Re: [libreoffice-conference] Keysigning key submission period closed, keylist published

Pete Stephenson <pete -AT- heypete.com>
Tue, 2 Sep 2014 16:19:31 +0200

On Tue, Sep 2, 2014 at 3:36 PM, Italo Vignoli <italo.vignoli@gmail.com> wrote:

Pete Stephenson wrote:

Users should download the keylist (which is also signed by my PGP key,
0x85EB9F44), compute the SHA256 and RIPEMD160 hashes of the list in
accordance with the directions, print out the last, and write the
hashes they computed in pen on the list. These hashes will then be
compared with the hash computed by me, which I will display at the
KSP. This way people can be assured that the list they printed out
matches precisely with the official list and there's been no
modifications.


This is beyond my technical skills. I have uploaded the key to the
keyserver, using the Terminal, but this has already represented a huge
effort on my side. I do not use the Terminal, as I am a normal user, so
I will be coming to the party but do not expect hashes (maybe ashes...)
from me.


Hi Italo (and others attending the conference and KSP),

Command-line GPG commands can be arcane and daunting if you're not
familiar with it. Sorry. :/

I was going to write up some detailed how-to guides with images and
put them online, but I've been a bit busy with a new baby and haven't
had the time yet. I'll try to have some guides up later tonight.

I'll try to explain how to download and calculate the hashes on the
keylist in a step-by-step manner for the Mac. Fortunately, it only
involves executing three commands from the terminal which you can
copy-paste from this message.

1. Open the Terminal.

2. Download the keylist by executing the following command in the Terminal:

curl "https://libo2014.keysigning.ch/files/ksp-libo2014.txt"; -o ksp-libo2014.txt

That command will download the keylist and save it as
"ksp-libo2014.txt" in your home directory. Keep the Terminal open for
the time being.

3. Open the keylist file in a text editor (TextEdit is the default
text editor for Mac OS X) and print it out. (I assume that you know
how to open and print text files.) After printing it, close TextEdit.

4. Back in the Terminal, compute the hashes of the keylist by running
these two commands one after the other:

gpg --print-md SHA256 ksp-libo2014.txt

gpg --print-md RIPEMD160 ksp-libo2014.txt

You should hand-write the hashes in the spaces provided in the printed
keylist and bring it with you to the keysigning party. At the party
I'll display the hashes I calculated when the keylist was generated --
they should match exactly with those that you've computed.

This provides a strong assurance that the keylist you printed out is
exactly the same as the official one and makes life considerably
easier: rather than verifying the fingerprint on each key separately,
you'd just need to verify (1) that your key's fingerprint on the list
is correct, (2) the hashes of your copy of the list match the hashes I
display at the keysigning party, and (3) each person on the list
attests at the keysigning party that their fingerprint on the list is
correct.

Here's an example of what it looks like from my terminal (I'm using
Linux, but it should look essentially the same for a Mac):

pete@kaylee ~ $ curl
"https://libo2014.keysigning.ch/files/ksp-libo2014.txt"; -o
ksp-libo2014.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10933  100 10933    0     0  58082      0 --:--:-- --:--:-- --:--:-- 79224
pete@kaylee ~ $ gpg --print-md SHA256 ksp-libo2014.txt
ksp-libo2014.txt: EXAMPLE1 EXAMPLE1 EXAMPLE1 EXAMPLE1 EXAMPLE1 EXAMPLE1 EXAMPLE1
                         EXAMPLE1
pete@kaylee ~ $ gpg --print-md RIPEMD160 ksp-libo2014.txt
ksp-libo2014.txt: EXAM PLE2 EXAM PLE2 EXAM PLE2 EXAM PLE2 EXAM PLE2

Hopefully that straightens things out a bit. If you have any other
questions, let me know.

Cheers!
-Pete

-- 
Pete Stephenson

-- 
To unsubscribe e-mail to: conference+unsubscribe@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/conference/
All messages sent to this list will be publicly archived and cannot be deleted

Context

[libreoffice-conference] Keysigning key submission period closed, keylist published · Pete Stephenson
- Re: [libreoffice-conference] Keysigning key submission period closed, keylist published · Italo Vignoli
  - Re: [libreoffice-conference] Keysigning key submission period closed, keylist published · Pete Stephenson
    - Re: [libreoffice-conference] Keysigning key submission period closed, keylist published · Italo Vignoli
      - Re: [libreoffice-conference] Keysigning key submission period closed, keylist published · Pete Stephenson
      - Re: [libreoffice-conference] Keysigning key submission period closed, keylist published · Pete Stephenson
  - Re: [libreoffice-conference] Keysigning key submission period closed, keylist published · Tobias Mueller
    - Re: [libreoffice-conference] Keysigning key submission period closed, keylist published · Italo Vignoli

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.