activemq-commits mailing list archives

From "Hiram Chirino (JIRA)" <>
Subject [jira] [Resolved] (APLO-372) Useless gpg signature
Date Wed, 07 Jan 2015 17:20:36 GMT


Hiram Chirino resolved APLO-372.
    Resolution: Won't Fix
      Assignee: Hiram Chirino

The trusted GPG sigs are listed at:

If you want to double-check whose keys are trusted to sign the release, check out the KEYS file in the project's SCM repository:;a=tree

> Useless gpg signature
> ---------------------
>                 Key: APLO-372
>                 URL:
>             Project: ActiveMQ Apollo
>          Issue Type: Bug
>          Components: apollo-distro
>    Affects Versions: 1.7
>            Reporter: Hadmut Danisch
>            Assignee: Hiram Chirino
> Hi,
> when downloading apollo from the download network, the connection is not trusted and
> can easily be spoofed. Therefore, apollo comes with a pgp signature.
> However, this signature is completely useless for two reasons:
> 1) The key is named
> Hiram Chirino <>
> Who is that? Is he a developer or simply a random name chosen by the attacker? How should
> one know whether he is authorized to release code?
> 2) The key is not signed by anyone else and there is no fingerprint on any webpage, absolutely
> no way to verify authenticity.
> So whoever is able to replace the software release with a modified version, could as
> well replace the signature file with one signed by the attacker himself, after generating
> a random key with a random name, either Hiram Chirino, Donald Duck, or Batman.
> So providing the gpg signature is absolutely pointless and does not raise security at
> all. But it raises the question whether the security of apollo itself could be any better.
> regards

This message was sent by Atlassian JIRA
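The check Hiram points to, in script form: import only the project's KEYS file (fetched from SCM, a channel independent of the download mirror) into a throwaway keyring, verify the detached signature there, and confirm the signing key's full fingerprint is one the KEYS file lists. This is an added example, not code from the JIRA thread or from the Apollo project; it assumes the usual Apache-style KEYS layout (`gpg --list-keys` text above the armored key blocks) and gpg's `VALIDSIG` status line, and the fingerprints in the sample KEYS text are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of the JIRA thread or the Apollo project.
# Verifies a release artifact against a KEYS file taken from the project's
# SCM, in a temporary keyring, and checks the signing fingerprint against it.

# Constructed sample KEYS text in the usual "gpg --list-keys" layout.
# The fingerprints below are placeholders, not real keys.
SAMPLE_KEYS='pub   rsa4096 2014-01-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ unknown] Example Release Manager <rm@example.invalid>
pub   rsa2048 2013-05-05 [SC]
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
uid           Another Committer <other@example.invalid>'

# Canonicalise a fingerprint: drop spaces, uppercase the hex digits.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# fpr_in_keys FINGERPRINT KEYS_TEXT
# Exit 0 if the full 40-hex-digit fingerprint appears in KEYS_TEXT, 1 if not,
# 2 if the argument is not a well-formed fingerprint. Short key IDs are
# rejected on purpose: a name or an 8-digit ID is cheap to reproduce, the
# full fingerprint is not.
fpr_in_keys() {
  want=$(norm_fpr "$1")
  case "$want" in
    ""|*[!0-9A-F]*) return 2 ;;
  esac
  [ "${#want}" -eq 40 ] || return 2
  printf '%s\n' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]' | grep -q -F -- "$want"
}

# verify_release KEYS_FILE ARTIFACT DETACHED_SIG
# Imports only KEYS_FILE into a fresh keyring (so no key already on the
# machine can satisfy the check), verifies the detached signature, and
# reports which listed key signed. Requires gpg; the automated test below
# exercises only fpr_in_keys and norm_fpr.
verify_release() {
  keys_file=$1; artifact=$2; sig=$3
  home=$(mktemp -d) || return 1
  chmod 700 "$home"
  if ! gpg --homedir "$home" --batch --quiet --import "$keys_file" 2>/dev/null; then
    rm -rf "$home"; echo "could not import $keys_file" >&2; return 1
  fi
  status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null)
  rc=$?
  rm -rf "$home"
  if [ "$rc" -ne 0 ]; then
    echo "BAD: signature on $artifact does not verify against $keys_file" >&2
    return 1
  fi
  # The VALIDSIG status line carries the full fingerprint of the signing key.
  fpr=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}')
  if ! fpr_in_keys "$fpr" "$(cat "$keys_file")"; then
    echo "BAD: signing key $fpr is not listed in $keys_file" >&2
    return 1
  fi
  echo "OK: $artifact signed by $fpr, which is listed in $keys_file"
}

# Usage: sh verify.sh KEYS RELEASE.tar.gz RELEASE.tar.gz.asc
if [ "$#" -eq 3 ]; then
  verify_release "$@"
fi
```

The point of the temporary keyring is that a successful `gpg --verify` then means "signed by a key in KEYS", not "signed by some key I happened to have imported earlier"; the fingerprint printed at the end is what you compare against any fingerprint published out of band, which addresses the reporter's complaint that a key named after a committer proves nothing on its own.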
