I have downloaded openvpn-install-2.3.16-I601-x86_64.exe from this web page:
https://openvpn.net/index.php/download/ ... loads.html
It is listed in the section of "OpenVPN 2.3.16 (old stable) -- released on 2017.05.19".
When checking the signature, it seems that the file was "Signed on 2017-05-19 11:21 with unknown certificate 0xD72AF3448CC2B034."
However, the above certificate is not listed in this web page:
https://openvpn.net/index.php/open-sour ... n/sig.html
Will you please publish information about that certificate or re-sign the file with a trusted certificate?
Thanks,
Eyal
wrong or missing GPG certificate
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu May 25, 2017 10:21 am
- samuli
- OpenVPN Inc.
- Posts: 49
- Joined: Fri Aug 13, 2010 9:05 pm
Re: wrong or missing GPG certificate
The signature is correct. You probably don't have the security list key in your GPG keyring. Another option is that the application you use to verify the signature is confused. In any case the verification works fine on a clean Ubuntu 16.04 system. First import the correct key:
Code: Select all
$ gpg --list-keys
$ wget --quiet https://swupdate.openvpn.net/community/keys/security.key.asc
$ cat security.key.asc |gpg --import
gpg: keyring `/home/samuli/.gnupg/secring.gpg' created
gpg: key 2F2B01E7: public key "OpenVPN - Security Mailing List <security@openvpn.net>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
$ gpg --list-keys
/home/samuli/.gnupg/pubring.gpg
-------------------------------
pub 4096R/2F2B01E7 2017-02-09 [expires: 2027-02-07]
uid OpenVPN - Security Mailing List <security@openvpn.net>
sub 4096R/F6D9F8D7 2017-02-09 [expires: 2018-03-06]
sub 4096R/8CC2B034 2017-02-09 [expires: 2018-03-06]
Now the security list key is in the keyring. Next fetch the actual file and signature and verify:
Code: Select all
$ wget --quiet https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.16-I601-x86_64.exe
$ wget --quiet https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.16-I601-x86_64.exe.asc
$ gpg -v --verify openvpn-install-2.3.16-I601-x86_64.exe.asc
gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in `openvpn-install-2.3.16-I601-x86_64.exe'
gpg: Signature made Fri 19 May 2017 11:21:50 AM EEST using RSA key ID 8CC2B034
gpg: using subkey 8CC2B034 instead of primary key 2F2B01E7
gpg: using PGP trust model
gpg: Good signature from "OpenVPN - Security Mailing List <security@openvpn.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7
Subkey fingerprint: B596 06E2 D8C6 E10B 80BE 2B31 D72A F344 8CC2 B034
gpg: binary signature, digest algorithm SHA1
As you can see, it says "Good signature" above.
--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
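The verification shown in the post above can be scripted so that it fails closed. This is an added example, not part of the original posts or of OpenVPN's tooling: it parses gpg's machine-readable `--status-fd` lines instead of the human-readable text and pins the primary-key fingerprint printed in the thread. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Primary-key fingerprint of the security list key, as printed by gpg in this thread.
EXPECTED_PRIMARY="F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7"

# classify_status PINNED_FPR: read `gpg --status-fd 1 --verify` lines on stdin, print one verdict.
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }        # data does not match the signature
        $2 == "NO_PUBKEY" { nokey = $3 }     # signing key is missing from the keyring
        $2 == "VALIDSIG"  { signer = $3; primary = $12 }  # last field: primary key fingerprint
        END {
            if (bad)                              print "BAD"
            else if (nokey != "")                 print "NOKEY " nokey
            else if (signer == "")                print "NOSIG"
            else if ((primary "") != (want ""))   print "WRONGKEY " primary
            else print "OK signer=" signer " keyid=" substr(signer, length(signer) - 15)
        }'
}

# verify_release SIGFILE DATAFILE: run gpg and succeed only on an OK verdict.
verify_release() {
    verdict=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        classify_status "$EXPECTED_PRIMARY")
    echo "$verdict"
    case $verdict in OK*) return 0 ;; *) return 1 ;; esac
}

# Constructed status output (not captured from a real run) for the three cases in this thread.
SUB="B59606E2D8C6E10B80BE2B31D72AF3448CC2B034"
sample_good() {
    echo "[GNUPG:] GOODSIG D72AF3448CC2B034 OpenVPN - Security Mailing List <security@openvpn.net>"
    echo "[GNUPG:] VALIDSIG $SUB 2017-05-19 1495182110 0 4 0 1 2 00 $EXPECTED_PRIMARY"
}
sample_bad() {
    echo "[GNUPG:] BADSIG D72AF3448CC2B034 OpenVPN - Security Mailing List <security@openvpn.net>"
}
sample_nokey() {
    echo "[GNUPG:] ERRSIG D72AF3448CC2B034 1 2 00 1495182110 9"
    echo "[GNUPG:] NO_PUBKEY D72AF3448CC2B034"
}

sample_good  | classify_status "$EXPECTED_PRIMARY"
sample_bad   | classify_status "$EXPECTED_PRIMARY"
sample_nokey | classify_status "$EXPECTED_PRIMARY"
```

The `keyid=` value in the OK verdict is the last 16 hex digits of the signing subkey's fingerprint, which is the same ID the first post's tool reported as an "unknown certificate".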
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Jun 21, 2017 12:22 pm
signature verification reports BAD signature from OpenVPN - Security Mailing List
Hi,
I downloaded openvpn-2.4.3.tar.gz & .asc and the .xz version with its .asc from the Downloads section and each time I ran $gpg --verify the output resulted in a BAD signature from OpenVPN Security Mailing List. I also used the --recv-keys option from MIT's keyserver and got the same result.
Attached is a txt file with the console output from attempting to verify both the gz and xz versions of the downloads. What's not in this text is me downloading via Firefox from the OpenVPN Downloads section. I'm running Ubuntu 16.04 latest hwe update, nothing special about it.
I searched and found one post about an earlier version of OpenVPN with similar result and I ran the exact steps outlined in that forum post.
Any directions would be appreciated.
Thanks
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: wrong or missing GPG certificate
The signatures were fixed as of 14:30 UTC+1
mattock wrote:
Code: Select all
14:31:01 @mattock | signatures should be fixed now
-
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Jun 29, 2017 9:54 am
Re: wrong or missing GPG certificate
Hi,
I downloaded openvpn-install-2.4.3-I601.exe and it has been signed with the unknown D72AF3448CC2B034 certificate.
Can you please clarify if this is correct?
The file has this hash SHA-512: a0da5281a38c2445af1c89f3153be6ced9d419b2e2c94c0326cd0821c6dad682808ada2bba5643754c5c9971b84940f4020163af4053d83ff13e605748cb13f0
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: wrong or missing GPG certificate
Please download a fresh copy and try again.