Project

General

Profile

Installation i9100, Replicant 4.2, Signature Warning

Added by Theseus de WWW about 5 years ago

I downloaded the files and checked the signatures for the zip and the img. Both of the commands resulted in:
gpg: Good signature from "Replicant project...

But they also were followed by
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

Does this mean that the check failed? Or is this warning regarding "Establishing a chain of trust"? Also, to obtain the key "physically," do I have to meet a developer in person?

I'm new to this, but excited about learning more. Thank you.


Replies (11)

RE: Installation i9100, Replicant 4.2, Signature Warning - Added by Olivier Mondoloni about 5 years ago

Your message means that the file integrity is good .
The chain of trust is optional as I can said .

RE: Installation i9100, Replicant 4.2, Signature Warning - Added by Paul Kocialkowski about 5 years ago

Does this mean that the check failed? Or is this warning regarding "Establishing a chain of trust"? Also, to obtain the key "physically," do I have to meet a developer in person?

The check did work, but you are indeed lacking proper verification of the key, that can only be achieved by meeting someone who ends up trusting our key (it could be me, it could be someone who has a chain of trust linking back to our key). This is a crucial part for making sure that the key actually originates from Replicant!

RE: Installation i9100, Replicant 4.2, Signature Warning - Added by Theseus de WWW about 5 years ago

I see. I like that, encouraging face-to-face communication. It's interesting how the less present people have become face-to-face, the more susceptible they have become to mass surveillance.

Would you happen to be on the US west coast?

RE: Installation i9100, Replicant 4.2, Signature Warning - Added by Paul Kocialkowski about 5 years ago

I see. I like that, encouraging face-to-face communication. It's interesting how the less present people have become face-to-face, the more susceptible they have become to mass surveillance.

Well that's true and I agree, but this is not quite related here. The reason why we need to physically meet is that this is the only way to check the keys for sure. Since they are used to secure numeric communications, we cannot use those to safely verify the keys.

Would you happen to be on the US west coast?

I'm in Europe. I'll be at FOSDEM in Brussels at the end of the month.

RE: Installation i9100, Replicant 4.2, Signature Warning - Added by Theseus de WWW about 5 years ago

Got it. Thanks.

When I make my way to Europe, sometime next year, I'll check in. In the meantime, I will be playing with an unverified phone.

RE: Installation i9100, Replicant 4.2, Signature Warning - Added by Bruno Dantas about 5 years ago

Assuming this page http://redmine.replicant.us/projects/replicant/wiki/ReplicantReleaseKey has not been altered by a hacker, the fingerprint shown there is the unique fingerprint of the Replicant project's public key. Meeting face to face would be ideal but seems like overkill if the public key's fingerprint is known from a reliable source such as this website, which is monitored by the owners of the key--who would (hopefully) notice if someone altered the shown fingerprint. If the fingerprint of the key that theseus obtained matches the shown fingerprint exactly, he could sign/verify the key himself. Here's how to check the fingerprint of the key that was obtained, and how to verify/sign it if its fingerprint is a match:

$ gpg --list-keys
$ gpg --edit-key
fpr
sign
save

ref: https://www.gnupg.org/gph/en/manual.html#AEN84

I did the above steps. Afterwards, checking the signature of the downloaded files completes successfully and without spitting out any warnings.

RE: Installation i9100, Replicant 4.2, Signature Warning - Added by Paul Kocialkowski about 5 years ago

Assuming this page http://redmine.replicant.us/projects/replicant/wiki/ReplicantReleaseKey has not been altered by a hacker

You probably meant cracked: see https://www.gnu.org/philosophy/words-to-avoid.html#Hacker

Meeting face to face would be ideal but seems like overkill if the signature's fingerprint is known from a reliable source such as this website, which is monitored by the owners of the public key who would (hopefully) notice if someone changed the shown fingerprint to that of some other key.

Looking it up on the website is not reliable. We are not expecting any attacker to modify the content on the server, but to change it on the fly for particular targets, so that peer-checking is not a solution.

If the fingerprint of the key that theseus obtained matches the shown fingerprint exactly, he could sign/verify the key himself. Here's how to check the fingerprint of the key that was obtained, and how to verify/sign it if its fingerprint is a match:

Please don't do that, it is a terrible idea. Only a face to face meeting can provide a sufficient amount of security that would make signing the key meaningful. If you do it without it, you create a phony chain of trust, which is a serious issue.

RE: Installation i9100, Replicant 4.2, Signature Warning - Added by Bruno Dantas about 5 years ago

Well, I stand corrected. I guess one could check the fingerprints and leave it at that. Some people, like me, will probably never meet a developer face to face, so I guess if we do things the proper way then no keys will ever be signed. Fair enough.

Yes, I meant cracker. Sorry. I guess most visitors to this website are hackers by the proper definition :)

RE: Installation i9100, Replicant 4.2, Signature Warning - Added by Paul Kocialkowski about 5 years ago

Some people, like me, will probably never meet a developer face to face, so I guess if we do things the proper way then no keys will ever be signed. Fair enough.

Hence the idea of chain/web of trust. You might want to read: https://www.gnupg.org/gph/en/manual/x547.html

And FYI, The Replicant key is trusted by my personal key and my personal key is trusted by RMS, who travels around the world. If there is a chance for you to meet him and verify his key, that's a way to establish the chain a trust.

RE: Installation i9100, Replicant 4.2, Signature Warning - Added by Theseus de WWW about 5 years ago

I'm learning a lot here.

I installed Replicant and am inspired.

Down the road, when I do verify with Paul, RMS or another creditable developer, I'd be happy to meet with others.

    (1-11/11)