[CentOS] Security: should I be concerned?

William L. Maltby BillsCentOS at triad.rr.com
Tue Oct 18 13:50:03 UTC 2005


On Wed, 2005-10-12 at 10:18 -0600, Nels Lindquist wrote: 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 12 Oct 2005 at 9:20, William L. Maltby wrote:
> 
> <snip>
> 
> > My second concern is with security update announcements. For all the
> > announcers but one (IIRC) I get "Invalid signature" displayed (using
> > Evolution). I would ask "Should I be concerned?", but the answer is
> > self-evident in security circles. So instead, I'll ask if this is
> > acceptable in the official CentOS and I can continue to rely on their
> > stuff in their opinion.
> 
> Do you have any more detail as to why the invalid signatures?  Does 
> it give you a different message if you haven't imported someone's 
> public key?  You might want to check out your GPG integration setup 
> with Evolution.  I'm using Thunderbird/Enigmail to read list mail, 
> and all of the CentOS announcement messages have verifiable 
> signatures.  I assume you have no trouble with PGP/MIME since that 
> appears to be what you're using...

Thanks for the response. I'm really relatively new to all this security
stuff *and* GUI/Gnome/KDE/... and have a background rooted in a deep, dark
CLI past. No serious administration/security background either.

I installed CentOS, tried out a few utilities, saw all this GUI stuff,
saw Evolution and decided to try it. As part of this, I set up my gpg
key stuff, test sent a mail to me and saw "valid signature". I thought
"Cool, made this as easy as Windows" (I don't like Windows much, but I
have to use it sometimes). Based on your reply, it sounds like there is
more I need to learn and setup.

Because I seemed to recall *some* of the sigs came across OK, my first
assessment was that I should ask. I figured that those that showed as
invalid signatures might be because the senders were not on their normal
machines, or other factors beyond my knowledge might be in play. So I
opted to ask first.

Responding to what you posted, I started looking for one that came
across OK, but don't have one saved. Further, the ones I do have saved
all have invalid sig notifications. Ones I posted to the list have valid
sig notifications and came back OK.

Taking your mention of "... importing someone's public key..." and the
rest, I started doing some reading, realizing at that moment that this
was not as automatic as Windows. Checking the config file, it looks like
I have the servers correctly identified (which in my ignorance was all I
thought was needed, thinking a key would be automatically fetched like
in Windows). I have imported the public keys and it eliminated those
messages.

Thanks for taking the time to get me started down the right road on
this. Reading in progress on many new subjects....

> 
> - ----
> Nels Lindquist <*>
> Information Systems Manager
> Morningstar Air Express Inc.
> <snip rest of sig>

Related in a thread started by Rich Huff <rich at richhuff.com> "CentOS security signatures in Evolution"
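The distinction the thread turns on, as an added example that is not part of the original post or of Evolution's code: a mail client decides what to display by running gpg with `--status-fd` and reading the machine-readable `[GNUPG:]` lines. A single "Invalid signature" indicator can cover two different outcomes, a genuinely bad signature (BADSIG) and a signature that could not be checked at all because the signer's public key is not in the local keyring (ERRSIG followed by NO_PUBKEY). Only the second is cured by importing the key. The status lines below are constructed samples; the key id, fingerprint, user id and timestamps in them are made up, and the `gpg_verify_command` argv is an illustration of the call a client makes, not Evolution's actual invocation.

```python
"""Classify gpg --status-fd output the way a mail client does.

Example code, not from the CentOS list post or from Evolution.  The status
samples at the bottom are constructed; key ids and fingerprints are made up.
"""
from dataclasses import dataclass
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class VerifyResult:
    state: str = "unknown"       # good | bad | no_pubkey | expired_key | revoked_key | error | unknown
    key_id: Optional[str] = None
    user_id: Optional[str] = None
    fingerprint: Optional[str] = None
    trust: Optional[str] = None  # TRUST_UNDEFINED / TRUST_NEVER / TRUST_MARGINAL / TRUST_FULLY / TRUST_ULTIMATE


def gpg_verify_command(sig_path: str, signed_part_path: str) -> List[str]:
    """argv a client runs for a PGP/MIME detached signature.  signed_part_path
    must hold the signed MIME part byte-for-byte as transmitted (CRLF line
    ends); re-encoding it yields BADSIG, which is not a missing-key problem."""
    return ["gpg", "--batch", "--no-tty", "--status-fd", "1",
            "--verify", sig_path, signed_part_path]


def classify_status(status_text: str) -> VerifyResult:
    """Reduce the status lines to one outcome.  NO_PUBKEY refines the generic
    ERRSIG that precedes it, so 'key missing' is never reported as 'bad'."""
    r = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                               # human-readable text is not authoritative
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        keyword, args = fields[0], fields[1:]
        if keyword in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG"):
            r.state = {"GOODSIG": "good", "EXPKEYSIG": "expired_key",
                       "REVKEYSIG": "revoked_key"}[keyword]
            r.key_id = args[0]
            r.user_id = args[1] if len(args) > 1 else None
        elif keyword == "BADSIG":
            r.state, r.key_id = "bad", args[0]
            r.user_id = args[1] if len(args) > 1 else None
        elif keyword == "ERRSIG":
            r.key_id = args[0]
            if r.state == "unknown":
                r.state = "error"                  # refined below if NO_PUBKEY follows
        elif keyword == "NO_PUBKEY":
            r.state, r.key_id = "no_pubkey", args[0]
        elif keyword == "VALIDSIG":
            r.fingerprint = args[0]                # full fingerprint of the signing key
        elif keyword.startswith("TRUST_"):
            r.trust = keyword                      # keyring's trust in that key, separate from integrity
    return r


def display_label(r: VerifyResult) -> str:
    """User-facing text.  A good signature from an untrusted key is still a
    good signature; whether you trust the key is a separate question."""
    if r.state == "good":
        if r.trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            return f"Valid signature from {r.user_id}"
        return f"Valid signature from {r.user_id} (key not yet trusted/verified)"
    if r.state == "bad":
        return f"BAD signature claimed from {r.user_id}: content altered or forged"
    if r.state == "no_pubkey":
        return (f"Cannot verify: public key {r.key_id} is not in your keyring; "
                f"import it (e.g. gpg --recv-keys {r.key_id}) and re-check")
    if r.state in ("expired_key", "revoked_key"):
        return f"Signature checks out but signing key {r.key_id} is {r.state.split('_')[0]}"
    return "Signature could not be checked (gpg error)"


# Constructed status output.  Case 1: signer's key is not in the keyring.
STATUS_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1129640000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""
# Case 2: the same message after the key has been imported.
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF List Announcer (constructed) <announce at example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2005-10-18 1129640000 0 4 0 17 2 00
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Case 3: key present, but the signed bytes were altered in transit.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF List Announcer (constructed) <announce at example.org>
"""

if __name__ == "__main__":
    for name, status in (("no key", STATUS_NO_PUBKEY), ("good", STATUS_GOOD), ("bad", STATUS_BAD)):
        print(f"{name:7}: {display_label(classify_status(status))}")
```

Running the script prints one line per case; the "no key" case is the one that disappears after `gpg --recv-keys`/`gpg --import`, while a BADSIG persists no matter which keys are imported. Having the keyserver configured is not enough on its own: gpg only fetches unknown keys when told to (`--auto-key-retrieve` in GnuPG 2.x, `--keyserver-options auto-key-retrieve` in 1.4), and a client that does not pass that option will keep reporting the missing key until it is imported by hand.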
