[uds-announce] Keysigning party UDS-Q - Keyring and printouts available
Neal McBurnett
neal at bcn.boulder.co.us
Fri May 11 00:34:54 UTC 2012
Right on, Geoffrey! I was thinking the same thing.
That sha256 of your new file checks out for me.
To check my full fingerprint, I generated it from my own keyring using my keyid (33148156) with a leading "0x":
gpg --list-key --with-fingerprint 0x33148156
and it does match.
Final point: many of us will be trying to fit in dinner before the demo. So I urge us to start right on time, and not get into a big discussion of the fine points. That can be deferred to a detailed Q&A / discussion at the end of the meeting, and/or subsequent emails.
Cheers!
Neal McBurnett http://neal.mcburnett.org/
On Thu, May 10, 2012 at 05:09:31PM -0700, Geoffrey Thomas wrote:
> On Thu, 10 May 2012, Iain Lane wrote:
>
> >>Alternatively, should we be verifying our fingerprint in the keyring
> >>right now, and can we have a reading of the SHA-1 sum of the keyring
> >>in addition to the text file?
> >
> >It's not so reliable to do this, since there are enough places in a GPG
> >keyring (and a bz2 file) that arbitrary data can be stuffed in order to
> >generate a collision if someone so desired.
> >
> >If everyone verifies their full fingerprint in the text file is correct
> >and also makes sure to verify this when signing then we only need to
> >read the checksums of the file. It also cuts down on the time that the
> >KSP takes.
>
> Good point. Since Asheesh is, as feared, generating a collision on my key
> as we speak, I'd like to ask everyone who will be at the keysigning to
> verify their fingerprints against this file and note its sha256sum
> (eec6e6470807c4a4d4065d1597f4e184982f6702e63ce387e5c920bf71db0188):
>
> https://ldpreload.com/p/ksp-quantal.txt
>
> This was generated with bunzip2 | gpg | gpg --with-fingerprint on the
> keyring Marc posted. I will read out the sha256sum of this file -- you can
> either write down the sha256sum right now on your keysigning sheet, or
> verify it against this email on your phone or somesuch. (This avoids
> needing to print out another verification sheet, since Marc's work just
> fine for identity verification.) If we all agree on the sha256sum and that
> it has correct fingerprints, you can then download the file from my web
> server at your leisure and have everyone's verified fingerprint.
>
> Thanks (and especially thanks to Marc for organizing this),
> --
> Geoffrey Thomas
> http://ldpreload.com
> geofft at ldpreload.com
>
> --
> uds-announce mailing list
> uds-announce at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/uds-announce
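The check described in the thread (agree on the sha256sum of the fingerprint list, then confirm your own full fingerprint appears in it), as an added shell example that is not part of the original emails. The function names, the sample listing and its fingerprints are constructed, and the "Key fingerprint = " line layout is assumed from `gpg --with-fingerprint` output.

```shell
#!/bin/sh
# Added example; function names and the sample list are constructed for illustration.

# Write a constructed two-key listing in the layout assumed for
# `gpg --with-fingerprint` output (fingerprints are made-up values).
make_sample_list() {
    cat > "$1" <<'EOF'
pub   4096R/AAAAAAAA 2012-01-01
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF AAAA AAAA
uid                  Constructed Example One <one@example.org>
pub   2048R/BBBBBBBB 2012-01-02
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 BBBB BBBB
uid                  Constructed Example Two <two@example.org>
EOF
}

# Strip whitespace and uppercase, so spacing and case differences do not matter.
normalize_hex() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Print every fingerprint found in the listing, normalized, one per line.
list_fingerprints() {
    sed -n 's/^.*Key fingerprint = //p' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# verify_ksp_list FILE EXPECTED_SHA256 MY_FINGERPRINT
# Returns 0 when both checks pass, 1 on a checksum mismatch,
# 2 when the fingerprint is not in the file, 3 when it is not a full
# 40-hex-digit fingerprint (a short key ID such as 8 digits is refused).
verify_ksp_list() {
    file=$1
    expected=$(normalize_hex "$2")
    mine=$(normalize_hex "$3")
    case $mine in
        *[!0-9A-F]*) return 3 ;;
    esac
    [ "${#mine}" -eq 40 ] || return 3
    actual=$(normalize_hex "$(sha256sum "$file" | cut -d' ' -f1)")
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch: file hashes to $actual" >&2
        return 1
    fi
    # -x matches the whole line, so a partial fingerprint never counts.
    list_fingerprints "$file" | grep -qxF "$mine" || return 2
    return 0
}
```

The expected checksum should be the value heard or noted at the keysigning, typed in by hand, rather than one copied from the same place the file was downloaded from.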