* cygwin.com sftp key fingerprint? @ 2015-05-30 22:06 Andrew Schulman 2015-05-31 7:15 ` Achim Gratz 0 siblings, 1 reply; 8+ messages in thread From: Andrew Schulman @ 2015-05-30 22:06 UTC (permalink / raw) To: cygwin-apps I show the SFTP key fingerprint for cygwin.com as SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM Can anyone please confirm that? Is the key fingerprint posted anywhere on cygwin.com or sourceware.org? I can't find it. If not, would someone mind adding it to the "Uploading Packages to cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so people can verify it? Thanks, Andrew ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint? 2015-05-30 22:06 cygwin.com sftp key fingerprint? Andrew Schulman @ 2015-05-31 7:15 ` Achim Gratz 2015-05-31 10:24 ` Corinna Vinschen 0 siblings, 1 reply; 8+ messages in thread From: Achim Gratz @ 2015-05-31 7:15 UTC (permalink / raw) To: cygwin-apps Andrew Schulman writes: > I show the SFTP key fingerprint for cygwin.com as > > SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM > > Can anyone please confirm that? > ssh-keygen -lvf cygwin.com.pub 1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 [MD5] cygwin.com (RSA) +--[ RSA 1024]----+ | EO&.o.oo o+| | +o* . .o+| | . + . . .| | + o . | | S o | | | | | | | | | +--[MD5]----------+ > awk '{print $3}' cygwin.com.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64 MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM= > Is the key fingerprint posted anywhere on cygwin.com or sourceware.org? I can't > find it. If not, would someone mind adding it to the "Uploading Packages to > cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so > people can verify it? Good idea. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ SD adaptation for Waldorf rackAttack V1.04R1: http://Synth.Stromeko.net/Downloads.html#WaldorfSDada ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint? 2015-05-31 7:15 ` Achim Gratz @ 2015-05-31 10:24 ` Corinna Vinschen 2015-05-31 21:08 ` Andrew Schulman 0 siblings, 1 reply; 8+ messages in thread From: Corinna Vinschen @ 2015-05-31 10:24 UTC (permalink / raw) To: cygwin-apps [-- Attachment #1: Type: text/plain, Size: 1221 bytes --] On May 31 09:15, Achim Gratz wrote: > Andrew Schulman writes: > > I show the SFTP key fingerprint for cygwin.com as > > > > SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM > > > > Can anyone please confirm that? > > > ssh-keygen -lvf cygwin.com.pub > 1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 [MD5] cygwin.com (RSA) > +--[ RSA 1024]----+ > | EO&.o.oo o+| > | +o* . .o+| > | . + . . .| > | + o . | > | S o | > | | > | | > | | > | | > +--[MD5]----------+ > > awk '{print $3}' cygwin.com.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64 > MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM= > > > Is the key fingerprint posted anywhere on cygwin.com or sourceware.org? I can't > > find it. If not, would someone mind adding it to the "Uploading Packages to > > cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so > > people can verify it? > > Good idea. PGA? Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat [-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint? 2015-05-31 10:24 ` Corinna Vinschen @ 2015-05-31 21:08 ` Andrew Schulman 2015-06-01 8:50 ` Corinna Vinschen 2015-06-01 16:18 ` Achim Gratz 0 siblings, 2 replies; 8+ messages in thread From: Andrew Schulman @ 2015-05-31 21:08 UTC (permalink / raw) To: cygwin-apps [-- Attachment #1: Type: text/plain, Size: 624 bytes --] > > > Is the key fingerprint posted anywhere on cygwin.com or sourceware.org? I can't > > > find it. If not, would someone mind adding it to the "Uploading Packages to > > > cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so > > > people can verify it? > > > > Good idea. > > PGA? OK, here you go. The patch is a bit large, because I took the opportunity to reorganize the text a bit and add a new section showing how to upload packages the automated way using cygport up. The complete revised page is at http://home.comcast.net/~andrex2/cygwin/package-upload.html . Andrew [-- Attachment #2: package-upload.html.patch --] [-- Type: application/octet-stream, Size: 5309 bytes --] diff -urN a/package-upload.html b/package-upload.html --- a/package-upload.html 2014-09-30 17:24:48.000000000 -0400 +++ b/package-upload.html 2015-05-31 17:04:19.000000000 -0400 @@ -21,7 +21,10 @@ </p> <h2>Requesting upload privileges</h2> -Send your public ssh key to the <a href="http://cygwin.com/lists.html#cygwin-apps">cygwin-apps</a> using this format:<pre><tt> Subject: SSH key for upload access + +<p>Send your public ssh key to the <a href="http://cygwin.com/lists.html#cygwin-apps">cygwin-apps</a> using this format:</p> + +<pre><tt> Subject: SSH key for upload access Name: Your Name Package: The name of <b>one</b> (and only one) of the packages that you are responsible for @@ -30,26 +33,56 @@ ---- END SSH2 PUBLIC KEY ---- </tt></pre> -When specifying your name, use your exact name as shown at <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.<br> +<p>When specifying your name, use your exact name as shown at <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.<br> Specifying <b>one</b> package provides you with the ability to upload -any of your packages from <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>. +any of your packages from <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.</p> <p>The SSH key above should be generated from one of your public keys, e.g.:<pre><tt> ssh-keygen -e -f ~/.ssh/id_rsa.pub</pre></tt></p> -The format of this email is not optional. It is read by a program so please +<p>The format of this email is not optional. It is read by a program so please do not deviate from the above. In particular, don't indent, don't add multiple packages, and <b>do</b> use <a href="http://cygwin.com/cygwin-pkg-maint">your name</a> as -recorded in <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>. +recorded in <a href="http://cygwin.com/cygwin-pkg-maint">http://cygwin.com/cygwin-pkg-maint</a>.</p> <p><b>Note: Send email in this format if you need to update your ssh key.</b></p> <p>Requests are handled manually and are acknowledged publicly in response to email to the <tt>cygwin-apps</tt> mailing list.</p> -<h2>Uploading Files to cygwin.com</h2> -Once the ssh key has been installed you'll have limited + +<h2>Connecting to cygwin.com</h2> + +<p>Once the ssh key has been installed you'll have limited <a href="http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol#SFTP_client">sftp</a> -access to cygwin.com where you will be able to upload packages. An -upload directory on cygwin.com will look like this: +access to cygwin.com, where you will be able to upload packages. You may connect for example by +<tt>sftp cygwin@cygwin.com</tt>, or using lftp as in the example below. When connecting, +make sure that you use the user <tt>cygwin</tt> with no password, and that you are using the +same ssh key as the one that you specified previously.</p> + +<p>The first time you connect, you should verify that the host key fingerprint matches one of +the following hashes:</p> + +<ul> +<li>SHA256 (OpenSSH 6.8 or later): <tt>SHA256:MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM</tt> +<li>MD5 (OpenSSH pre-6.8): <tt>1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23</tt> +</ul> + +<h2>Uploading Files</h2> + +There are two ways to upload finished packages to cygwin.com. + +<h3>Using cygport</h3> + +<p>If you have a <a href="https://cygwin.com/cygport/README">cygport</a> build script for your +packages, the easiest way to upload your finished packages is just to run:<p> + +<pre> cygport pkg.cygport up</pre> + +<p>That will upload your finished packages, taking care of all of the details described in the manual method below.</p> + +<h3>Manually</h3> + +<p>You may also upload files directly, using an sftp client such as sftp or lftp. An upload +directory on cygwin.com will look like this:</p> <pre> Your Name # Directory is currently your full name (you won't actually see this) @@ -60,11 +93,7 @@ pkg-debuginfo # package subdirectories </pre> -<p>When connecting, make sure that you use the user <tt>cygwin</tt> with -no password and that you are using the same ssh key as the one that you -specified previously.</p> - -<p>Example using <a href="http://lftp.yar.ru/">lftp</a> to upload packages: +<h4>Example using <a href="http://lftp.yar.ru/">lftp</a> to upload packages:</h4> <pre> % lftp sftp://cygwin@cygwin.com @@ -140,7 +169,9 @@ uploaded packages. It doesn't matter where you create this file but it makes sense to put it at the root of your upload directory.</p> -<h2>Example <tt>lftp</tt> upload command line</h3> <pre> From: Christopher Faylor +<h4>Example <tt>lftp</tt> upload command line</h4> + +<pre> From: Christopher Faylor To: cygwin-apps Subject: Re: The upload system is live (Re: Major changes coming to procedure for uploading to sourceware) @@ -155,6 +186,7 @@ cgf </pre> + <h2><a name="deleting">Removing files from the Cygwin distribution</a></h2> To cause files to be removed from the distribution, upload an empty file with the name of the file that you want deleted, prefixed with a "<tt>-</tt>". ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint? 2015-05-31 21:08 ` Andrew Schulman @ 2015-06-01 8:50 ` Corinna Vinschen 2015-06-01 16:18 ` Achim Gratz 1 sibling, 0 replies; 8+ messages in thread From: Corinna Vinschen @ 2015-06-01 8:50 UTC (permalink / raw) To: cygwin-apps [-- Attachment #1: Type: text/plain, Size: 871 bytes --] On May 31 17:08, Andrew Schulman wrote: > > > > Is the key fingerprint posted anywhere on cygwin.com or sourceware.org? I can't > > > > find it. If not, would someone mind adding it to the "Uploading Packages to > > > > cygwin.com" page (https://sourceware.org/cygwin-apps/package-upload.html), so > > > > people can verify it? > > > > > > Good idea. > > > > PGA? > > OK, here you go. The patch is a bit large, because I took the opportunity to > reorganize the text a bit and add a new section showing how to upload packages > the automated way using cygport up. The complete revised page is at > http://home.comcast.net/~andrex2/cygwin/package-upload.html . Applied. Thanks a lot, Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat [-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint? 2015-05-31 21:08 ` Andrew Schulman 2015-06-01 8:50 ` Corinna Vinschen @ 2015-06-01 16:18 ` Achim Gratz 2015-06-01 16:41 ` Corinna Vinschen 1 sibling, 1 reply; 8+ messages in thread From: Achim Gratz @ 2015-06-01 16:18 UTC (permalink / raw) To: cygwin-apps Andrew Schulman writes: > OK, here you go. The patch is a bit large, because I took the opportunity to > reorganize the text a bit and add a new section showing how to upload packages > the automated way using cygport up. The complete revised page is at > http://home.comcast.net/~andrex2/cygwin/package-upload.html . Looks good. However, you still haven't verified the fingerprint(s) with Sourceware Overseers or did you? That I'm getting the same fingerprint as you is a good sign, but certainly not a confirmation. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2: http://Synth.Stromeko.net/Downloads.html#WaldorfSDada ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint? 2015-06-01 16:18 ` Achim Gratz @ 2015-06-01 16:41 ` Corinna Vinschen 2015-06-01 17:46 ` Achim Gratz 0 siblings, 1 reply; 8+ messages in thread From: Corinna Vinschen @ 2015-06-01 16:41 UTC (permalink / raw) To: cygwin-apps [-- Attachment #1: Type: text/plain, Size: 1167 bytes --] On Jun 1 18:17, Achim Gratz wrote: > Andrew Schulman writes: > > OK, here you go. The patch is a bit large, because I took the opportunity to > > reorganize the text a bit and add a new section showing how to upload packages > > the automated way using cygport up. The complete revised page is at > > http://home.comcast.net/~andrex2/cygwin/package-upload.html . > > Looks good. However, you still haven't verified the fingerprint(s) with > Sourceware Overseers or did you? That I'm getting the same fingerprint > as you is a good sign, but certainly not a confirmation. Running your commands on sourceware itself shows the exact same results when accessing the public host RSA key: $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub 1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 /etc/ssh/ssh_host_rsa_key.pub (RSA) $ awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64 MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM= Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat [-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cygwin.com sftp key fingerprint? 2015-06-01 16:41 ` Corinna Vinschen @ 2015-06-01 17:46 ` Achim Gratz 0 siblings, 0 replies; 8+ messages in thread From: Achim Gratz @ 2015-06-01 17:46 UTC (permalink / raw) To: cygwin-apps Corinna Vinschen writes: > Running your commands on sourceware itself shows the exact same > results when accessing the public host RSA key: > > $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub > 1024 1d:1e:46:7f:4d:73:8d:10:20:c3:4c:5a:34:14:44:23 /etc/ssh/ssh_host_rsa_key.pub (RSA) > $ awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | sed 's/ .*$//' | xxd -r -p | base64 > MFNiczzfX8/nvLSRZwR3CxMyycKtMan64Zm4C373FeM= That's good enough, I'd say. :-) Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ SD adaptation for Waldorf Blofeld V1.15B11: http://Synth.Stromeko.net/Downloads.html#WaldorfSDada ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2015-06-01 17:46 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2015-05-30 22:06 cygwin.com sftp key fingerprint? Andrew Schulman 2015-05-31 7:15 ` Achim Gratz 2015-05-31 10:24 ` Corinna Vinschen 2015-05-31 21:08 ` Andrew Schulman 2015-06-01 8:50 ` Corinna Vinschen 2015-06-01 16:18 ` Achim Gratz 2015-06-01 16:41 ` Corinna Vinschen 2015-06-01 17:46 ` Achim Gratz
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).