Unable to verify GPG key

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.
Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
Post Reply
vertigo
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 15, 2018 12:18 am

Unable to verify GPG key

Post by vertigo » Fri Mar 16, 2018 5:16 pm

I downloaded openvpn-install-2.4.5-I601.exe and have been trying, unsuccessfully, to verify it with the key. I've tried importing the key both by server lookup and using the security.key.asc. I just get the following message in Kleopatra (Gpg4win):

Code: Select all

Verified ‘openvpn-install-2.4.5-I601.exe’ with ‘openvpn-install-2.4.5-I601.exe.asc’: 
The data could not be verified.

Signature created on Thursday, March 01, 2018 3:53:30 AM
With certificate:
F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7
The signature is invalid: Signing certificate is expired
GPA (GNU Privacy Assistant) gives me a similar expired key error.

From what I can tell, this is caused by 2/5 of the subkeys (F80E8008F6D9F8D7 & D72AF3448CC2B034) being expired. But if I delete the expired subkeys, Kleopatra gives me this message:

Code: Select all

Verified ‘openvpn-install-2.4.5-I601.exe’ with ‘openvpn-install-2.4.5-I601.exe.asc’: 
The data could not be verified.

Signature created on Thursday, March 01, 2018 3:53:30 AM
With unavailable certificate:
ID: 0xD72AF3448CC2B034
You can search the certificate on a keyserver or import it from a file.
So the first message seems to indicate it's trying to validate with the 01E7 certificate, which is NOT expired, but failing due to the presence of expired certificates, yet the second message seems to be showing that once the expired ones are removed, it's trying to use one of them (B034). So basically, there appears to be no way to verify.

I doubt it's needed, but here's the key info:

Code: Select all

pub  rsa4096/12F5F7B42F2B01E7
     created: 2017-02-09  expires: 2027-02-07  usage: SC
     trust: full          validity: full
sub  rsa4096/F80E8008F6D9F8D7
     created: 2017-02-09  expired: 2018-03-06  usage: E
sub  rsa4096/D72AF3448CC2B034
     created: 2017-02-09  expired: 2018-03-06  usage: S
sub  rsa4096/F132B1CBAF131CAE
     created: 2018-03-07  expires: 2019-03-07  usage: S
sub  rsa4096/0A24DFCF907F94CF
     created: 2018-03-07  expires: 2019-03-07  usage: E
[  full  ] (1). OpenVPN - Security Mailing List <security@openvpn.net>
Also, and I'm still fairly new with all this so please correct me if I'm wrong, but doesn't having the signature and the download on the same server make it useless? If openvpn.net was hacked and the program replaced with a malicious version, couldn't the hacker also just change the .asc file and the signature info? And, unless I missed it, there's no checksums, so you can verify the download is legitimate, but not that it's intact (not corrupt). Am I missing something?

As a side note, my 32 character, 194-bit randomly generated password containing letters, numbers, and symbols that I created to register for this site is "weak" according to it. I don't think so. There's clearly something not right with whatever algorithm is used to determine that.

vertigo
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 15, 2018 12:18 am

Re: Unable to verify GPG key

Post by vertigo » Tue Mar 20, 2018 8:43 pm

Not sure why this post was moved to this subforum, but I don't see this as an installation issue at all. I presume it will install just fine, I'd just like to be able to verify the file is what it's supposed to be first, something I would think a security-oriented app would take very seriously.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4295
Joined: Fri Jun 03, 2016 1:17 pm

Re: Unable to verify GPG key

Post by TinCanTech » Wed Mar 21, 2018 9:58 pm

Openvpn do take the security very seriously but for some reason nobody has documented these steps.

Here is what I have:
https://openvpn.net/index.php/open-sour ... n/sig.html
https://community.openvpn.net/openvpn/w ... Signatures

I cannot vouch for the validity of those documents because I know there have been some recent changes.

Related:
https://www.gnupg.org/gph/en/manual/x334.html

You might find the users mailing list more helpful on this occasion.

vertigo
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 15, 2018 12:18 am

Re: Unable to verify GPG key

Post by vertigo » Wed Mar 21, 2018 10:43 pm

Thanks. I'd already seen and read all those links, though since the second one lists Samuli Seppänen's new key as also being used to sign the Windows installer, I tried it as well, but no dice. And I wouldn't even know where to start in using the mailing list to get help on this, and taking a quick look around on it just had me going in circles with links I had to manually edit to make work because they weren't posted correctly. All of this basically culminates into a lack of trust in this project, if they can't/won't get such basic things right and make the download verifiable.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4295
Joined: Fri Jun 03, 2016 1:17 pm

Re: Unable to verify GPG key

Post by TinCanTech » Thu Mar 22, 2018 8:15 pm

vertigo wrote:
Wed Mar 21, 2018 10:43 pm
All of this basically culminates into a lack of trust in this project, if they can't/won't get such basic things right and make the download verifiable.
I believe your expectations here maybe inaccurate .. allow me to show you why.

As much as you like to believe in the safety of HTTPS you need to understand this:
https://www.grc.com/fingerprints.htm

Once you understand that, you will realise that Openvpn is as much at the mercy of such practice as any other website.

So, instead of providing poor solutions to such a complex problem, Openvpn provide a superior solution, albeit extremely technical and probably beyond the scope of many, many users.

Also, you can download and compile the source yourself, which is not as difficult as you might expect.

Lastly, Openvpn very rarely get complaints about a lack of trust .. I can't even remember the last such complaint.

However, as this is a user support forum, any user can reply and could (if they chose) post this info:

Code: Select all

SHA512(openvpn-install-2.4.5-I601.exe)= 613941791da88123f10d0cae9cf3aaba1b82ff4332e2e2a21da1b0d1bd1fcbbdb9ac77ce9354369df9640dbfdcd82de0e1ac27e7a9b9e7964c9a53791abfdd97
But now you know .. this may or may not be true. :mrgreen:

vertigo
OpenVpn Newbie
Posts: 4
Joined: Thu Mar 15, 2018 12:18 am

Re: Unable to verify GPG key

Post by vertigo » Thu Mar 22, 2018 9:02 pm

I may be misunderstanding since, as I said, I'm still fairly new to all this, but the page you linked is dealing with encrypted website connections and the ability of companies to fake them. I was already aware of most of the content on that page, and somewhat aware that companies could do stuff like that, but I don't know how that all relates to this topic, or the checksum you posted, for that matter. My issue isn't whether my connection to the website is being tampered with (I'm on my personal home computer), nor is it with verifying the integrity of the file (the checksum). It's with verifying the authenticity of the file. I already know the file I downloaded isn't corrupt, but I'd like to know that it isn't compromised. That's why I'm trying to check it with the PGP key, which isn't working. And my other point, besides the fact that it's broken (seemingly due to the fact a couple of the subkeys have expired and aren't being renewed), is that keeping the file and the key on the same server seems to do little good in the event the server is compromised, because then an illicit version of the file, along with a modified keyfile and fingerprint, could be uploaded. That is, they could remove the valid one and put their own up, which is made to look valid. By placing the file and/or key on multiple servers, it protects against this because one can be downloaded from one source and the other from a different server. Or am I completely wrong about all of that?

The bottom line, though, is that I cannot currently verify it with the signature, legitimate or not, and, unless I'm just doing something wrong, others must be unable to as well, and for a program who's reason for existing is to provide privacy and security, this just seems like a massive issue. But again, maybe I'm wrong, in which case, it would be nice to at least know that, and know why. I hope that makes sense, and thank you for responding.

As for the link you posted, do you mean to say that even using OpenVPN, if browsing on a company network that does this, the company would still be able to see all the traffic? What about if you were to use a different browser, perhaps a portable one? Fortunately, this isn't an issue I have to worry about, but it's still interesting.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4295
Joined: Fri Jun 03, 2016 1:17 pm

Re: Unable to verify GPG key

Post by TinCanTech » Thu Mar 22, 2018 10:27 pm

I shall be brief ..

We do not support the products you are using for verification.
Please seek the associated documentation from the appropriate source.

If you follow the instructions I have indicated above you will be able to verify the following:

Code: Select all

me@home ~/Downloads/openvpn $ gpg -v --verify openvpn-install-2.4.5-I601.exe.asc openvpn-install-2.4.5-I601.exe
gpg: Signature made Thu 01 Mar 2018 08:53:30 GMT using RSA key ID 8CC2B034
gpg: NOTE: signature key 8CC2B034 expired Tue 06 Mar 2018 12:17:50 GMT
gpg: using subkey 8CC2B034 instead of primary key 2F2B01E7
gpg: NOTE: signature key 8CC2B034 expired Tue 06 Mar 2018 12:17:50 GMT
gpg: NOTE: signature key 8CC2B034 expired Tue 06 Mar 2018 12:17:50 GMT
gpg: using PGP trust model
gpg: Good signature from "OpenVPN - Security Mailing List <security@openvpn.net>"
gpg: NOTE: signature key 8CC2B034 expired Tue 06 Mar 2018 12:17:50 GMT
gpg: Note: This key has expired!
Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
     Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
gpg: binary signature, digest algorithm SHA256
NOTE:
* Linux required
* Key expiry confirmed
* Output not tampered with (but you can confirm that yourself)

For the record:
TinCanTech wrote:
Thu Mar 22, 2018 8:15 pm
SHA512(openvpn-install-2.4.5-I601.exe)= 613941791da88123f10d0cae9cf3aaba1b82ff4332e2e2a21da1b0d1bd1fcbbdb9ac77ce9354369df9640dbfdcd82de0e1ac27e7a9b9e7964c9a53791abfdd97
Yes, I deliberately tampered with this .. to prove a point.

Post Reply