Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
106 lines (72 sloc) 4.97 KB
---===[ PC Engines Canary #2 ]===---
Statements
-----------
The 3mdeb firmware developers who have digitally signed this file [1]
state the following:
1. The date of issue of this canary is September 18, 2019.
2. The 3mdeb Master Signing Key fingerprint is:
F78F 1CBC 2193 38BB 0340 08D7 BCBD 680B 6634 6D19
3. PC Engines Open Source Firmware Release 4.10 Signing Key is signed
by 3mdeb Open Source Firmware Master Key, which is signed by 3mdeb
Master Key.
4. No warrants have ever been served to us with regard to the PC Engines
firmware (e.g. to hand out the private signing keys or to introduce
backdoors).
5. We plan to publish the next of these canary statements in the first
two weeks of February 2020. Special note should be taken if no new canary
is published by that time or if the list of statements changes without
plausible explanation.
6. Due to new coreboot 4.10 release the PC Engines firmware binaries are
going to be signed with PC Engines Open Source Firmware Release 4.10
Signing Key with following fingerprint:
3B71 0228 A477 4C4F CB31 5876 233D 0487 B3A7 A83C
7. The PC Engines firmware versions beginning from v4.0.28 and v4.10.0.0
are being signed with PC Engines Open Source Firmware Release 4.10 Signing
Key unless a new official coreboot release is announced. New coreboot
release should follow a new key generation, which public signature should
be available on 3mdeb-secpack repository.
7. This canary has been annouced with a month long delay due to the
absence of the main keys holder.
Disclaimers and notes
----------------------
We would like to remind you that PC Engines firmware is being released
under the assumption that all relevant infrastructure is permanently
compromised. This means that we assume NO trust in any of the servers
or services which host or provide any PC Engines firmware-related data,
in particular, firmware updates, source code repositories, and firmware
downloads.
This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers' laptops, to coerce
us to produce false declarations.
The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.
This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.
Proof of freshness
-------------------
$ date -R -u
Wed, 18 Sep 2019 15:26:38 +0000
$ feedstail -1 -n5 -f '{title}' -u https://www.spiegel.de/international/index.rss
Football Leaks Lawyer: 'In Germany, Pinto Never Would Have Been Sent to Jail' 'Special Advisers': Investigators Target Illicit Trade in Diplomatic Passports Interview with Edward Snowden: 'If I Happen to Fall out of a Window, You Can Be Sure I Was Pushed' Return to Gadhafi Era in Libya: A Warlord Rebuilds Benghazi in His Own Image Alternative for Democracy: The AfD's Ongoing Slide toward Right-Wing Extremism
$ feedstail -1 -n5 -f '{title}' -u https://rss.nytimes.com/services/xml/rss/nyt/World.xml
Hard-Liners in Iran See No Drawback to Bellicose Strategy Duterte Says He Ordered a Politician Killed; a Spokesman Says He Misspoke After Tight Israeli Election, Netanyahu’s Tenure Appears Perilous Spain Heads to 4th Election in 4 Years After Failure to Form Government Nobel Peace Laureate Could Face Prosecution Over Myanmar Military’s Actions
$ feedstail -1 -n5 -f '{title}' -u https://feeds.bbci.co.uk/news/world/rss.xml
Saudi Arabia presents 'oil attacks evidence' Israel election: Netanyahu and rival Gantz headed for deadlock Liberia school fire leaves many children dead near Monrovia Robert O'Brien: Trump names new national security adviser Afghanistan war: Taliban tell Trump their 'doors are open'
$ feedstail -1 -n5 -f '{title}' -u http://feeds.reuters.com/reuters/worldnews
Trump orders more Iran curbs, Saudi shows attack evidence Israel's Netanyahu fails to win majority in close election Hong Kong horse races, fireworks called off amid protest threat U.S. Asia official welcomes news of Hong Kong dialogue Russia frees jailed protester as teachers, priests demand end to crackdown
$ curl -s 'https://blockchain.info/blocks/?format=json' |\
python3 -c 'import sys, json; print(json.load(sys.stdin)['\''blocks'\''][10]['\''hash'\''])'
0000000000000000000bbd092c8f5839db97dbcc388a5060feef5064dae11d99
Footnotes
----------
[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this
canary in the 3mdeb-secpack.git repo, and (2) via digital signatures
on the corresponding 3mdeb-secpack.git repo tags. [2]
[2] Don't just trust the contents of this file blindly! Verify the
digital signatures!
You can’t perform that action at this time.