key ID 57E37087 vs BA8F038D



johnhectorfrink
02-19-2006, 03:49 AM
I have downloaded KNOPPIX_V4.0.2DVD-2005-09-23-EN.iso and the corresponding
md5, sha1, and asc files via:

http://knopper.net/knoppix-mirrors/download.php?lang=en&link=rsync://ftp.uni-kl.de/knoppix-dvd

When I use gpg, I get this information (after I have retrieved the identified key):

gpg: Signature made Sat Sep 24 15:59:30 2005 NZST using DSA key ID 57E37087
gpg: Good signature from "Klaus Knopper <knopper@knopper.net>"
gpg: aka "Klaus Knopper <info@knopper.net>"
gpg: aka "Klaus Knopper <knoppix@knopper.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0E57 3DA0 F139 69EF 1DD5 ACAA 3798 E3D7 57E3 7087

Now, the Downloading FAQ leads me to expect a key ID of BA8F038D.

So, what is the story here?

gregk
02-19-2007, 07:35 PM
On trying to verify KNOPPIX_V5.1.1DVD-2007-01-04-EN.iso.md5.asc I also get DSA key ID 57E37087 - not the expected one. Would really like to know what's going on here...

gregk
02-21-2007, 09:21 AM
Going to keyserver.net and looking for knoppix lists:

Klaus Knopper <knopper@knopper.net> 0x57E37087 1024/1024 2000/05/06 Never

So apparently somebody claiming to be Klaus registered that key back in 2000. Still it's odd that there are so few references to that key on the net.

mennucc1
11-27-2007, 03:11 PM
In my gpg keyring, it appears that
key BA8F038D is signed by key 57E37087;
but key 57E37087 is not signed by key BA8F038D.

Moreover,
$ gpg --verify KNOPPIX_V5.1.1DVD-2007-01-04-EN.iso.md5.asc
gpg: Signature made ven 05 gen 2007 04:15:35 CET using DSA key ID 57E37087
gpg: Good signature from "Klaus Knopper <knopper@knopper.net>"
gpg: aka "Klaus Knopper <info@knopper.net>"
gpg: aka "Klaus Knopper <knoppix@knopper.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0E57 3DA0 F139 69EF 1DD5 ACAA 3798 E3D7 57E3 7087

So, verifying the downloaded image by using key 57E37087 does not provide any security at all.

I could imagine a situation like this:
Mr Knopper builds Knoppix and signs the image with key BA8F038D;
the attacker creates a key 57E37087 and signs BA8F038D with it;
the attacker tampers with Knoppix and signs with 57E37087.

I know this sounds a bit paranoid; but I would feel safer if Mr Knopper posted the gpg fingerprints of both keys in the FAQ.
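The thread's underlying point is that "Good signature" from gpg only proves the file matches some key; it says nothing about whether that key is the one the project publishes, and a certification running in the wrong direction (57E37087 signing BA8F038D) lends no trust to the signer. The following Python script is an added example, not part of this thread or of any Knoppix tooling. It pins the fingerprint taken from a trusted out-of-band source (the FAQ, in the thread's terms) and checks gpg's machine-readable `--status-fd` output against it, then classifies keyring certifications by direction. The status lines are constructed to mirror the verification quoted above; the fingerprint for BA8F038D is a placeholder because the thread never gives it, and the function and variable names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Fingerprint gpg printed for key 57E37087 in the thread (from the page).
FPR_57E37087 = "0E573DA0F13969EF1DD5ACAA3798E3D757E37087"
# The thread does not quote BA8F038D's fingerprint; placeholder value only.
FPR_BA8F038D_PLACEHOLDER = "0000000000000000000000000000000000000000"

# Constructed sample of `gpg --status-fd 1 --verify ...` output, modelled on the
# "Good signature ... DSA key ID 57E37087" run shown in the thread.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3798E3D757E37087 Klaus Knopper <knopper@knopper.net>
[GNUPG:] VALIDSIG 0E573DA0F13969EF1DD5ACAA3798E3D757E37087 2007-01-05 1167966935 0 4 0 17 2 01 0E573DA0F13969EF1DD5ACAA3798E3D757E37087
[GNUPG:] TRUST_UNDEFINED 0 classic
"""

# Certifications observed in the keyring, as (signer, signee) pairs.
# The thread reports exactly one: 57E37087 has signed BA8F038D.
KEYRING_CERTIFICATIONS: Set[Tuple[str, str]] = {("57E37087", "BA8F038D")}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def _normalise(fpr: str) -> str:
    """Accept fingerprints with or without the spaces gpg prints."""
    return fpr.replace(" ", "").upper()


def verify_against_pin(status_text: str, pinned_fingerprints: Iterable[str]) -> Verdict:
    """Return ok=True only if gpg reports a good signature AND the signing key's
    full fingerprint (from the VALIDSIG line) is one we pinned in advance.
    Short key IDs are deliberately ignored: only the 40-hex fingerprint counts."""
    good_signature = False
    signing_fpr: Optional[str] = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good_signature = True
        elif tag == "VALIDSIG":
            signing_fpr = _normalise(fields[2])
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            return Verdict(False, f"gpg reported {tag}")
    if not good_signature or signing_fpr is None:
        return Verdict(False, "no valid signature found in gpg output")
    pinned = {_normalise(p) for p in pinned_fingerprints}
    if signing_fpr not in pinned:
        # This is the thread's situation: a good signature from an unpinned key.
        return Verdict(False, "good signature, but not from the pinned key", signing_fpr)
    return Verdict(True, "signature made by the pinned key", signing_fpr)


def classify_keys(trusted_key: str, certifications: Set[Tuple[str, str]]) -> Dict[str, str]:
    """Label every key appearing in the certification graph relative to one key
    we trust out of band. Only a certification *from* the trusted key counts;
    a key that merely signed the trusted key gains nothing from doing so."""
    labels: Dict[str, str] = {trusted_key: "trusted root"}
    for signer, signee in certifications:
        for key in (signer, signee):
            labels.setdefault(key, "uncertified")
        if signer == trusted_key:
            labels[signee] = "certified by root"
    return labels


if __name__ == "__main__":
    print(verify_against_pin(SAMPLE_STATUS, [FPR_57E37087]))
    print(verify_against_pin(SAMPLE_STATUS, [FPR_BA8F038D_PLACEHOLDER]))
    print(classify_keys("BA8F038D", KEYRING_CERTIFICATIONS))
```

Run with the real tool as `gpg --status-fd 1 --verify file.asc file | python3 check.py` after adapting the script to read stdin; the point of the design is that the pinned fingerprint comes from somewhere other than the download mirror, and that a "Good signature" line alone never produces ok=True.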