Tom Lisjac
2023-Jan-31 05:12 UTC
[syslinux] public key for verification of Syslinux distribution
Hi Kamen,

In addition to the signing key, there are a few other issues:

1. The signed 6.0.3 sources from kernel.org or any other sites/repos directly related to the syslinux project will not cleanly compile
2. As such, Linux distros have had to combine some version of the broken sources with their signed patches to create binary packages
3. Some distros patch the signed 6.0.3 official release or unofficial 6.0.4 pre's. A signed 6.0.4-pre1 tarball <https://mirrors.edge.kernel.org/pub/linux/utils/boot/syslinux/Testing/6.04/> does exist, but also doesn't compile

So to achieve some level of build traceability with the boot process, you have to pick a distro, grab their source package and trust the upstream tarball they've acquired and patched. While it's better than nothing, a patched and signed tarball from the project site would make a trusted version easier for everyone to build.

With that said, syslinux is still the simplest, most reliable and space efficient method of booting hybrid iso's.

If you find a way to successfully compile a signed 6.0.x release (even with the expired key) that doesn't rely on distro repackaging, please share how you've done it.

Thanks,

-Tom

On Thu, 26 Jan, 2023 at 7:05 PM, Kamen Lozev via Syslinux <syslinux at syslinux.org> wrote:

To: gregory lee bartholomew; syslinux at syslinux.org

Hi Gregory,

Thank you very much for your help!

I tried to import the key from the OpenPGP server that you suggested and got:
gpg: key 88AE647D58F7ABFE: no user ID

I read that the OpenPGP server has an owner approval system and by default removes all IDs.
I had checked the Ubuntu OpenPGP keyserver, keyserver.ubuntu.com, and, after your response, several other key servers, though I did not find the key anywhere else.

On Thu, Jan 26, 2023 at 5:15 PM Gregory Lee Bartholomew <gregory.lee.bartholomew at gmail.com> wrote:
> It looks like the key can be retrieved from
> https://keys.openpgp.org/search?q=88AE647D58F7ABFE
>
> But it looks like it is expired:
> https://www.syslinux.org/archives/2017-January/025519.html
>
> On Thu, 2023-01-26 at 13:01 -0600, Kamen Lozev via Syslinux wrote:
> > Dear SYSLINUX Team,
> >
> > Thank you so much for a great system. I really appreciate it.
> > I downloaded the latest Syslinux distribution, available on www.kernel.org,
> > to a Microsoft Windows machine, and attempted to verify the distribution:
> > gpg --verify .\syslinux-6.03.zip.sign.txt .\syslinux-6.03.zip
> > gpg: Signature made 10/6/2014 11:32:37 AM Central Daylight Time
> > gpg: using RSA key 88AE647D58F7ABFE
> > gpg: Can't check signature: No public key
> >
> > I do not see the public key on the Syslinux web site, the Linux kernel's
> > PGP Git, or in Google search results. Sorry, if I missed it. Could you
> > please suggest a good way to retrieve the above public key? Is there an
> > interface for searching the archives of this mailing list?

--
Best regards,
Kamen Lozev
Manager
Quality IT Support LLC
_______________________________________________
Syslinux mailing list
Submissions to Syslinux at syslinux.org
Unsubscribe or set options at: https://lists.syslinux.org/syslinux
Kamen Lozev
2023-Jan-31 17:05 UTC
[syslinux] public key for verification of Syslinux distribution
Hi Tom,

Thank you very much for your help. I really appreciate it.

I did a quick compile test with Mingw on Microsoft Windows with the source code from the signed 6.0.3 archive, as well as the commits corresponding to 6.0.3, and master, directly from the Syslinux project's Git repository, http://repo.or.cz/syslinux.git , which is suggested and linked to on the project's Development wiki page.

I verified what you wrote in 1. and 3.

I'll be glad to test further in a Linux environment, with the goal of finding a way to compile the sources, and produce a pull request, which others can review.

In the meantime, your suggestion on build traceability is a great idea, and a practical way for me to get started.

Thank you,
Kamen

On Mon, Jan 30, 2023 at 11:12 PM Tom Lisjac <netdxr at centurylink.net> wrote:
> Hi Kamen,
>
> In addition to the signing key, there are a few other issues:
>
> 1. The signed 6.0.3 sources from kernel.org or any other sites/repos
>    directly related to the syslinux project will not cleanly compile
> 2. As such, Linux distros have had to combine some version of the
>    broken sources with their signed patches to create binary packages
> 3. Some distros patch the signed 6.0.3 official release or unofficial
>    6.0.4 pre's. A signed 6.0.4-pre1 tarball
>    <https://mirrors.edge.kernel.org/pub/linux/utils/boot/syslinux/Testing/6.04/>
>    does exist, but also doesn't compile
>
> So to achieve some level of build traceability with the boot process, you
> have to pick a distro, grab their source package and trust the upstream
> tarball they've acquired and patched. While it's better than nothing, a
> patched and signed tarball from the project site would make a trusted
> version easier for everyone to build.
>
> With that said, syslinux is still the simplest, most reliable and space
> efficient method of booting hybrid iso's. If you find a way to successfully
> compile a signed 6.0.x release (even with the expired key) that doesn't
> rely on distro repackaging, please share how you've done it.
>
> Thanks,
>
> -Tom
>
> On Thu, 26 Jan, 2023 at 7:05 PM, Kamen Lozev via Syslinux <syslinux at syslinux.org> wrote:
>
> To: gregory lee bartholomew; syslinux at syslinux.org
> Hi Gregory,
>
> Thank you very much for your help!
>
> I tried to import the key from the OpenPGP server that you suggested and got:
> gpg: key 88AE647D58F7ABFE: no user ID
>
> I read that the OpenPGP server has an owner approval system and by default
> removes all IDs.
> I had checked the Ubuntu OpenPGP keyserver, keyserver.ubuntu.com, and,
> after your response,
> several other key servers, though I did not find the key anywhere else.
>
> On Thu, Jan 26, 2023 at 5:15 PM Gregory Lee Bartholomew <gregory.lee.bartholomew at gmail.com> wrote:
>
> > It looks like the key can be retrieved from
> > https://keys.openpgp.org/search?q=88AE647D58F7ABFE
> >
> > But it looks like it is expired:
> > https://www.syslinux.org/archives/2017-January/025519.html
> >
> > On Thu, 2023-01-26 at 13:01 -0600, Kamen Lozev via Syslinux wrote:
> > > Dear SYSLINUX Team,
> > >
> > > Thank you so much for a great system. I really appreciate it.
> > > I downloaded the latest Syslinux distribution, available on www.kernel.org,
> > > to a Microsoft Windows machine, and attempted to verify the distribution:
> > > gpg --verify .\syslinux-6.03.zip.sign.txt .\syslinux-6.03.zip
> > > gpg: Signature made 10/6/2014 11:32:37 AM Central Daylight Time
> > > gpg: using RSA key 88AE647D58F7ABFE
> > > gpg: Can't check signature: No public key
> > >
> > > I do not see the public key on the Syslinux web site, the Linux kernel's
> > > PGP Git, or in Google search results. Sorry, if I missed it. Could you
> > > please suggest a good way to retrieve the above public key? Is there an
> > > interface for searching the archives of this mailing list?
>
> --
> Best regards,
> Kamen Lozev
> Manager
> Quality IT Support LLC

--
Best regards,
Kamen Lozev
Manager
Quality IT Support LLC
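
The verification outcomes discussed in this thread (no public key available, and a key that can be found but has expired) can be told apart in a build script by reading GnuPG's machine-readable status lines instead of its human-readable messages. The following is an added example, not part of the original messages or of the Syslinux project; the function name, verdict strings and sample status lines are assumptions constructed for illustration, while the status keywords are GnuPG's own.

```shell
#!/bin/sh
# Added example. Reads GnuPG status lines on stdin, as produced by
#   gpg --status-fd 1 --verify SIGFILE DATAFILE 2>/dev/null
# and prints one verdict. Returns 0 only for a good signature made by the
# expected key, so "key expired" must be accepted explicitly by the caller.
# Pinning the full fingerprint (VALIDSIG) is stronger than a 16-digit key ID;
# the key ID is used here because it is the only identifier in the thread.
classify_gpg_status() {
    want=$1                 # expected long key ID (16 hex digits)
    verdict=no-signature    # nothing signature-related seen yet
    while read -r tag kw keyid rest; do
        if [ "$tag" != "[GNUPG:]" ]; then continue; fi
        case $kw in
            BADSIG)    verdict=bad-signature; break ;;
            ERRSIG)    verdict=cannot-check ;;          # refined by NO_PUBKEY
            NO_PUBKEY) verdict=no-public-key ;;
            REVKEYSIG) verdict=key-revoked ;;
            EXPSIG)    verdict=signature-expired ;;
            EXPKEYSIG) verdict=good-but-key-expired ;;  # crypto OK, key expired
            GOODSIG)   verdict=good ;;
            *)         continue ;;
        esac
        # A signature by any other key says nothing about this release.
        if [ "$keyid" != "$want" ]; then
            verdict=unexpected-key
            break
        fi
    done
    echo "$verdict"
    [ "$verdict" = good ]
}

# Constructed status lines (not captured gpg output) for the two cases raised
# in the thread: key missing from the keyring, and key present but expired.
SAMPLE_NO_PUBKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 88AE647D58F7ABFE 1 2 00 1412613157 9
[GNUPG:] NO_PUBKEY 88AE647D58F7ABFE'
SAMPLE_EXPIRED_KEY='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 88AE647D58F7ABFE Example Signer <signer@example.invalid>'
```

A build script can treat `good-but-key-expired` as a separate, logged decision rather than folding it into either success or failure, which keeps the traceability question raised above visible in the build record.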