[syslinux] public key for verification of Syslinux distribution

Tom Lisjac netdxr at centurylink.net
Mon Jan 30 21:12:13 PST 2023


Hi Kamen,


In addition to the signing key, there are a few other issues:

1. The signed 6.0.3 sources from kernel.org or any other sites/repos directly related to the syslinux project will not cleanly compile
2. As such, Linux distros have had to combine some version of the broken sources with their signed patches to create binary packages
3. Some distros patch the signed 6.0.3 official release or unofficial 6.0.4 pre's. A signed 6.0.4-pre1 tarball (https://mirrors.edge.kernel.org/pub/linux/utils/boot/syslinux/Testing/6.04/) does exist, but also doesn't compile

So to achieve some level of build traceability with the boot process, you have to pick a distro, grab their source package and trust the upstream tarball they've acquired and patched. While it's better than nothing, a patched and signed tarball from the project site would make a trusted version easier for everyone to build.



With that said, syslinux is still the simplest, most reliable and space-efficient method of booting hybrid ISOs. If you find a way to successfully compile a signed 6.0.x release (even with the expired key) that doesn't rely on distro repackaging, please share how you've done it.


Thanks,


-Tom

On Thu, 26 Jan, 2023 at 7:05 PM, Kamen Lozev via Syslinux <syslinux at syslinux.org> wrote:
 

To: gregory lee bartholomew; syslinux at syslinux.org

Hi Gregory,

Thank you very much for your help!

I tried to import the key from the OpenPGP server that you suggested and
got:
gpg: key 88AE647D58F7ABFE: no user ID

I read that the OpenPGP server has an owner approval system and by default
removes all IDs.
I had checked the Ubuntu OpenPGP keyserver, keyserver.ubuntu.com, and,
after your response,
several other key servers, though I did not find the key anywhere else.


On Thu, Jan 26, 2023 at 5:15 PM Gregory Lee Bartholomew <
gregory.lee.bartholomew at gmail.com> wrote:

> It looks like the key can be retrieved from
> https://keys.openpgp.org/search?q=88AE647D58F7ABFE
>
> But it looks like it is expired:
> https://www.syslinux.org/archives/2017-January/025519.html
>
> On Thu, 2023-01-26 at 13:01 -0600, Kamen Lozev via Syslinux wrote:
> > Dear SYSLINUX Team,
> >
> > Thank you so much for a great system. I really appreciate it.
> > I downloaded the latest Syslinux distribution, available on
> www.kernel.org,
> > to a Microsoft Windows machine, and attempted to verify the distribution:
> > gpg --verify .\syslinux-6.03.zip.sign.txt .\syslinux-6.03.zip
> > gpg: Signature made 10/6/2014 11:32:37 AM Central Daylight Time
> > gpg:                using RSA key 88AE647D58F7ABFE
> > gpg: Can't check signature: No public key
> >
> > I do not see the public key on the Syslinux web site, the Linux kernel's
> > PGP Git, or in Google search results. Sorry, if I missed it. Could you
> > please suggest a good way to retrieve the above public key? Is there an
> > interface for searching the archives of this mailing list?
> >
>


-- 
Best regards,
Kamen Lozev
Manager
Quality IT Support LLC