Qubes Canary #13


Andrew David Wong

Sep 29, 2017, 9:31:15 PM
to qubes...@googlegroups.com, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Qubes community,

On 2017-09-12, we published Qubes Canary #13. The text of this canary is
reproduced below. This canary and its accompanying signatures will always be
available in the Qubes Security Pack (qubes-secpack).

View Canary #13 in the qubes-secpack:

<https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-013-2017.txt>

Learn about the qubes-secpack, including how to obtain, verify, and read it:

<https://www.qubes-os.org/security/pack/>

View all past canaries:

<https://www.qubes-os.org/security/canaries/>

```
---===[ Qubes Canary #13 ]===---


Statements
- -----------

The Qubes core developers who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is September 12, 2017.

2. There have been 33 Qubes Security Bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).

5. We plan to publish the next of these canary statements in the first
two weeks of December 2017. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.

Special announcements
- ----------------------

None.

Disclaimers and notes
- ----------------------

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently
compromised. This means that we assume NO trust in any of the servers
or services which host or provide any Qubes-related data, in
particular, software updates, source code repositories, and Qubes ISO
downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.

Proof of freshness
- -------------------

$ date -R -u
Mon, 11 Sep 2017 17:54:05 +0000

$ feedstail -1 -n5 -f '{title}' -u https://www.spiegel.de/international/index.rss
A Shrinking Giant: EU Worries Grow over U.S. Economic Chaos
Iranian Vice President Salehi on Nuclear Deal: 'Our Partners Have More To Lose Than We Do'
Is Moscow Planning Something?: Germany Prepares for Possible Russian Election Meddling
Where Dreams Come to Die: Migrant Path in Europe Ends at Brenner Pass
Stemming the Flow: Why Europe's Migrant Strategy Is an Illusion

$ feedstail -1 -n5 -f '{title}' -u http://rss.nytimes.com/services/xml/rss/nyt/World.xml
Desperation Mounts in Caribbean Islands: ‘All the Food Is Gone’
Mexico Mourns After Quake: ‘We Have No Idea How We Are Going to Rebuild’
Rohingya Crisis in Myanmar Is ‘Ethnic Cleansing,’ U.N. Rights Chief Says
Need to Catch Up on the German Election? Here’s a Guide
U.S. Weakens Resolution on North Korea to Gain Chinese and Russian Support

$ feedstail -1 -n5 -f '{title}' -u http://feeds.bbci.co.uk/news/world/rss.xml
Hurricane Irma: Florida launches huge relief operation
Rohingya crisis: UN sees 'ethnic cleansing' in Myanmar
Catalan independence rally: Thousands gather in Barcelona
Trump on 9/11 anniversary: "Our nation will endure"
Venezuela accuses UN of lying over alleged rights abuses

$ feedstail -1 -n5 -f '{title}' -u http://feeds.reuters.com/reuters/worldnews
U.N. Security Council to vote Monday on weakened North Korea sanctions: diplomats
Afghanistan will never again be militant sanctuary: U.S. ambassador
U.N. rights boss sees possible "crimes against humanity" in Venezuela
Russia, Jordan agree to speed de-escalation zone in south Syria
U.N. brands Myanmar violence a 'textbook' example of ethnic cleansing

$ curl -s 'http://blockchain.info/blocks/?format=json'

$ python3 -c 'import sys, json; print(json.load(sys.stdin)['\''blocks'\''][10]['\''hash'\''])'
00000000000000000052fe6212dab65bf03f15711c74c835fd6d42802f8cae51

Footnotes
- ----------

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the qubes-secpack.git repo, and (2) via digital signatures
on the corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures!
```

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
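
The checks the canary asks readers to make (the pinned fingerprint in statement 3, the no-warrants statement, and the publication window in statement 5), as an added example that is not part of the original message or of the Qubes project's tooling. It assumes the canary's signatures were already verified and reads "first two weeks" as ending on the 14th; `check_canary` and its parameters are hypothetical names.

```python
import re
from datetime import date

# Constructed sample: the Statements section of Canary #13 as quoted above.
CANARY = """\
1. The date of issue of this canary is September 12, 2017.
2. There have been 33 Qubes Security Bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).
5. We plan to publish the next of these canary statements in the first
two weeks of December 2017. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.
"""

MONTHS = {m: i for i, m in enumerate(
    "January February March April May June July August September "
    "October November December".split(), start=1)}

def check_canary(text, pinned_fpr, prev_qsb_count, today):
    """Return a list of findings; an empty list means nothing to flag."""
    flat = " ".join(text.split())  # undo the hard line wraps
    findings = []
    # Statement 3: compare against a fingerprint the reader pinned earlier.
    fpr = re.search(r"fingerprint is: ((?:[0-9A-F]{4} ?){10})", flat)
    if not fpr or fpr.group(1).replace(" ", "") != pinned_fpr.replace(" ", ""):
        findings.append("master key fingerprint differs from pinned value")
    # Statement 4: a dropped or reworded statement is itself the signal.
    if "No warrants have ever been served to us" not in flat:
        findings.append("no-warrants statement missing or reworded")
    # Statement 2: the bulletin count should never go down between canaries.
    qsb = re.search(r"There have been (\d+) Qubes Security Bulletins", flat)
    if not qsb or int(qsb.group(1)) < prev_qsb_count:
        findings.append("QSB count missing or lower than previously seen")
    # Statement 5: assumption, "first two weeks" means up to the 14th.
    nxt = re.search(r"first two weeks of (\w+) (\d{4})", flat)
    if not nxt or nxt.group(1) not in MONTHS:
        findings.append("next-canary window missing")
    elif today > date(int(nxt.group(2)), MONTHS[nxt.group(1)], 14):
        findings.append("next canary is overdue")
    return findings
```

Run it with `today` set to the current date each time the qubes-secpack is fetched; an "overdue" finding only matters if no newer signed canary exists in the repository.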


d5o...@gmail.com

Nov 17, 2017, 2:47:06 PM
to qubes-users
I have a couple questions regarding the secpack. First, when I try to verify the git tags, I get the following error:
$ cd qubes-secpack
$ git tag -v 'git describe'
error: tag 'git describe' not found.

Have I done something wrong here? Next, I did a git tag -l to get a list of tags to try to verify individually. Here is what followed:

$ git tag -v adw_5e2cf51c
object 5e2cf51ce18b1017de9fd73ce235b366271c98ec
type commit
tag adw_5e2cf51c
tagger Andrew David Wong <adw@[deleted for privacy]> 1491306927 -0700

Tag for commit 5e2cf51ce18b1017de9fd73ce235b366271c98ec
gpg: Signature made Tue 04 Apr 2017 04:55:27 AM PDT using RSA key ID 39503030
gpg: Good signature from "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adwong@[deleted for privacy]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BBAF 910D 1BC9 DDF4 1043 629F BC21 1FCE E9C5 4C53
Subkey fingerprint: 650E EB09 85F4 8F78 5E9C 61F5 DB4D D3BC 3950 3030

The signature is good, but the key is not certified with a trusted signature. Can you please explain this? The only signature that I have elevated trust on is the Qubes Master Signing Key.

Jean-Philippe Ouellet

Nov 17, 2017, 6:09:03 PM
to d5o...@gmail.com, qubes-users
It appears you are using single quotes ( ' ) instead of backticks ( ` ).

Gordon Rice

Nov 17, 2017, 8:38:16 PM
to qubes-users
Thank you for the answer to the first question. The back ticks took care of not finding the file. The warning pops up for the `git describe` now though:

$ git tag -v `git describe`
object 8567fa1b877d5afa5789448a0027717a44329cd3
type commit
tag adw_8567fa1b
tagger Andrew David Wong <adw@[deleted for privacy]> 1510443087 -0600

Tag for commit 8567fa1b877d5afa5789448a0027717a44329cd3
gpg: Signature made Sat 11 Nov 2017 03:31:27 PM PST using RSA key ID 39503030
gpg: Good signature from "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adw@[deleted for privacy]>"
gpg: aka "Andrew David Wong <adwong@[deleted for privacy]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BBAF 910D 1BC9 DDF4 1043 629F BC21 1FCE E9C5 4C53
Subkey fingerprint: 650E EB09 85F4 8F78 5E9C 61F5 DB4D D3BC 3950 3030

$

Again, the signature is good, but the key is not certified. What are the implications of this message?

Unman

Nov 17, 2017, 8:39:07 PM
to d5o...@gmail.com, qubes-users
The warning is evident: Andrew's key is not signed. Questions about this
have been asked before, and the reason is probably that most of the
Qubes team are using split-gpg (www.qubes-os.org/doc/split-gpg) with
subkeys. If you review that page then you will see that one of the
downsides of using subkeys is that it's not possible to sign other
people's keys.

This doesn't mean that you can't trust Andrew's key - there are many
things you can do to check that it is the right key and belongs to him.
What you can't do is hand off that process of establishing trust to
someone else (and that is what the web of trust does).

Hope that's somewhat clear

unman



Gordon Rice

Nov 17, 2017, 8:56:16 PM
to qubes-users
>
> The warning is evident: Andrew's key is not signed. Questions about this
> have been asked before, and the reason is probably that most of the
> Qubes team are using split-gpg (www.qubes-os.org/doc/split-gpg) with
> subkeys. If you review that page then you will see that one of the
> downsides of using subkeys is that it's not possible to sign other
> people's keys.
>
> This doesn't mean that you can't trust Andrew's key - there are many
> things you can do to check that it is the right key and belongs to him.
> What you can't do is hand off that process of establishing trust to
> someone else (and that is what the web of trust does).
>
> Hope that's somewhat clear
>
> unman

Perfectly clear. I had noticed the subkey, but hadn't connected the dots. Thank you for taking the time to answer.

Andrew David Wong

Nov 17, 2017, 9:31:51 PM
to Gordon Rice, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Unman's explanation is great, as usual. I'll just add links to some
sources that may be helpful in establishing the validity of my key, in
case you're interested:

https://www.qubes-os.org/team/#andrew-david-wong (fingerprint)
https://andrewdavidwong.com/ (fingerprint)
https://andrewdavidwong.com/adw.asc (key)
https://andrewdavidwong.com/fingerprints.txt (signed statement of other fingerprints)
https://keybase.io/adw (fingerprint, key, and social media proofs)
https://github.com/andrewdavidwong/keys (keys)

We always strongly recommend reading this (if you haven't already):
https://www.qubes-os.org/security/verifying-signatures/

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
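
An added example, not part of the thread or of Qubes tooling, of the point made in the replies above: whether a tag's signature is valid and made by the expected key can be checked against a fingerprint you confirmed yourself, independently of gpg's trust warning. It parses the status lines that `git verify-tag --raw` writes to stderr; the sample status text is constructed, and `assess` and `verify_tag` are hypothetical names.

```python
import subprocess

# Primary-key fingerprint as printed in the gpg output quoted in this thread.
# Confirm it against the out-of-band sources listed above before pinning it.
PINNED_PRIMARY = "BBAF910D1BC9DDF41043629FBC211FCEE9C54C53"

# Constructed sample of gpg status output for tag adw_8567fa1b.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DB4DD3BC39503030 Andrew David Wong <adw@[deleted for privacy]>
[GNUPG:] VALIDSIG 650EEB0985F48F785E9C61F5DB4DD3BC39503030 2017-11-11 1510443087 0 4 0 1 10 00 BBAF910D1BC9DDF41043629FBC211FCEE9C54C53
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Status keywords that mean the signature must not be accepted.
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def assess(status_text, pinned_primary):
    """Return (ok, signing_key_fpr, trust_keyword) from gpg status lines."""
    signer = primary = None
    trust = "none reported"
    bad = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in BAD:
            bad = True
        elif parts[1] == "VALIDSIG" and len(parts) >= 12:
            # First argument: key that made the signature (here a subkey).
            # Last argument: fingerprint of the primary key it belongs to.
            signer, primary = parts[2], parts[-1]
        elif parts[1].startswith("TRUST_"):
            # Web-of-trust verdict only; it does not affect `ok`.
            trust = parts[1]
    ok = (not bad and primary is not None
          and primary.upper() == pinned_primary.upper())
    return ok, signer, trust

def verify_tag(tag, pinned_primary=PINNED_PRIMARY):
    """Assess a tag in the current repository (needs git, gpg and the key)."""
    proc = subprocess.run(["git", "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return assess(proc.stderr, pinned_primary)
```

For the sample, `assess` reports a valid signature by the pinned key with trust `TRUST_UNDEFINED`, which is the state gpg describes with "This key is not certified with a trusted signature!".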
