[jitsi-users] Jitsi package PGP signatures


#1

Hello.

I'd like to request that you improve the Jitsi package security a bit.
For example the stable debian build line does not seem to offer any
package PGP signatures https://download.jitsi.org/jitsi/debian/
But the nightly line does: https://download.jitsi.org/jitsi/nightly/debian/
It appears to be using a 1024 DSA key EB0AB654 to sign the downloads.
Could you please upgrade this to a 4096 version, and have some trusted
signatures added to the public key? I'd sleep much better knowing it
has not been intercepted and replaced by the NSA. Call me paranoid.

Thanks.


#2

Hi,

I'm sure we are signing both repositories the same way; even the
packages that go into stable have been in nightly before that, they are
not separately built. We will soon change the key in order to provide
one that is on a public keyserver and is trusted.

Regards
damencho

On Thu, Feb 6, 2014 at 2:34 PM, Cpp <tzornik@gmail.com> wrote:
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#3

Hi Damian,

I brought this up a couple of weeks ago - the signatures may be being
created, but the signatures are not publicly available. The current key
is on the keyserver:
http://pgp.mit.edu/pks/lookup?op=vindex&search=0xC697D823EB0AB654 - but
it's signed by one person whose name I'm unfamiliar with and as Cpp
mentioned is only 1024bit DSA. As I mentioned at the time, having an
untrusted package is no good for a secure-chat app, much less one that
also installs a repository on your system.

I agree with Cpp - I'd like to see a signature provided for every single
binary (debian, mac, windows, android, amiga, atari, commodore64,
whatever...) from a 4096bit RSA public key signed by the whole core
development team. Unfortunately only you guys can implement this, or I'd
offer to do the work!

Once you've got the new key created, signed and in use, please provide
both a copy of the key and a link to the keyserver copy on the jitsi.org
download page somewhere! :wink:

Regards,
Gray.

On 06/02/14 13:28, Damian Minkov wrote:
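The complaint in this thread is that a repository signing key turned out to be 1024-bit DSA, which nobody noticed until someone looked. The check below is an added example, not code from Jitsi or from anyone on the list: it parses an OpenPGP v4 public-key packet (old-format header, as `gpg --export` emits for RSA/DSA keys), recovers the algorithm, key size, fingerprint and the short key ID of the kind quoted above (EB0AB654), and flags keys below a 2048-bit policy minimum. The sample packet is constructed inline with a dummy modulus so it runs offline; the key material in it is not a real key.

```python
import hashlib
import struct

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1)
ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA"}
MIN_BITS = 2048  # assumed policy minimum for a repository signing key


def parse_public_key_packet(data: bytes) -> dict:
    """Parse an old-format OpenPGP v4 public-key packet (tag 6)."""
    hdr = data[0]
    if hdr & 0xC0 != 0x80 or (hdr >> 2) & 0x0F != 6:
        raise ValueError("not an old-format public-key packet")
    ltype = hdr & 0x03  # 0: one-byte body length, 1: two-byte body length
    if ltype == 0:
        body_len, off = data[1], 2
    elif ltype == 1:
        body_len, off = struct.unpack(">H", data[1:3])[0], 3
    else:
        raise ValueError("unsupported packet length type")
    body = data[off:off + body_len]
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    created = struct.unpack(">I", body[1:5])[0]
    algo = body[5]
    # Key size is the bit length of the first MPI: n for RSA, p for DSA/Elgamal.
    bits = struct.unpack(">H", body[6:8])[0]
    # v4 fingerprint: SHA-1 over 0x99 || two-byte body length || body.
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", body_len) + body).hexdigest().upper()
    return {"algo": ALGO_NAMES.get(algo, f"unknown({algo})"), "bits": bits,
            "created": created, "fingerprint": fpr,
            "long_id": fpr[-16:], "short_id": fpr[-8:]}


def is_weak(info: dict) -> bool:
    """True when the key falls below the assumed policy minimum (e.g. 1024-bit DSA)."""
    return info["bits"] < MIN_BITS


def build_test_packet(algo: int, bits: int) -> bytes:
    """Constructed test data: a syntactically valid v4 key packet with a dummy MPI."""
    nbytes = (bits + 7) // 8
    mpi = struct.pack(">H", bits) + b"\x80" + b"\x00" * (nbytes - 1)  # top bit set
    body = b"\x04" + struct.pack(">I", 1391690040) + bytes([algo]) + mpi
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    for algo, bits in ((17, 1024), (1, 4096)):
        info = parse_public_key_packet(build_test_packet(algo, bits))
        print(info["algo"], info["bits"], info["short_id"], "WEAK" if is_weak(info) else "ok")
```

Run it on a real exported key with `parse_public_key_packet(open("key.gpg", "rb").read())`; the short ID it prints should match what `gpg --list-keys` shows for the same key.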