
Ubuntu/debian install: Key used for signing package not available in ossec.net/download-ossec #2137

Open
johays opened this issue Nov 29, 2024 · 1 comment
johays commented Nov 29, 2024

Trying to install OSSEC on a fresh Debian 12 system.
I would like to verify the package before running the installer on my system.

While there is a GPG signature provided for the .tar.gz file found on https://www.ossec.net/download-ossec/ , there is no apparent pointer to where/how to get the corresponding public key used in the signature (https://github.com/ossec/ossec-hids/releases/download/3.7.0/ossec-hids-3.7.0.tar.gz.asc)

A simple gpg --recv-key for the key ID gives a "contains no user ID" error (see below).

Any ideas where I might find the corresponding key?

Suggestion: include the public key used for signing next to the signature file in https://www.ossec.net/download-ossec/ , or supply a CLI one-liner showing how to import it in a somewhat trustworthy manner.

For inspiration: here is how Linux Mint and The Tor Project guide their users to import GPG keys and verify signatures.

user@host:~/Downloads$ gpg --verify ossec-hids-3.7.0.tar.gz.asc 
gpg: assuming signed data in 'ossec-hids-3.7.0.tar.gz'
gpg: Signature made Mon 17 Jan 2022 05:09:10 PM CET
gpg:                using RSA key B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7
gpg: Can't check signature: No public key

user@host:~/Downloads$ gpg --recv-key B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7
gpg: key EE1B0E6B2D8387B7: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
johays commented Nov 29, 2024

Related to #1046
The post suggests that the key is located here: https://www.ossec.net/files/OSSEC-ARCHIVE-KEY.asc
This proves true and works; I now get a valid signature.

HOWEVER, I think this should be public information available at https://www.ossec.net/download-ossec/ , not forcing users to dig through old issues on GitHub to be able to verify a signature.

gpg: key EE1B0E6B2D8387B7: public key "Scott R. Shinn <scott@atomicorp.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

user@host:~/Downloads$ gpg --verify ossec-hids-3.7.0.tar.gz.asc 
gpg: assuming signed data in 'ossec-hids-3.7.0.tar.gz'
gpg: Signature made Mon 17 Jan 2022 05:09:10 PM CET
gpg:                using RSA key B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7
gpg: Good signature from "Scott R. Shinn <scott@atomicorp.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B50F B194 7A0A E311 45D0  5FAD EE1B 0E6B 2D83 87B7
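
As an added example (not code from this issue or from the OSSEC project), a POSIX shell routine that automates the steps in the reply above: import the key from the URL named there, run gpg --verify with machine-readable status output, and accept the signature only if the primary key fingerprint equals the one gpg printed in the issue. Pinning the fingerprint is what turns the "not certified with a trusted signature" warning into a deliberate decision; the key URL and fingerprint are taken from the issue, while the function names and the sample status lines are constructed.

```shell
#!/bin/sh
# Values quoted in this issue: the key location from the reply and the
# primary key fingerprint printed by gpg --verify.
OSSEC_KEY_URL="https://www.ossec.net/files/OSSEC-ARCHIVE-KEY.asc"
OSSEC_KEY_FPR="B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7"

# check_validsig STATUS_TEXT EXPECTED_FPR
# Reads gpg --status-fd output and succeeds only when a VALIDSIG line names
# EXPECTED_FPR as the primary key fingerprint (its last field). GOODSIG alone
# is not enough: it only proves that some imported key signed the file.
check_validsig() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_ossec_tarball TARBALL SIGFILE  (hypothetical wrapper, needs curl + gpg)
# Imports the archive key into a throwaway keyring, verifies the detached
# signature and pins the fingerprint; the keyring is removed afterwards.
verify_ossec_tarball() {
    home=$(mktemp -d) || return 1
    curl -fsSL "$OSSEC_KEY_URL" | gpg --homedir "$home" --batch --import 2>/dev/null \
        || { rm -rf "$home"; return 1; }
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    rc=$?
    rm -rf "$home"
    [ "$rc" -eq 0 ] && check_validsig "$status" "$OSSEC_KEY_FPR"
}

# Constructed status output (SIG_ID and timestamp made up) in the shape gpg
# emits for the signature shown in the issue; used for an offline self-check.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] SIG_ID constructedSigId 2022-01-17 1642435750
[GNUPG:] GOODSIG EE1B0E6B2D8387B7 Scott R. Shinn <scott@atomicorp.com>
[GNUPG:] VALIDSIG B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7 2022-01-17 1642435750 0 4 0 1 10 00 B50FB1947A0AE31145D05FADEE1B0E6B2D8387B7
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Offline self-check: the pinned fingerprint is accepted, any other one is not.
self_check() {
    check_validsig "$SAMPLE_STATUS" "$OSSEC_KEY_FPR" || return 1
    check_validsig "$SAMPLE_STATUS" "0000000000000000000000000000000000000000" && return 1
    return 0
}
```

Run `verify_ossec_tarball ossec-hids-3.7.0.tar.gz ossec-hids-3.7.0.tar.gz.asc` against the downloaded files; it exits non-zero unless the signature is good and made by the pinned key.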
