cygwin.com sftp key fingerprint?

cygwin.com sftp key fingerprint?

[Andrew Schulman]

I show the SFTP key fingerprint for cygwin.com as

    SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM

Can anyone please confirm that?  

Is the key fingerprint posted anywhere on cygwin.com or sourceware.org?  I can't
find it.  If not, would someone mind adding it to the "Uploading Packages to
cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so
people can verify it?

Thanks,
Andrew

Re: cygwin.com sftp key fingerprint?

[Achim Gratz]

Andrew Schulman writes:
> I show the SFTP key fingerprint for cygwin.com as
>
>     SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM
>
> Can anyone please confirm that?  

> ssh-keygen -lvf cygwin.com.pub
1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 [MD5] cygwin.com (RSA)
+--[ RSA 1024]----+
|      EO&.o.oo o+|
|       +o* .  .o+|
|      .   + . . .|
|         + o .   |
|        S o      |
|                 |
|                 |
|                 |
|                 |
+--[MD5]----------+
> awk '{print $3}' cygwin.com.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64
MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM=

> Is the key fingerprint posted anywhere on cygwin.com or sourceware.org?  I can't
> find it.  If not, would someone mind adding it to the "Uploading Packages to
> cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so
> people can verify it?

Good idea.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf rackAttack V1.04R1:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada

Re: cygwin.com sftp key fingerprint?

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1221 bytes --]

On May 31 09:15, Achim Gratz wrote:
> Andrew Schulman writes:
> > I show the SFTP key fingerprint for cygwin.com as
> >
> >     SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM
> >
> > Can anyone please confirm that?  
> 
> > ssh-keygen -lvf cygwin.com.pub
> 1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 [MD5] cygwin.com (RSA)
> +--[ RSA 1024]----+
> |      EO&.o.oo o+|
> |       +o* .  .o+|
> |      .   + . . .|
> |         + o .   |
> |        S o      |
> |                 |
> |                 |
> |                 |
> |                 |
> +--[MD5]----------+
> > awk '{print $3}' cygwin.com.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64
> MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM=
> 
> > Is the key fingerprint posted anywhere on cygwin.com or sourceware.org?  I can't
> > find it.  If not, would someone mind adding it to the "Uploading Packages to
> > cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so
> > people can verify it?
> 
> Good idea.

PGA?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: cygwin.com sftp key fingerprint?

[Andrew Schulman]

[-- Attachment #1: Type: text/plain, Size: 624 bytes --]

> > > Is the key fingerprint posted anywhere on cygwin.com or sourceware.org?  I can't
> > > find it.  If not, would someone mind adding it to the "Uploading Packages to
> > > cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so
> > > people can verify it?
> > 
> > Good idea.
> 
> PGA?

OK, here you go.  The patch is a bit large, because I took the opportunity to
reorganize the text a bit and add a new section showing how to upload packages
the automated way using cygport up.  The complete revised page is at
http://home.comcast.net/~andrex2/cygwin/package-upload.html .

Andrew

[-- Attachment #2: package-upload.html.patch --]
[-- Type: application/octet-stream, Size: 5309 bytes --]

diff -urN a/package-upload.html b/package-upload.html
--- a/package-upload.html	2014-09-30 17:24:48.000000000 -0400
+++ b/package-upload.html	2015-05-31 17:04:19.000000000 -0400
@@ -21,7 +21,10 @@
 </p>
 
 <h2>Requesting upload privileges</h2>
-Send your public ssh key to the <a href="http://cygwin.com/lists.html#cygwin-apps">cygwin-apps</a> using this format:<pre><tt>    Subject: SSH key for upload access
+
+<p>Send your public ssh key to the <a href="http://cygwin.com/lists.html#cygwin-apps">cygwin-apps</a> using this format:</p>
+
+<pre><tt>    Subject: SSH key for upload access
 
     Name: Your Name
     Package: The name of <b>one</b> (and only one) of the packages that you are responsible for
@@ -30,26 +33,56 @@
     ---- END SSH2 PUBLIC KEY ----
 </tt></pre>
 
-When specifying your name, use your exact name as shown at <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.<br>
+<p>When specifying your name, use your exact name as shown at <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.<br>
 Specifying <b>one</b> package provides you with the ability to upload
-any of your packages from <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.
+any of your packages from <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.</p>
 
 <p>The SSH key above should be generated from one of your public keys, e.g.:<pre><tt>    ssh-keygen -e -f ~/.ssh/id_rsa.pub</pre></tt></p>
 
-The format of this email is not optional.  It is read by a program so please
+<p>The format of this email is not optional.  It is read by a program so please
 do not deviate from the above.  In particular, don't indent, don't add multiple
 packages, and <b>do</b> use <a href="http://cygwin.com/cygwin-pkg-maint">your name</a> as
-recorded in  <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.
+recorded in  <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.</p>
 
 <p><b>Note: Send email in this format if you need to update your ssh key.</b></p>
 
 <p>Requests are handled manually and are acknowledged publicly in
 response to email to the <tt>cygwin-apps</tt> mailing list.</p>
-<h2>Uploading Files to cygwin.com</h2>
-Once the ssh key has been installed you'll have limited
+
+<h2>Connecting to cygwin.com</h2>
+
+<p>Once the ssh key has been installed you'll have limited
 <a href="http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol#SFTP_client">sftp</a>
-access to cygwin.com where you will be able to upload packages.  An
-upload directory on cygwin.com will look like this:
+access to cygwin.com, where you will be able to upload packages.  You may connect for example by
+<tt>sftp cygwin@cygwin.com</tt>, or using lftp as in the example below.  When connecting,
+make sure that you use the user <tt>cygwin</tt> with no password, and that you are using the
+same ssh key as the one that you specified previously.</p>
+
+<p>The first time you connect, you should verify that the host key fingerprint matches one of
+the following hashes:</p>
+
+<ul>
+<li>SHA256 (OpenSSH 6.8 or later): <tt>SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM</tt>
+<li>MD5 (OpenSSH pre-6.8): <tt>1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23</tt>
+</ul>
+
+<h2>Uploading Files</h2>
+
+There are two ways to upload finished packages to cygwin.com.
+
+<h3>Using cygport</h3>
+
+<p>If you have a <a href="https://cygwin.com/cygport/README">cygport</a> build script for your
+packages, the easiest way to upload your finished packages is just to run:<p>
+
+<pre>    cygport pkg.cygport up</pre>
+
+<p>That will upload your finished packages, taking care of all of the details described in the manual method below.</p>
+
+<h3>Manually</h3>
+
+<p>You may also upload files directly, using an sftp client such as sftp or lftp. An upload
+directory on cygwin.com will look like this:</p>
 
 <pre>
     Your Name                   # Directory is currently your full name (you won't actually see this)
@@ -60,11 +93,7 @@
            pkg-debuginfo        # package subdirectories
 </pre>
 
-<p>When connecting, make sure that you use the user <tt>cygwin</tt> with
-no password and that you are using the same ssh key as the one that you
-specified previously.</p>
-
-<p>Example using <a href="http://lftp.yar.ru/">lftp</a> to upload packages:
+<h4>Example using <a href="http://lftp.yar.ru/">lftp</a> to upload packages:</h4>
 
 <pre>
     % lftp sftp://cygwin@cygwin.com
@@ -140,7 +169,9 @@
 uploaded packages.  It doesn't matter where you create this file but
 it makes sense to put it at the root of your upload directory.</p>
 
-<h2>Example <tt>lftp</tt> upload command line</h3> <pre>    From: Christopher Faylor
+<h4>Example <tt>lftp</tt> upload command line</h4>
+
+<pre>    From: Christopher Faylor
     To: cygwin-apps
     Subject: Re: The upload system is live (Re: Major changes coming to
             procedure for uploading to sourceware)
@@ -155,6 +186,7 @@
     
     cgf
 </pre>
+
 <h2><a name="deleting">Removing files from the Cygwin distribution</a></h2>
 
 To cause files to be removed from the distribution, upload an empty file with the name of the file that you want deleted, prefixed with a "<tt>-</tt>".

Re: cygwin.com sftp key fingerprint?

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 871 bytes --]

On May 31 17:08, Andrew Schulman wrote:
> > > > Is the key fingerprint posted anywhere on cygwin.com or sourceware.org?  I can't
> > > > find it.  If not, would someone mind adding it to the "Uploading Packages to
> > > > cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so
> > > > people can verify it?
> > > 
> > > Good idea.
> > 
> > PGA?
> 
> OK, here you go.  The patch is a bit large, because I took the opportunity to
> reorganize the text a bit and add a new section showing how to upload packages
> the automated way using cygport up.  The complete revised page is at
> http://home.comcast.net/~andrex2/cygwin/package-upload.html .

Applied.


Thanks a lot,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: cygwin.com sftp key fingerprint?

[Achim Gratz]

Andrew Schulman writes:
> OK, here you go.  The patch is a bit large, because I took the opportunity to
> reorganize the text a bit and add a new section showing how to upload packages
> the automated way using cygport up.  The complete revised page is at
> http://home.comcast.net/~andrex2/cygwin/package-upload.html .

Looks good.  However, you still haven't verified the fingerprint(s) with
Sourceware Overseers or did you?  That I'm getting the same fingerprint
as you is a good sign, but certainly not a confirmation.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada

Re: cygwin.com sftp key fingerprint?

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1167 bytes --]

On Jun  1 18:17, Achim Gratz wrote:
> Andrew Schulman writes:
> > OK, here you go.  The patch is a bit large, because I took the opportunity to
> > reorganize the text a bit and add a new section showing how to upload packages
> > the automated way using cygport up.  The complete revised page is at
> > http://home.comcast.net/~andrex2/cygwin/package-upload.html .
> 
> Looks good.  However, you still haven't verified the fingerprint(s) with
> Sourceware Overseers or did you?  That I'm getting the same fingerprint
> as you is a good sign, but certainly not a confirmation.

Running your commands on sourceware itself shows the exact same
results when accessing the public host RSA key:

$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 /etc/ssh/ssh_host_rsa_key.pub (RSA)
$ awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64
MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM=


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: cygwin.com sftp key fingerprint?

[Achim Gratz]

Corinna Vinschen writes:
> Running your commands on sourceware itself shows the exact same
> results when accessing the public host RSA key:
>
> $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
> 1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 /etc/ssh/ssh_host_rsa_key.pub (RSA)
> $ awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64
> MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM=

That's good enough, I'd say.  :-)


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf Blofeld V1.15B11:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada