How do I trust the key then?

On Oct 12, 2014, at 23:05, Christian Hesse <mail@xxxxxxxx> wrote:

> Ren Siyuan <netheril96@xxxxxxxxx> on Sun, 2014/10/12 22:52:
>> I am trying to download a version of OpenSSH newer than the one
>> preinstalled with my OS. But sadly I find that I can only download it
>> through *unsecured* plain http/ftp/rsync protocol, vulnerable to attacks by
>> anyone in the network path. It is odd that *the* software about security
>> and encryption across untrusted network is distributed to everyone
>> insecurely and not encrypted. Is there any future plan to distribute
>> OpenSSH over secured channel, such as https?
>
> OpenSSH development team provides GPG signature for their source tarballs. So
> download the tarball with whatever (insecure) protocol you prefer, download
> the gpg signature file (ending .asc) and verify with gpg:
>
> % gpg --verify openssh-6.7p1.tar.gz.asc
> gpg: Signature made Mon 06 Oct 2014 05:40:59 AM CEST using RSA key ID 6D920D30
> gpg: Good signature from "Damien Miller <djm@xxxxxxxxxxx>" [unknown]
> Primary key fingerprint: 59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30
>
> HTTPS does provide secure data transfer, but does not guarantee data is what
> developers intended to provide. If you download a compromised source tarball
> via HTTPS it is still compromised.
> --
> Kind regards
> Chris
> O< ascii ribbon campaign
> stop html mail - www.asciiribbon.org
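A worked answer to the trust question, as an added example that is not from this thread: gpg's "Good signature" (note the [unknown] tag in the quoted output) only proves the signature matches some key in the local keyring, so the check that actually answers "how do I trust the key" is to pin the developer's full fingerprint, obtained out of band, and compare it with the key that made the signature. The script assumes GnuPG 2.x is installed; `verify_pinned`, `demo_setup` and the throwaway key, tarball and signature they use are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.x ("gpg") is installed.
# Trust comes from pinning the developer's fingerprint, not from "Good signature".
set -eu

# verify_pinned FILE SIGFILE EXPECTED_FPR
# Succeeds only if SIGFILE is a valid detached signature over FILE and the
# signing key's fingerprint (or that of its primary key) equals EXPECTED_FPR.
verify_pinned() {
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    # --status-fd 1 emits machine-readable lines, e.g.
    #   [GNUPG:] VALIDSIG <signing-key-fpr> <date> ... <primary-key-fpr>
    # The decision rests on VALIDSIG, not on gpg's exit status or wording.
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        awk -v want="$want" \
            '$2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
             END { exit !ok }'
}

# Demonstration fixture (constructed): throwaway keyring, fresh key, a stand-in
# "tarball" and a detached signature over it. Sets DEMO_FILE/DEMO_SIG/DEMO_FPR.
demo_setup() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    DEMO_FILE=$GNUPGHOME/openssh-demo.tar.gz
    DEMO_SIG=$DEMO_FILE.asc
    printf 'constructed tarball contents\n' > "$DEMO_FILE"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Dev <demo@example.invalid>' default default never
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user demo@example.invalid --armor --detach-sign \
        --output "$DEMO_SIG" "$DEMO_FILE"
    # The first "fpr" record in the colon listing is the primary fingerprint.
    DEMO_FPR=$(gpg --batch --with-colons --fingerprint demo@example.invalid |
               awk -F: '$1 == "fpr" { print $10; exit }')
}

demo_cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

# Stand-alone run: sh verify.sh demo
if [ "${1:-}" = demo ]; then
    demo_setup
    verify_pinned "$DEMO_FILE" "$DEMO_SIG" "$DEMO_FPR" && echo "pinned key: OK"
    printf 'x' >> "$DEMO_FILE"   # simulate a modified download
    verify_pinned "$DEMO_FILE" "$DEMO_SIG" "$DEMO_FPR" || echo "tampered file: rejected"
    demo_cleanup
fi
```

For a real download, the pinned value is the primary key fingerprint published by the project (for the tarball in the thread, the one printed in the quoted gpg output), copied from a source independent of the download channel.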
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev