Security
It is important to me that my software protects the privacy and security of its users. This page explains how to verify the authenticity of my software, and why it is important that you do so.
If you have discovered a security vulnerability in my software, please disclose it responsibly.
Verifying releases
All software I release is signed with my OpenPGP key. This allows you to verify that my software hasn’t been tampered with. It is highly recommended that you verify the signatures of releases before installing them or running any scripts they contain.
Signature files can be obtained from files.janikrabe.com. They have file names ending in ‘.asc’ and can be found in the same directory as the corresponding release.
If you use GnuPG, you can verify signatures using the following command:
gpg --verify <signature-file> <release-file>
If the key is trusted, this should produce the following message:
gpg: Signature made <date-and-time>
gpg: using RSA key 63694DD76ED116B84D286F75C4CD3CE186D1CA13
gpg: Good signature from "Janik Rabe <info@janikrabe.com>" [<trust-level>]
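A "Good signature" line only tells you that the signature verifies against some key in your keyring; it does not by itself prove that the key is mine. The following POSIX shell script is an added example (not part of this page or my own tooling): it runs the same gpg command, but reads GnuPG's machine-readable status output (`--status-fd`, field layout as documented in GnuPG's DETAILS file) and accepts the release only when the signing key, or its primary key, matches the fingerprint published under "Cryptographic keys" below. It assumes GnuPG 2.x is installed and the public key has already been imported; the function names check_status and verify_release are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: verify a release
# signature with GnuPG and insist that it was made by the key
# published on this page, not merely by some key in the keyring.
# Assumes GnuPG 2.x is installed and the public key is imported.
set -euf   # -f: no globbing while word-splitting status lines

# Fingerprint published on this page (40 hex digits, no spaces).
EXPECTED_FPR="63694DD76ED116B84D286F75C4CD3CE186D1CA13"

# check_status EXPECTED_FPR
# Reads GnuPG status lines (as emitted by --status-fd) on stdin.
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR as the
# signing key or its primary key, and no line reports a bad,
# unverifiable, expired-key or revoked-key signature.
check_status() {
    want="$1"
    ok=1
    while IFS= read -r line; do
        set -- $line   # split the status line into fields
        [ "${1:-}" = "[GNUPG:]" ] || continue
        case "${2:-}" in
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <res>
                #   <pkalgo> <hashalgo> <class> [<primary-fpr>]
                if [ "${3:-}" = "$want" ] || [ "${12:-}" = "$want" ]; then
                    ok=0
                fi ;;
        esac
    done
    return "$ok"
}

# verify_release SIGNATURE_FILE RELEASE_FILE
# Same gpg invocation as on the page, with machine-readable
# status sent to check_status; gpg's human-readable text still
# reaches stderr.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" | check_status "$EXPECTED_FPR"
}

if [ "$#" -ge 2 ]; then
    verify_release "$1" "$2" || { echo "FAIL: $2 is not signed by $EXPECTED_FPR" >&2; exit 1; }
    echo "OK: $2 is signed by $EXPECTED_FPR"
fi
```

Run it as `sh verify-release.sh <signature-file> <release-file>`; it exits non-zero when the signature is bad, the key is expired or revoked, or a different key made the signature.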
Cryptographic keys
OpenPGP
My OpenPGP key is 6369 4DD7 6ED1 16B8 4D28 6F75 C4CD 3CE1 86D1 CA13.
This is a 4096-bit RSA key valid from January 1, 2020 to January 1, 2040.
My previous key 23D5 97D9 expired on January 1, 2020.
If you still have this key on file, you can use the rollover statement to verify the authenticity of my current key.
LD-OTS
The following fingerprints are cryptographic digests of public keys for the Lamport-Diffie one-time signature scheme (LD-OTS).
Should a large quantum computer be built that threatens the security of 4096-bit RSA, these LD-OTS keys will be used to sign a new public key. Messages should only be trusted if they are signed with both LD-OTS keys.
BLAKE2/512:
6825d6f5 23f62829 df733b0e c7df0589
114bca8a d7428ea0 3c4353bf 92826572
adb8574e 81f3a6c6 b357f244 772f8bb9
e62176e1 80b08004 8dc9a810 ba9c691e
SHA2/512:
7ec1a651 6e5ec1cf 1105df2a 2d4818ad
73b64a1b 100c1c63 301b58b1 694e9e06
b9664d97 ef3c956c 569987ca e75aa002
107aa295 f4599784 ece79a99 cd3efd47
Reporting security issues
If you believe you have discovered a security vulnerability in my software, please contact me at info@janikrabe.com.
If you choose to use OpenPGP to encrypt your communication with me, please make sure to encrypt to the correct subkey.
I will respond promptly to all reports and work with downstream distributors to make sure users receive patches as quickly as possible. In exchange, I ask you not to make vulnerabilities public before a fix has been released.