* cygwin.com sftp key fingerprint?
@ 2015-05-30 22:06 Andrew Schulman
2015-05-31 7:15 ` Achim Gratz
0 siblings, 1 reply; 8+ messages in thread
From: Andrew Schulman @ 2015-05-30 22:06 UTC (permalink / raw)
To: cygwin-apps
I show the SFTP key fingerprint for cygwin.com as
SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM
Can anyone please confirm that?
Is the key fingerprint posted anywhere on cygwin.com or sourceware.org? I can't
find it. If not, would someone mind adding it to the "Uploading Packages to
cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so
people can verify it?
Thanks,
Andrew
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint?
2015-05-30 22:06 cygwin.com sftp key fingerprint? Andrew Schulman
@ 2015-05-31 7:15 ` Achim Gratz
2015-05-31 10:24 ` Corinna Vinschen
0 siblings, 1 reply; 8+ messages in thread
From: Achim Gratz @ 2015-05-31 7:15 UTC (permalink / raw)
To: cygwin-apps
Andrew Schulman writes:
> I show the SFTP key fingerprint for cygwin.com as
>
> SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM
>
> Can anyone please confirm that?
> ssh-keygen -lvf cygwin.com.pub
1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 [MD5] cygwin.com (RSA)
+--[ RSA 1024]----+
| EO&.o.oo o+|
| +o* . .o+|
| . + . . .|
| + o . |
| S o |
| |
| |
| |
| |
+--[MD5]----------+
> awk '{print $3}' cygwin.com.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64
MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM=
> Is the key fingerprint posted anywhere on cygwin.com or sourceware.org? I can't
> find it. If not, would someone mind adding it to the "Uploading Packages to
> cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so
> people can verify it?
Good idea.
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
SD adaptation for Waldorf rackAttack V1.04R1:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint?
2015-05-31 7:15 ` Achim Gratz
@ 2015-05-31 10:24 ` Corinna Vinschen
2015-05-31 21:08 ` Andrew Schulman
0 siblings, 1 reply; 8+ messages in thread
From: Corinna Vinschen @ 2015-05-31 10:24 UTC (permalink / raw)
To: cygwin-apps
[-- Attachment #1: Type: text/plain, Size: 1221 bytes --]
On May 31 09:15, Achim Gratz wrote:
> Andrew Schulman writes:
> > I show the SFTP key fingerprint for cygwin.com as
> >
> > SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM
> >
> > Can anyone please confirm that?
>
> > ssh-keygen -lvf cygwin.com.pub
> 1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 [MD5] cygwin.com (RSA)
> +--[ RSA 1024]----+
> | EO&.o.oo o+|
> | +o* . .o+|
> | . + . . .|
> | + o . |
> | S o |
> | |
> | |
> | |
> | |
> +--[MD5]----------+
> > awk '{print $3}' cygwin.com.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64
> MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM=
>
> > Is the key fingerprint posted anywhere on cygwin.com or sourceware.org? I can't
> > find it. If not, would someone mind adding it to the "Uploading Packages to
> > cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so
> > people can verify it?
>
> Good idea.
PGA?
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint?
2015-05-31 10:24 ` Corinna Vinschen
@ 2015-05-31 21:08 ` Andrew Schulman
2015-06-01 8:50 ` Corinna Vinschen
2015-06-01 16:18 ` Achim Gratz
0 siblings, 2 replies; 8+ messages in thread
From: Andrew Schulman @ 2015-05-31 21:08 UTC (permalink / raw)
To: cygwin-apps
[-- Attachment #1: Type: text/plain, Size: 624 bytes --]
> > > Is the key fingerprint posted anywhere on cygwin.com or sourceware.org? I can't
> > > find it. If not, would someone mind adding it to the "Uploading Packages to
> > > cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so
> > > people can verify it?
> >
> > Good idea.
>
> PGA?
OK, here you go. The patch is a bit large, because I took the opportunity to
reorganize the text a bit and add a new section showing how to upload packages
the automated way using cygport up. The complete revised page is at
http://home.comcast.net/~andrex2/cygwin/package-upload.html .
Andrew
[-- Attachment #2: package-upload.html.patch --]
[-- Type: application/octet-stream, Size: 5309 bytes --]
diff -urN a/package-upload.html b/package-upload.html
--- a/package-upload.html 2014-09-30 17:24:48.000000000 -0400
+++ b/package-upload.html 2015-05-31 17:04:19.000000000 -0400
@@ -21,7 +21,10 @@
</p>
<h2>Requesting upload privileges</h2>
-Send your public ssh key to the <a href="http://cygwin.com/lists.html#cygwin-apps">cygwin-apps</a> using this format:<pre><tt> Subject: SSH key for upload access
+
+<p>Send your public ssh key to the <a href="http://cygwin.com/lists.html#cygwin-apps">cygwin-apps</a> using this format:</p>
+
+<pre><tt> Subject: SSH key for upload access
Name: Your Name
Package: The name of <b>one</b> (and only one) of the packages that you are responsible for
@@ -30,26 +33,56 @@
---- END SSH2 PUBLIC KEY ----
</tt></pre>
-When specifying your name, use your exact name as shown at <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.<br>
+<p>When specifying your name, use your exact name as shown at <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.<br>
Specifying <b>one</b> package provides you with the ability to upload
-any of your packages from <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.
+any of your packages from <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.</p>
<p>The SSH key above should be generated from one of your public keys, e.g.:<pre><tt> ssh-keygen -e -f ~/.ssh/id_rsa.pub</pre></tt></p>
-The format of this email is not optional. It is read by a program so please
+<p>The format of this email is not optional. It is read by a program so please
do not deviate from the above. In particular, don't indent, don't add multiple
packages, and <b>do</b> use <a href="http://cygwin.com/cygwin-pkg-maint">your name</a> as
-recorded in <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.
+recorded in <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.</p>
<p><b>Note: Send email in this format if you need to update your ssh key.</b></p>
<p>Requests are handled manually and are acknowledged publicly in
response to email to the <tt>cygwin-apps</tt> mailing list.</p>
-<h2>Uploading Files to cygwin.com</h2>
-Once the ssh key has been installed you'll have limited
+
+<h2>Connecting to cygwin.com</h2>
+
+<p>Once the ssh key has been installed you'll have limited
<a href="http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol#SFTP_client">sftp</a>
-access to cygwin.com where you will be able to upload packages. An
-upload directory on cygwin.com will look like this:
+access to cygwin.com, where you will be able to upload packages. You may connect for example by
+<tt>sftp cygwin@cygwin.com</tt>, or using lftp as in the example below. When connecting,
+make sure that you use the user <tt>cygwin</tt> with no password, and that you are using the
+same ssh key as the one that you specified previously.</p>
+
+<p>The first time you connect, you should verify that the host key fingerprint matches one of
+the following hashes:</p>
+
+<ul>
+<li>SHA256 (OpenSSH 6.8 or later): <tt>SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM</tt>
+<li>MD5 (OpenSSH pre-6.8): <tt>1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23</tt>
+</ul>
+
+<h2>Uploading Files</h2>
+
+There are two ways to upload finished packages to cygwin.com.
+
+<h3>Using cygport</h3>
+
+<p>If you have a <a href="https://cygwin.com/cygport/README">cygport</a> build script for your
+packages, the easiest way to upload your finished packages is just to run:<p>
+
+<pre> cygport pkg.cygport up</pre>
+
+<p>That will upload your finished packages, taking care of all of the details described in the manual method below.</p>
+
+<h3>Manually</h3>
+
+<p>You may also upload files directly, using an sftp client such as sftp or lftp. An upload
+directory on cygwin.com will look like this:</p>
<pre>
Your Name # Directory is currently your full name (you won't actually see this)
@@ -60,11 +93,7 @@
pkg-debuginfo # package subdirectories
</pre>
-<p>When connecting, make sure that you use the user <tt>cygwin</tt> with
-no password and that you are using the same ssh key as the one that you
-specified previously.</p>
-
-<p>Example using <a href="http://lftp.yar.ru/">lftp</a> to upload packages:
+<h4>Example using <a href="http://lftp.yar.ru/">lftp</a> to upload packages:</h4>
<pre>
% lftp sftp://cygwin@cygwin.com
@@ -140,7 +169,9 @@
uploaded packages. It doesn't matter where you create this file but
it makes sense to put it at the root of your upload directory.</p>
-<h2>Example <tt>lftp</tt> upload command line</h3> <pre> From: Christopher Faylor
+<h4>Example <tt>lftp</tt> upload command line</h4>
+
+<pre> From: Christopher Faylor
To: cygwin-apps
Subject: Re: The upload system is live (Re: Major changes coming to
procedure for uploading to sourceware)
@@ -155,6 +186,7 @@
cgf
</pre>
+
<h2><a name="deleting">Removing files from the Cygwin distribution</a></h2>
To cause files to be removed from the distribution, upload an empty file with the name of the file that you want deleted, prefixed with a "<tt>-</tt>".
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint?
2015-05-31 21:08 ` Andrew Schulman
@ 2015-06-01 8:50 ` Corinna Vinschen
2015-06-01 16:18 ` Achim Gratz
1 sibling, 0 replies; 8+ messages in thread
From: Corinna Vinschen @ 2015-06-01 8:50 UTC (permalink / raw)
To: cygwin-apps
[-- Attachment #1: Type: text/plain, Size: 871 bytes --]
On May 31 17:08, Andrew Schulman wrote:
> > > > Is the key fingerprint posted anywhere on cygwin.com or sourceware.org? I can't
> > > > find it. If not, would someone mind adding it to the "Uploading Packages to
> > > > cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so
> > > > people can verify it?
> > >
> > > Good idea.
> >
> > PGA?
>
> OK, here you go. The patch is a bit large, because I took the opportunity to
> reorganize the text a bit and add a new section showing how to upload packages
> the automated way using cygport up. The complete revised page is at
> http://home.comcast.net/~andrex2/cygwin/package-upload.html .
Applied.
Thanks a lot,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint?
2015-05-31 21:08 ` Andrew Schulman
2015-06-01 8:50 ` Corinna Vinschen
@ 2015-06-01 16:18 ` Achim Gratz
2015-06-01 16:41 ` Corinna Vinschen
1 sibling, 1 reply; 8+ messages in thread
From: Achim Gratz @ 2015-06-01 16:18 UTC (permalink / raw)
To: cygwin-apps
Andrew Schulman writes:
> OK, here you go. The patch is a bit large, because I took the opportunity to
> reorganize the text a bit and add a new section showing how to upload packages
> the automated way using cygport up. The complete revised page is at
> http://home.comcast.net/~andrex2/cygwin/package-upload.html .
Looks good. However, you still haven't verified the fingerprint(s) with
Sourceware Overseers or did you? That I'm getting the same fingerprint
as you is a good sign, but certainly not a confirmation.
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint?
2015-06-01 16:18 ` Achim Gratz
@ 2015-06-01 16:41 ` Corinna Vinschen
2015-06-01 17:46 ` Achim Gratz
0 siblings, 1 reply; 8+ messages in thread
From: Corinna Vinschen @ 2015-06-01 16:41 UTC (permalink / raw)
To: cygwin-apps
[-- Attachment #1: Type: text/plain, Size: 1167 bytes --]
On Jun 1 18:17, Achim Gratz wrote:
> Andrew Schulman writes:
> > OK, here you go. The patch is a bit large, because I took the opportunity to
> > reorganize the text a bit and add a new section showing how to upload packages
> > the automated way using cygport up. The complete revised page is at
> > http://home.comcast.net/~andrex2/cygwin/package-upload.html .
>
> Looks good. However, you still haven't verified the fingerprint(s) with
> Sourceware Overseers or did you? That I'm getting the same fingerprint
> as you is a good sign, but certainly not a confirmation.
Running your commands on sourceware itself shows the exact same
results when accessing the public host RSA key:
$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 /etc/ssh/ssh_host_rsa_key.pub (RSA)
$ awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64
MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM=
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint?
2015-06-01 16:41 ` Corinna Vinschen
@ 2015-06-01 17:46 ` Achim Gratz
0 siblings, 0 replies; 8+ messages in thread
From: Achim Gratz @ 2015-06-01 17:46 UTC (permalink / raw)
To: cygwin-apps
Corinna Vinschen writes:
> Running your commands on sourceware itself shows the exact same
> results when accessing the public host RSA key:
>
> $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
> 1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 /etc/ssh/ssh_host_rsa_key.pub (RSA)
> $ awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64
> MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM=
That's good enough, I'd say. :-)
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
SD adaptation for Waldorf Blofeld V1.15B11:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2015-06-01 17:46 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-30 22:06 cygwin.com sftp key fingerprint? Andrew Schulman
2015-05-31 7:15 ` Achim Gratz
2015-05-31 10:24 ` Corinna Vinschen
2015-05-31 21:08 ` Andrew Schulman
2015-06-01 8:50 ` Corinna Vinschen
2015-06-01 16:18 ` Achim Gratz
2015-06-01 16:41 ` Corinna Vinschen
2015-06-01 17:46 ` Achim Gratz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).