You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by bob <to...@excite.com> on 2007/01/30 23:10:16 UTC

keys, security on downloads




All,

I'm an admitted security gumbie, but I do have some questions regarding the download security mechanisms on the struts site.  Note, they are pretty much similar to those found on other similar sites so I'm not picking on anyone.  In fact, I just want someone to explain to me how it all works. 

I just downloaded the struts 2 source code.  I also downloaded the KEYS, initialized my keystore ( GPG ), and then verified the download.  It tells me that one of the signuatres is GOOD, which I assume means that the download's signature matches one of the signatures from my new keystore/db, Ted Husted's in this case.  Then it goes on to tell me that the signature's authenticity ( right word? ) is not necessarily known.  In other, words this might not actually be T.H. who signed the thing.  Output from signing follows at end of this message.

So, as I understand all this cryptography stuff, this all means that since we didn't download the keys in a secure method, and since they aren't in certificates, we can match the keys we have to the signatures we get, but its all kind of on a shakey foundation since the original keystore could have been built on malicious keys.  This is similar to getting a SSH login to a remote host for which you have not obtained a key through a secure method prior to starting the current session: SSH lets you go ahead and just pull the key over at that time, and go on if you wish.    

My question is:  Is this accepted as good enough?  I'm not saying it isn't, I just asking if this is supposed to be good enough?  Or is it just too difficult to do something more?  

:~/Desktop $ gpg --verify struts-2.0.1-src.zip.asc
gpg: Signature made Tue 10 Oct 2006 04:41:51 PM MDT using DSA key ID C969F74A
gpg: Good signature from "Ted Husted (Release Manager) <hu...@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B1B6 016C 356A 70F3 E9B8  DACA 1ADC E843 C969 F74A


_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org