Re: Announce: OpenSSH 7.6 released

On 2017-10-03 at 14:50 -0600, Damien Miller wrote:
> Please note that the SHA256 signatures are base64 encoded and not
> hexadecimal (which is the default for most checksum tools). The PGP
> key used to sign the releases is available as RELEASE_KEY.asc from
> the mirror sites.

Of the two up-to-date mirrors with 7.6 I can find:
  rsync://openbsd.cs.toronto.edu/openbsd/OpenSSH/portable/
  https://fastly.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/
neither has a "RELEASE_KEY.asc" file.

There's:  DJM-GPG-KEY.asc

For the Fastly case, I've confirmed that this is not a stale cached
index issue and that putting in RELEASE_KEY.asc as a filename yields a
404.

The file "DJM-GPG-KEY.asc" contains the PGP key 0xCE8ECB0386FF9C48 which
was revoked in 2013.  The signature I do see on the release was made
with PGP key 0xD3E5F56B6D920D30, which was created the same day.

I have a trust-path to the key 0xD3E5F56B6D920D30 so I'm good, but
something seems to have gone askew here.

-Phil
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
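
The quoted note about base64-encoded SHA256 values, shown as an added example that is not part of the original thread: a checker that accepts a published digest in either base64 or hex and compares it with the locally computed one. The `SHA256 (name) = digest` line format, the file name and the sample bytes are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import re

# BSD-style checksum line, e.g. "SHA256 (file.tar.gz) = <digest>" (assumed format).
LINE_RE = re.compile(r"^\s*-?\s*SHA256 \((?P<name>[^)]+)\) = (?P<digest>\S+)\s*$")

def decode_digest(text):
    """Return the 32 raw SHA256 bytes from a hex or base64 string."""
    text = text.strip()
    # 64 hex characters are also valid base64, so test for hex first.
    if len(text) == 64:
        try:
            return bytes.fromhex(text)
        except ValueError:
            pass
    try:
        padded = text + "=" * (-len(text) % 4)  # tolerate stripped padding
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("digest is neither hex nor base64")
    if len(raw) != 32:
        raise ValueError("decoded digest is %d bytes, expected 32" % len(raw))
    return raw

def verify(checksum_line, filename, data):
    """True if data hashes to the digest published for filename."""
    m = LINE_RE.match(checksum_line)
    if not m or m.group("name") != filename:
        raise ValueError("no SHA256 line for " + filename)
    expected = decode_digest(m.group("digest"))
    actual = hashlib.sha256(data).digest()
    return hmac.compare_digest(expected, actual)

# Constructed sample input; not a real release tarball or a real published digest.
SAMPLE = b"constructed sample bytes, not a real release tarball\n"
_raw = hashlib.sha256(SAMPLE).digest()
B64_LINE = "SHA256 (sample.tar.gz) = " + base64.b64encode(_raw).decode()
HEX_LINE = "SHA256 (sample.tar.gz) = " + _raw.hex()

if __name__ == "__main__":
    print("base64 line matches:", verify(B64_LINE, "sample.tar.gz", SAMPLE))
    print("hex line matches:   ", verify(HEX_LINE, "sample.tar.gz", SAMPLE))
    print("tampered data:      ", verify(B64_LINE, "sample.tar.gz", SAMPLE + b"x"))
```

A matching checksum only shows the download agrees with the announcement text; whether the announcement and tarball come from the release signer is the PGP question raised in the message above.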


