpg MD5SUMS
gpg: Signature made Thu 18 Oct 2007 01:47:10 AM MDT using DSA key ID FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <cdimage at ubuntu.com>"

> Although the cdimage at ubuntu.com (0xFBB75451) key is not in the "strong 
> set" and does not show up in the Keyanalyze reports, Colin Watson's and 
> Martin Pool's (which both sign it) do.

I wonder if they should be used to sign each other and some other key
in the strong set so they would be in the strong set - that would make
establishing trust more convenient.

Neal McBurnett                 http://mcburnett.org/neal/
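
The check described in the message above, as an added example that is not part of the original post or of Ubuntu's own tooling: because /etc/apt/trusted.gpg holds both the archive key and the CD image key, a plain --verify accepts a signature from either, so this sketch also pins the signer to the cdimage key ID and then compares the ISO's MD5 with the signed MD5SUMS entry. The function names are hypothetical; the keyring path and the short key ID are the ones quoted in the message.

```shell
#!/bin/sh
# Added example. Keyring path and key ID are the ones quoted in the message;
# function names are illustrative.
KEYRING=/etc/apt/trusted.gpg
SIGNER_ID=FBB75451   # short ID of the cdimage key; a full fingerprint is a stronger pin

# Reads gpg --status-fd text on stdin. Succeeds only if it reports a good
# signature (GOODSIG) made by a key whose fingerprint ends in the given ID.
signed_by() {
    id=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v id="$id" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = toupper($3)   # fingerprint of the key that made the signature
            if (substr(fpr, length(fpr) - length(id) + 1) == id) pinned = 1
        }
        END { exit !(good && pinned) }'
}

# verify_sums MD5SUMS.gpg MD5SUMS
# Status lines go to stdout for signed_by; human-readable output is dropped.
verify_sums() {
    gpg --no-default-keyring --keyring "$KEYRING" --status-fd 1 \
        --verify "$1" "$2" 2>/dev/null | signed_by "$SIGNER_ID"
}

# iso_matches MD5SUMS image.iso
# Succeeds only if the image's MD5 equals the entry listed for its file name.
iso_matches() {
    name=$(basename "$2")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print $1; exit }' "$1")
    [ -n "$want" ] || return 1          # no entry for this file name
    have=$(md5sum < "$2" | cut -d' ' -f1)
    [ "$have" = "$want" ]
}

# verify_iso MD5SUMS.gpg MD5SUMS image.iso
verify_iso() { verify_sums "$1" "$2" && iso_matches "$2" "$3"; }

# Run as: sh script.sh MD5SUMS.gpg MD5SUMS image.iso
if [ "$#" -eq 3 ]; then
    verify_iso "$@" || { echo "verification FAILED" >&2; exit 1; }
    echo "signature and checksum OK"
fi
```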