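<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<!--
  Syncthing security page. It publishes two PGP public keys (the release
  signing key and the security-contact key) and walks through verifying the
  signed checksum file of a binary release. The key blocks in the <pre>
  sections are the authoritative copies; the shell transcripts are example
  output for release v0.14.11.
-->
<title>Syncthing Security</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<link rel="shortcut icon" href="images/favicon.png" type="image/png">
<link rel="apple-touch-icon-precomposed" sizes="57x57" href="images/favicons/apple-touch-icon-57x57.png">
<link rel="apple-touch-icon-precomposed" sizes="72x72" href="images/favicons/apple-touch-icon-72x72.png">
<link rel="apple-touch-icon-precomposed" sizes="114x114" href="images/favicons/apple-touch-icon-114x114.png">
<link rel="apple-touch-icon-precomposed" sizes="120x120" href="images/favicons/apple-touch-icon-120x120.png">
<link rel="apple-touch-icon-precomposed" sizes="144x144" href="images/favicons/apple-touch-icon-144x144.png">
<link rel="apple-touch-icon-precomposed" sizes="152x152" href="images/favicons/apple-touch-icon-152x152.png">
<link rel="icon" type="image/png" href="images/favicons/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="images/favicons/favicon-16x16.png" sizes="16x16">
<meta name="application-name" content="Syncthing">
<meta name="msapplication-TileColor" content="#FFFFFF">
<meta name="msapplication-TileImage" content="images/favicons/mstile-144x144.png">
<meta name="theme-color" content="#FFFFFF">
<!--
  The three stylesheets below are fetched from a third-party CDN without
  Subresource Integrity. Because this page is where users read key IDs and
  fingerprints, pin them with integrity="sha384-..." plus
  crossorigin="anonymous" (hash computed from the pinned file version) so a
  substituted CDN response cannot restyle or hide parts of the page.
-->
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.3.0/css/font-awesome.min.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/github-fork-ribbon-css/0.1.1/gh-fork-ribbon.min.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.2/css/bootstrap.min.css">
<link rel="stylesheet" href="css/raleway.css">
<link rel="stylesheet" href="css/styles.css">
<script>
// Google Analytics loader. The analytics script URL is explicit https
// (the original was protocol-relative) so it is never fetched over plaintext.
// Note that this executes third-party script on the page that publishes the
// project's key material; keeping it is a product decision, not a technical one.
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-1060342-17', 'auto');
ga('send', 'pageview');
</script>
</head>
<body>
<div class="container">
<div class="row">
<div class="col-md-10 col-md-offset-1">
<h1>
<img class="security-logo" alt="Syncthing Security" title="Syncthing Security" src="images/logo-sec-128.crushed.png">
</h1>
<h2>Release Signatures</h2>
<p>The PGP key for release@syncthing.net (<code>D26E6ED000654A3E</code>) can be used
to verify the signatures of official binary releases newer than v0.10.14. See the <a href="#verify-older-release">note below</a> for older releases.</p>
<pre>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=rVev
-----END PGP PUBLIC KEY BLOCK-----
</pre>
<h2>Verifying a Release Signature</h2>
<p>You can browse <a href="https://github.com/syncthing/syncthing/releases/">all releases on GitHub</a>.</p>
<p>Download the release (<code>tar.gz</code> file) and the checksum <code>sha1sum.txt.asc</code> file.<br>
Example verifying release <code>v0.14.11</code>:</p>
<pre>
$ <b>curl -sLO https://github.com/syncthing/syncthing/releases/download/v0.14.11/syncthing-linux-amd64-v0.14.11.tar.gz</b>
$ <b>curl -sLO https://github.com/syncthing/syncthing/releases/download/v0.14.11/sha1sum.txt.asc</b>
</pre>
<h3>Verify that the SHA1 checksum is correct for the release.</h3>
<p>Errors will be printed for the release files you did not download - these can be ignored. The
important line is shown below in bold, indicating the checksum is "OK" for the downloaded release file.
A matching checksum only shows that the archive and the checksum file agree with each other; both
were downloaded from the same place, so it says nothing about who produced them until the signature
on the checksum file is verified in the steps below.</p>
<pre>
$ <b>sha1sum -c sha1sum.txt.asc</b>
...
sha1sum: syncthing-linux-386-v0.14.11.tar.gz: No such file or directory
syncthing-linux-386-v0.14.11.tar.gz: FAILED open or read
<b>syncthing-linux-amd64-v0.14.11.tar.gz: OK</b>
sha1sum: syncthing-linux-armv5-v0.14.11.tar.gz: No such file or directory
syncthing-linux-armv5-v0.14.11.tar.gz: FAILED open or read
...
sha1sum: WARNING: 20 lines are improperly formatted
sha1sum: WARNING: 12 listed files could not be read
</pre>
<p>Import the old and new release keys (only necessary if you haven't done this previously).</p>
<!-- The angle brackets in the user IDs below are escaped; unescaped they are
     parsed as start tags and the addresses vanish from the rendered page. -->
<pre>
$ <b>gpg --keyserver pool.sks-keyservers.net --recv-key 49F5AEC0BCE524C7 D26E6ED000654A3E</b>
gpg: requesting key BCE524C7 from hkp server pool.sks-keyservers.net
gpg: requesting key 00654A3E from hkp server pool.sks-keyservers.net
gpg: key BCE524C7: public key "Jakob Borg (calmh) &lt;jakob@nym.se&gt;" imported
gpg: key 00654A3E: public key "Syncthing Release Management &lt;release@syncthing.net&gt;" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 2)
</pre>
<p>Verify the signature on the checksum file. Again, the bolded line is the important one.
The warning that follows it is expected and means the key is not yet certified in your own keyring;
check that the key gpg reports as used (<code>D26E6ED000654A3E</code>) is the release key published
above, rather than relying on the keyserver response alone.</p>
<pre>
$ <b>gpg --verify sha1sum.txt.asc</b>
gpg: Signature made Tue Nov 15 07:44:49 2016 CET
gpg: using RSA key D26E6ED000654A3E
gpg: <b>Good signature from "Syncthing Release Management &lt;release@syncthing.net&gt;"</b>
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
</pre>
<h2 id="verify-older-release">Verifying an older release</h2>
<p>For versions v0.10.14 and earlier, the key for jakob@nym.se (<a href="https://nym.se/gpg.txt">https://nym.se/gpg.txt</a>,
<code>49F5AEC0BCE524C7</code>) was used. The new release key (<code>D26E6ED000654A3E</code>, release@syncthing.net)
is signed by the old key (jakob@nym.se) for continuity.</p>
<h2>Contacting the Syncthing Team Securely</h2>
<p>If you believe that you've found a Syncthing-related security
vulnerability, please report it by emailing
<a href="mailto:security@syncthing.net">security@syncthing.net</a>. The PGP
key for security@syncthing.net (<code>B683AD7B76CAB013</code>) below can be
used to send encrypted mail or to verify responses received from that
address.</p>
<pre>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=No/v
-----END PGP PUBLIC KEY BLOCK-----
</pre>
</div>
</div>
</div>
</body>
</html>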