wrong or missing GPG certificate

All comments and questions related to the functionality of the OpenVPN web pages and forum should go here.

eyalarg
OpenVpn Newbie
Posts: 1
Joined: Thu May 25, 2017 10:21 am

wrong or missing GPG certificate

Post by eyalarg » Thu May 25, 2017 12:23 pm

I have downloaded openvpn-install-2.3.16-I601-x86_64.exe from this web page:
https://openvpn.net/index.php/download/ ... loads.html
It is listed in the section of "OpenVPN 2.3.16 (old stable) -- released on 2017.05.19".

When checking the signature, it seems that the file was "Signed on 2017-05-19 11:21 with unknown certificate 0xD72AF3448CC2B034."
However, the above certificate is not listed in this web page:
https://openvpn.net/index.php/open-sour ... n/sig.html

Will you please publish information about that certificate or re-sign the file with a trusted certificate?
Thanks,
Eyal

samuli
OpenVPN Inc.
Posts: 49
Joined: Fri Aug 13, 2010 9:05 pm

Re: wrong or missing GPG certificate

Post by samuli » Thu May 25, 2017 5:27 pm

The signature is correct. You probably don't have the security list key in your GPG keyring. Another option is that the application you use to verify the signature is confused. In any case the verification works fine on a clean Ubuntu 16.04 system. First import the correct key:

Code:

$ gpg --list-keys
$ wget --quiet https://swupdate.openvpn.net/community/keys/security.key.asc
$ cat security.key.asc |gpg --import
gpg: keyring `/home/samuli/.gnupg/secring.gpg' created
gpg: key 2F2B01E7: public key "OpenVPN - Security Mailing List <security@openvpn.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
$ gpg --list-keys
/home/samuli/.gnupg/pubring.gpg
-------------------------------
pub   4096R/2F2B01E7 2017-02-09 [expires: 2027-02-07]
uid                  OpenVPN - Security Mailing List <security@openvpn.net>
sub   4096R/F6D9F8D7 2017-02-09 [expires: 2018-03-06]
sub   4096R/8CC2B034 2017-02-09 [expires: 2018-03-06]
Now the security list key is in the keyring. Next fetch the actual file and signature and verify:

Code:

$ wget --quiet https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.16-I601-x86_64.exe
$ wget --quiet https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.16-I601-x86_64.exe.asc
$ gpg -v --verify openvpn-install-2.3.16-I601-x86_64.exe.asc
gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in `openvpn-install-2.3.16-I601-x86_64.exe'
gpg: Signature made Fri 19 May 2017 11:21:50 AM EEST using RSA key ID 8CC2B034
gpg: using subkey 8CC2B034 instead of primary key 2F2B01E7
gpg: using PGP trust model
gpg: Good signature from "OpenVPN - Security Mailing List <security@openvpn.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
     Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
gpg: binary signature, digest algorithm SHA1
As you can see, it says "Good signature" above.
--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
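The check behind the reply above, as an added example that is not part of the original thread or of OpenVPN's own tooling: it parses the text that `gpg -v --verify` prints, pins the primary-key fingerprint quoted in that transcript, and shows why the signing subkey turns up as an "unknown certificate 0x...8CC2B034" in a tool that only compares key IDs. The function names and the sample strings are my own, constructed from the lines shown above.

```python
import re
# Pinned primary-key fingerprint of the OpenVPN security list key, copied from
# the gpg transcript in the reply above (whitespace is stripped before comparing).
EXPECTED_PRIMARY_FPR = "F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7"

def norm_fpr(fpr):
    """Canonical fingerprint: no whitespace, upper-case hex."""
    return re.sub(r"\s+", "", fpr).upper()

def long_key_id(fpr):
    """The 64-bit key ID a tool shows as 0x... is the last 16 hex digits of the
    (sub)key fingerprint; that is why a signing subkey looks 'unknown'."""
    return norm_fpr(fpr)[-16:]

def check_gpg_verify(output, expected_primary=EXPECTED_PRIMARY_FPR):
    """Parse `gpg -v --verify` text output; return (ok, reason). ok only when
    gpg says Good signature AND the primary key behind it is the pinned one."""
    good = bad = False
    primary = subkey = None
    for line in output.splitlines():
        if "Good signature from" in line:
            good = True
        elif "BAD signature from" in line:
            bad = True
        m = re.search(r"Primary key fingerprint:\s*([0-9A-Fa-f ]+)\s*$", line)
        if m:
            primary = norm_fpr(m.group(1))
        m = re.search(r"Subkey fingerprint:\s*([0-9A-Fa-f ]+)\s*$", line)
        if m:
            subkey = norm_fpr(m.group(1))
    if bad:
        return False, "BAD signature: file or .asc corrupt or mismatched"
    if not good:
        return False, "no Good signature line: signing key not imported?"
    if primary is None:
        return False, "no primary fingerprint printed (rerun with -v)"
    if primary != norm_fpr(expected_primary):
        return False, "good signature but from an unpinned key " + primary
    via = " via subkey " + long_key_id(subkey) if subkey and subkey != primary else ""
    return True, "good signature from pinned security list key" + via

# Constructed sample: lines from the gpg transcript quoted in the reply above.
GOOD_OUTPUT = """\
gpg: using subkey 8CC2B034 instead of primary key 2F2B01E7
gpg: Good signature from "OpenVPN - Security Mailing List <security@openvpn.net>"
Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
     Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
"""
# Constructed sample of the BAD signature a later poster in this thread reported.
BAD_OUTPUT = 'gpg: BAD signature from "OpenVPN - Security Mailing List <security@openvpn.net>"\n'
```

A "Good signature" line alone is not enough: the "not certified with a trusted signature" warning means gpg has not tied the key to anyone, so the fingerprint comparison is the step that does that.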

sturbs
OpenVpn Newbie
Posts: 1
Joined: Wed Jun 21, 2017 12:22 pm

signature verification reports BAD signature from OpenVPN - Security Mailing List

Post by sturbs » Wed Jun 21, 2017 12:32 pm

Hi,
I downloaded openvpn-2.4.3.tar.gz & .asc and the .xz version with its .asc from the Downloads section, and each time I ran $ gpg --verify the output resulted in a BAD signature from OpenVPN Security Mailing List. I also used the --recv-keys option from MIT's keyserver and got the same result.
Attached is a txt file with the console output from attempting to verify both the gz and xz versions of the downloads. What's not in this text is me downloading via Firefox from the OpenVPN Downloads section. I'm running Ubuntu 16.04 latest hwe update, nothing special about it.
I searched and found one post about an earlier version of OpenVPN with similar result and I ran the exact steps outlined in that forum post.
Any directions would be appreciated.
Thanks

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: wrong or missing GPG certificate

Post by TinCanTech » Wed Jun 21, 2017 2:34 pm

The signatures were fixed as of 14:30 UTC+1.
mattock wrote:

Code:

14:31:01   @mattock | signatures should be fixed now

openvpn123456
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 29, 2017 9:54 am

Re: wrong or missing GPG certificate

Post by openvpn123456 » Thu Jun 29, 2017 10:01 am

Hi,
I downloaded openvpn-install-2.4.3-I601.exe and it has been signed with the unknown D72AF3448CC2B034 certificate.
Can you please clarify if this is correct?

The file has this hash SHA-512: a0da5281a38c2445af1c89f3153be6ced9d419b2e2c94c0326cd0821c6dad682808ada2bba5643754c5c9971b84940f4020163af4053d83ff13e605748cb13f0

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: wrong or missing GPG certificate

Post by TinCanTech » Thu Jun 29, 2017 11:37 am

Please download a fresh copy and try again.
