OpenDNS Forums
The official support and discussion site of OpenDNS
This discussion has been inactive for longer than 30 days, and is thus closed.
-
$ gpg dnscrypt-proxy_0.12_i386.deb.sig
gpg: directory `/home/my_username/.gnupg' created
gpg: new configuration file `/home/my_username/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/my_username/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/my_username/.gnupg/secring.gpg' created
gpg: keyring `/home/my_username/.gnupg/pubring.gpg' created
gpg: Signature made Tue 17 Jul 2012 02:09:02 PM PDT using DSA key ID 1CDEA439
gpg: Can't check signature: public key not found
$ gpg --recv-keys 1CDEA439
gpg: requesting key 1CDEA439 from hkp server keys.gnupg.net
gpg: /home/my_username/.gnupg/trustdb.gpg: trustdb created
gpg: key 1CDEA439: public key "Jedi/Sector One <j@pureftpd.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
$ gpg dnscrypt-proxy_0.12_i386.deb.sig
gpg: Signature made Tue 17 Jul 2012 02:09:02 PM PDT using DSA key ID 1CDEA439
gpg: BAD signature from "Jedi/Sector One <j@pureftpd.org>"
I've never encountered a bad signature before. What do I do now? I guess this bad signature issue is why DNScrypt-proxy doesn't work anymore in the latest attempts at trying because I've gotten it to work before, apparently I did so with a good signature? I decided to start checking the signature because I had learned how and the problem with it not working made me think it was being tampered with. Was I right?
-
Administrator
I'm pleasantly surprised to see that people are actually checking the signature. That is awesome.
I just downloaded the .sig file from Github and the signature works fine. May it be an issue with the Github CDN?
SHA256 for these files:
$ sha256sum dnscrypt-proxy_0.12_i386.deb dnscrypt-proxy_0.12_i386.deb.sig
7beb3d304742bf4ea3d35e5dc147c6208e8da875692c06350a176ed87dc8dc3f dnscrypt-proxy_0.12_i386.deb
0fbb198b0aa111e45a43c97229f2695f4b6d29c2895175323dccdcc02d11affd dnscrypt-proxy_0.12_i386.deb.sig
And the public PGP key:
-
I got a good signature after saving the public PGP key you posted (as dnscrypt-proxy.pgp in the following example), receiving the keys (there were two this time apparently), and then verifying. This time I downloaded another copy of .deb and .deb.sig files, so that might be why it worked finally. I also checked the sha256sum of the fresh downloads and they matched as well. I'll let you know if the installation finally even works.
$ gpg dnscrypt-proxy.pgp
pub 1024D/1CDEA439 2002-03-10 Frank DENIS (Jedi/Sector One) <j@4u.net>
uid Jedi/Sector One <j@pureftpd.org>
uid Frank DENIS (Jedi/Sector One) <0daydigest@pureftpd.org>
sub 1024g/55C7B97C 2002-03-10
$ gpg --recv-keys 1CDEA439
gpg: requesting key 1CDEA439 from hkp server keys.gnupg.net
gpg: key 1CDEA439: "Jedi/Sector One <j@pureftpd.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
$ gpg --recv-keys 55C7B97C
gpg: requesting key 55C7B97C from hkp server keys.gnupg.net
gpg: key 1CDEA439: "Jedi/Sector One <j@pureftpd.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
$ gpg dnscrypt-proxy_0.12_i386.deb.sig
gpg: Signature made Tue 17 Jul 2012 02:09:02 PM PDT using DSA key ID 1CDEA439
gpg: Good signature from "Jedi/Sector One <j@pureftpd.org>"
gpg: aka "Frank DENIS (Jedi/Sector One) <j@4u.net>"
gpg: aka "Frank DENIS (Jedi/Sector One) <0daydigest@pureftpd.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 89F7 B830 0E87 E03C 52B0 5289 926B C517 1CDE A439
$ sha256sum dnscrypt-proxy_0.12_i386.deb dnscrypt-proxy_0.12_i386.deb.sig
7beb3d304742bf4ea3d35e5dc147c6208e8da875692c06350a176ed87dc8dc3f dnscrypt-proxy_0.12_i386.deb
0fbb198b0aa111e45a43c97229f2695f4b6d29c2895175323dccdcc02d11affd dnscrypt-proxy_0.12_i386.deb.sig
-
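A scripted form of the check carried out in the posts above, as an added example that is not part of the thread or of the dnscrypt-proxy project: it compares the SHA-256 and accepts the signature only when gpg's machine-readable status reports a valid signature from the full fingerprint printed in the thread, rather than matching the 8-digit key ID. The function names and script layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are assumptions.

# Primary key fingerprint as gpg printed it in the thread, spaces removed.
PINNED_FPR=89F7B8300E87E03C52B05289926BC5171CDEA439

# Succeed only if FILE ($1) hashes to the expected SHA-256 hex digest ($2).
sha256_ok() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line
# names fingerprint $1 and no line reports a bad, unchecked, expired or
# revoked signature. A matching 8-digit key ID alone is never enough.
status_ok() {
    want=$1
    valid=1
    while read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # First field: signing key fingerprint; last: primary key.
                if [ "${rest%% *}" = "$want" ] || [ "${rest##* }" = "$want" ]; then
                    valid=0
                fi ;;
        esac
    done
    return "$valid"
}

# Usage: verify_download FILE SIGNATURE EXPECTED_SHA256
verify_download() {
    sha256_ok "$1" "$3" || { echo "SHA-256 mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_ok "$PINNED_FPR" ||
        { echo "no valid signature from $PINNED_FPR" >&2; return 1; }
    echo "verified: $1"
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    verify_download "$@"
fi
```

The pinned fingerprint and the expected digest only help if they were obtained over a channel separate from the one that served the download.
-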
Internet works! Installation succeeded, I changed dns resolver to 127.0.0.1 and then
$ sudo dnscrypt-proxy --daemonize
Clicked a link on a webpage and it loaded. It used to not work after every time I would do these steps after downloading several copies because I used to not check the signature. Too bad I deleted from my trash the ones with the bad signature to see if I would still get such. Oh well, thank you. OpenDNS should definitely show the public key and hashes on the github page. Even instruction on the commands to use with them would not take too much space on there, right?
-
Never mind, it still failed. I forgot that I had to restart my computer in order for the changes to the DNS address to be initiated; so, my test that succeeded in loading pages was never using dnscrypt-proxy or 127.0.0.1 anyway. And when I do use 127.0.0.1 the command
$ sudo dnscrypt-proxy --daemonize
does not allow me to load pages. I think my hardware is so old that it does not support much anymore. Even Ubuntu with 12.04 dropped support for such old hardware I use. Therefore, it is probably a problem with my hardware not the software or validation thereof. I'm getting new hardware soon, already bought some of it, so I'll check this out again after I start using that.
-
- CommentAuthor: maintenance
- CommentTime: Jul 31st 2012
Did you also start the daemon? (It should start after a reboot, though.)
I can't imagine hardware would be a limitation on running DNSCrypt. If you can install an OS on which DNSCrypt will run, it should be fine.
-
You mean I should try surfing the Internet in a different session than the one I commanded the daemon? When dnscrypt-proxy worked for me before Ubuntu 12.04 was released I used to have to type
$ sudo dnscrypt-proxy --daemonize
$ PASSWORD
every time after I booted up the computer before I wanted to use the web. Are you saying that is no longer the case and that typing it just once, then rebooting, and not typing it again before attempting to use the Internet will make surfing with dnscrypt-proxy work for me?
Wait, I just thought that through and that would basically mean that entering the daemonize command twice would null the progress towards successful use of the daemon because I already rebooted it and doing so is how I found that it did not work. Mind you that I did enter the command after rebooting, so was I not supposed to do that?
EDIT: Sorry, I just reread your comment and I think you were just saying that after rebooting I should enter the daemonize command, not that I shouldn't. But, as I make clear in this comment I already try doing that. So, which interpretation of your comment I make is right?
-
- CommentAuthor: maintenance
- CommentTime: Aug 2nd 2012
No, what I mean is that the daemonize command should be stored in a configuration script to start when the system boots. I don't know about this as an argument to dnscrypt-proxy - maybe this creates the daemon/service and starts it as well. This is not the case with every executable one wishes to run as a daemon. Once configured permanently as a daemon, one would have to either reboot or use a command to actually start the process.
Obviously, the command is not going into a config file, but simply starting the process from the CLI. So, the config must be made permanent by entering a line in a startup config file to either start the process or call a dnscrypt-proxy config file with the relevant entries in it.
I don't do Ubuntu, nor do I use dnscrypt, so forgive me if this is entirely generic.
You can always call up the process list to see if it is already running after boot.
-
Administrator
People have written startup scripts for Ubuntu that you can use to avoid doing that by hand every time.
Just Google for Ubuntu + dnscrypt-proxy
Thankful People: zelus, maintenance
-
Thank you guys, especially jedisct1. I found http://www.ab9il.net/crypto/dnscrypt.html with a web search and followed the directions for Ubuntu. Apparently it was a problem with Ubuntu switching to a local dnscache with version 12.04 that makes the dnsmasq program take up IP 127.0.0.1, which dnscrypt-proxy is supposed to use. That is the same time (Ubuntu 12.04 release) dnscrypt broke for me. The instructions on the page I listed show how to not only make an automatic startup script, but also how to set dnscrypt-proxy to 127.0.0.2 so that it won't interfere with dnsmasq. Now all I want to figure out is how to run a firewall with these settings while dnscrypt-proxy is working; there are just so many dnsmasq ports that are used on startup, only one dnscrypt-proxy port though.