What is a “canary”
To confirm that DeepTech group has not been compromised by an attacker and that its administrators are not under arrest, we publish so-called canaries. A canary is a message containing
- A statement about the current situation
- A clear indication of the date when the message was created, together with confirmation that it was not created beforehand, for example a reference to recent news
- A digital signature made with the group administrator’s private key
How to verify a canary
Import our public key from a file
gpg --import key.asc
or receive it from a key server
gpg --recv-keys 0x8B2EAB50FFCF63CD
The key has subkeys; one of them, 0x359C97B6B05E5A41, is used for signing the canaries:
$ gpg -k firstname.lastname@example.org
pub rsa4096/0x8B2EAB50FFCF63CD 2018-06-05 [SC] [expires: 2019-06-05]
uid Deep Tech Group <email@example.com>
uid Deep Tech Group <firstname.lastname@example.org>
sub rsa4096/0x5A5F4E77BAC8D911 2018-06-05 [E] [expires: 2019-06-05]
sub rsa4096/0x359C97B6B05E5A41 2018-06-05 [S] [expires: 2019-06-05]
Copy the canary’s text (including the signature part) into a file, e.g. canary1.txt, then run
gpg --verify canary1.txt
If the signature is correct you should see something like
gpg: Signature made Wed 06 Jun 2018 00:00:02 AM GMT
gpg: using RSA key 0x359C97B6B05E5A41
gpg: Good signature from "Deep Tech Group <email@example.com>"
gpg: aka "Deep Tech Group <firstname.lastname@example.org>"
Limitations of our canaries
Because all DeepTech administrators work under pseudonyms, we cannot use PGP’s normal web of trust to confirm our identities. An attacker who takes control of all our public resources can therefore replace the key with his own and issue fake canaries that will pass the verification steps above.
Recommended defense: save our public key early and use it to verify all subsequent canaries. In the future we may use multiple keys and may join the web of trust.
Also, please remember that canaries can be compromised if an attacker gains access to our private key.
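The recommended defense above, as an added example (not DeepTech’s own code): a shell function that reads GnuPG’s machine-readable status output and accepts a canary only if it was signed under the primary key whose fingerprint you saved earlier and the signature is recent. The function names, the placeholder fingerprints, the sample status lines and the age limit are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage with real data (fingerprint saved at first import):
#   gpg --status-fd 1 --verify canary1.txt 2>/dev/null |
#       check_canary_status "$PINNED_FPR" "$(date +%s)" 200
# Arguments: pinned primary-key fingerprint, current epoch time, max age in days.
check_canary_status() {
    awk -v pinned="$1" -v now="$2" -v max_age="$3" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # Statuses that mean the signature or its key must not be relied on.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = $2 }
        # VALIDSIG fields: $3 signing-key fingerprint, $5 signature time
        # (epoch seconds, asserted by the signer), $12 primary-key fingerprint.
        $2 == "VALIDSIG" { n++; sig_time = $5; primary = $12 }
        END {
            if (bad != "")       { print "FAIL: gpg reported " bad; exit 1 }
            if (!good || n != 1) { print "FAIL: expected exactly one good signature"; exit 1 }
            if (pinned == "" || toupper(primary) != toupper(pinned)) {
                print "FAIL: signed under unpinned key " primary; exit 1
            }
            if (sig_time !~ /^[0-9]+$/) { print "FAIL: unparsable signature time"; exit 1 }
            age = int((now - sig_time) / 86400)
            if (age < 0 || age > max_age) {
                print "FAIL: signature is " age " days old"; exit 1
            }
            print "OK: pinned key, signature " age " days old"
        }'
}

# Constructed sample: placeholder fingerprints, not the real ones of the group.
PINNED_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sample_status() {   # $1 = primary-key fingerprint reported by gpg
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Deep Tech Group <email@example.com>
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2018-06-06 1528243202 0 4 0 1 10 01 $1
EOF
}

sample_status "$PINNED_FPR" | check_canary_status "$PINNED_FPR" 1530000000 60
```

A canary signed with a replacement key still produces “Good signature” in the human-readable output once that key is imported; only the comparison against the saved fingerprint distinguishes the two cases.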
Canary #1 from 6 of June, 2018
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [ Deep Tech Group Canary #1 ] Publishing website of Deep Tech Group. This canary is issued on 6 of June, 2018. Proof of freshness: Linux kernel 4.17 was released on Sun, 3 Jun 2018 14:58:57 -0700 https://lkml.org/lkml/2018/6/3/142 -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJbFyQCAAoJEDWcl7awXlpBT/0P+wSf4oLBlmNvulgGz3Dmms6s U65jUvpWtHIr7L93YsOf5y5hnxj3H7+Aj3L0Wr/KiPD+HOlzABha2ynE09agN14F gHpVWrYCOz/cUdWhJZkWE8aq0nFYrojQnqiGeLxvBdgvDCLg03zngLbL/iowqi31 HpCeu9UPbIi/w2RG5i9MlOrbElaSB3tVVwgSDCnYmeNV5W0dw8xAKU/u+OXVgTZi HNn7o7lMHSR2FGu3UJq/JnPy0b1dLp40q4AfMtfbvhulQt8j8EAcjLCe83aOlzlA jcvpVURtpnKPrrmolV9tzaKLe7M0VwiM1eP1oQSwkR3yUy98iA3nI0HRcvH1/Yqv o0MTFJKtM+/WB/gsx0IahDxfUZQrGjlc79F5T4olJishg5I3PC/mxuV7dGw8CfYl z9FbQyxpk8u1cd2muFxjOnvRGccnqMVnMEd0vL5tL5vw25qfL6wRI+XVjq3ELWbj 9RZImjgP1zWn849gfb5RLXlLU1jROqadH9N0S7i6PCVnlsTO0OkB6/a4uYvidJJb M4sXOE6ReKCkvddAVz7gQbQ8AmiIFIwrLt1Qy2T6AkTllJyQEgtqBUxXy2PNDpxz 0e95K6AtC/28SBVJEvJznIKTIQSDLJt1Yd4fGAYpisqkeOCOaZfywWTIWZQ2XC5E dU791hUrzI3H1SR4NQFO =m2NJ -----END PGP SIGNATURE-----
Canary #2 from 8 of January, 2019
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [ Deep Tech Group Canary #2 ] Publishing git services of Deep Tech Group. This canary is issued on 8 of June, 2018. Proof of freshness: Linux kernel 5.0 was announced on Sun, 6 Jan 2019 18:14:15 -0800 https://lkml.org/lkml/2019/1/6/178 -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEECSxmi6XNcjtnmvyQNZyXtrBeWkEFAlwz6AAACgkQNZyXtrBe WkHDqQ/9GcHkE7r8QY1dXkBJ+Mmam7xMqqOJ4E+fmLj9hbSIW3w22meVcW3gX/G5 tXec1fAZ2/jw5Yt2kAXoBe8Km4FUBEjbm071oHFyXSBqPB8mnSSl7yRwj0DKCyCt cfwUBN4V5DJcrbftm5i2mWERT0HKYPFAj0dks5zkuSP6OC9kdONxDPN/oiby60Qe siCAxc9zztq6Kd7ONnKh+LyVaRwaw4/haCSNSmCcgVmIowGxXuyzMjPu0Bsj1aDE 4gj0AxpUuZV+B3WCNMpEhcVQsGC/JoD8BzYrknDdOhWTCCU0tObUW99MlXDn4WgT +Ii6V1A4Jc6osuiNKnNJEf5o5JmFB3Yfv2DsV0fO7x9uggA1zzjI5AqNKp+RCfFZ LNV7xPa8LRKyO1DK2+hMexXE+QmJTd3R+t7J/W5XSM8QTiaEqBY6T6kIakqHFVzm N4tQRXOqtjiSP/7jJJvANTNLbl0YxZiFNLIGotNzZRvUIyMdkSKvc67tIf74/gkm DKy3FAITJHpGuhSZPXUWPIK62HpgCg8VduaKJVrG2aU2C7/gq+jHlGdv7k30gDeo 2YaKoUHGUUbp2FSwUGl0AZJd6HOhhek9PjkmWReCXNMjXpQNGyIiImb6o7Qq0eOS kpBn5gBp2tVIGTu4R2nOGbGyz8dyH58ULZxIepIfh806fu5KIiU= =n1gd -----END PGP SIGNATURE-----