Monero: Improving pgp security

Created on 20 Nov 2019 · 5Comments · Source: monero-project/monero

I suggest adding the fluffypony.asc signature key and SHA256 sums on Monero binaries to txt domain record getmonero.org
The substitution can be recognized by the changed serial number of the zone.

Source

mendisobal

Most helpful comment

My full GPG key is in the Monero source tree, which already provides an out-of-band record. I don’t think GPG-over-DNS is a standard, otherwise that certainly be novel, but largely pointless as we already use DNSSEC-signed TXT records of the file hashes for the auto-updater, no GPG needed.

fluffypony on 20 Nov 2019

👍3

All 5 comments

fluffypony on 20 Nov 2019

👍3

My full GPG key is in the Monero source tree, which already provides an out-of-band record. I don’t think GPG-over-DNS is a standard, otherwise that certainly be novel, but largely pointless as we already use DNSSEC-signed TXT records of the file hashes for the auto-updater, no GPG needed.

I've imported your key from https://github.com/monero-project/monero/blob/master/utils/gpg_keys/fluffypony.asc
When I try to verify the signed message in https://web.getmonero.org/downloads/hashes.txt I get "Key NOT valid" as the status.

wartjugger on 21 Nov 2019

@wartjugger - Are you following these guides?

https://src.getmonero.org/resources/user-guides/verification-windows-beginner.html (Windows)

https://src.getmonero.org/resources/user-guides/verification-allos-advanced.html (Linux & Mac OS)

dEBRUYNE-1 on 21 Nov 2019

👍1

@wartjugger - Are you following these guides?

https://src.getmonero.org/resources/user-guides/verification-windows-beginner.html (Windows)

https://src.getmonero.org/resources/user-guides/verification-allos-advanced.html (Linux & Mac OS)

Ok, it's working with the Linux guide. I was using GNU Privacy Assistant without setting a trust level.

wartjugger on 21 Nov 2019

No bug here.