[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-users] Savannah's x.509 certificate fingerprints

From: Taylor R Campbell
Subject: [Savannah-users] Savannah's x.509 certificate fingerprints
Date: Tue, 19 Jun 2007 05:43:20 +0000
User-agent: IMAIL/1.21; Edwin/3.116; MIT-Scheme/7.7.90.+

I just fetched Savannah's x.509 certificates from
<> and verified the signed PGP message
containing the fingerprints.  I first noticed that that there's a
fingerprint for `cvs.*', without any link to a certificate
above.  Then I checked the fingerprints on all the certificates, and
found that while the certificate authority matched the fingerprint
listed in the signed PGP message, the other two didn't.  Here are the
fingerprints that the signed PGP message claims:
* SHA1 Fingerprint=59:62:0B:EF:A2:AA:FE:C1:6B:39:CB:A5:90:65:42:F5:81:A2:AE:A9
* MD5 Fingerprint=93:9C:BC:3C:2D:7C:42:D4:B1:15:B1:B6:B6:ED:EC:A0
* SHA1 Fingerprint=B9:8A:FE:4B:B8:B5:27:BF:44:71:7A:28:23:19:38:3A:34:E6:83:E0
* MD5 Fingerprint=07:EA:E7:86:B0:0F:F0:0F:7F:AC:82:2C:2E:F2:1B:C3

Here are the actual fingerprints that I obtained with `openssl x509
-fingerprint -noout -in ...', with and without the `-sha1' option to
alter between MD5 and SHA1:
* SHA1 Fingerprint=5C:09:4A:82:12:06:20:89:CF:5F:F2:FC:AE:6A:2C:54:7B:8E:EA:5E
* MD5 Fingerprint=E2:4A:D7:0D:5F:53:A2:54:3A:CA:8B:01:DD:60:91:A4
* SHA1 Fingerprint=CA:06:57:BF:5B:35:94:0E:98:1B:28:81:83:47:BB:07:F4:EC:7B:D1
* MD5 Fingerprint=52:34:FD:6B:42:19:0A:E3:AD:8D:85:37:FF:ED:1B:72

I'm not wizardly enough with OpenSSL to make it verify whether a
certificate was, in fact, signed by an issuer, to check the validity
of the and certificates against
Savannah's certificate authority.  I don't doubt that they were, but
is there any reason why the fingerprints do not match?

reply via email to

[Prev in Thread] Current Thread [Next in Thread]