If the user's account status changes, the Faculty Administration will automatically inform the user by email. In particular, notifications are automatically sent out about account creation (or renewal), impending account cancellation, and account blocking or unblocking. To increase the credibility of these messages, the Faculty Administration signs them with its PGP key. On this page we describe how users can install the Faculty Administration's public key into their GnuPG and PGP key databases.
Notice
If you use PGP without a basic understanding of its mechanism, you will not increase the security or trustworthiness of your communications. On the contrary, you will expose your key to a high risk of misuse with all its consequences. It is safer not to use PGP at all than to use it badly. You can increase your knowledge of PGP, for example, by visiting the GnuPG project. You can also find much more information and links on the OpenPGP website.
Faculty Administration Public Key
The Faculty Administration public key is available at https://fadmin.fi.muni.cz/noauth/fadmin_key.pub. The key will be transmitted over a secure connection, which limits the possibility of it being spoofed if you already have a trusted Faculty Administration SSL certificate installed. The public key fingerprint is:
94A1 8BE2 DDB4 06CC 3D00 9DF9 E237 46F8 6D44 85C8
You can also verify the fingerprint over a secure connection at https://fadmin.fi.muni.cz/noauth/fadmin_key.fpr. You can also use an unsecured connection:
Installing the key in GnuPG
Download the public key to a local directory in the file fadmin_key.pub and perform the following sequence of commands. Add the Faculty Administration key to your public key database.

    $ gpg --import fadmin_key.pub
    gpg: klíč 6D4485C8: veřejný klíč "Fakultní administrativa FI MU <fadmin@fi.muni.cz>" importován
    gpg: Celkový počet zpracovaných klíčů: 1
    gpg: importováno: 1

Verify that the fingerprint of the key is the same as above.

    $ gpg --edit-key fadmin
    Příkaz> fpr
    pub 1024D/6D4485C8 2003-06-24 Fakultní administrativa FI MU <fadmin@fi.muni.cz>
    Primární fingerprint klíče: 94A1 8BE2 DDB4 06CC 3D00 9DF9 E237 46F8 6D44 85C8
    Příkaz> quit

If it is not, the key is either fraudulent or has been corrupted in transit. In this case, delete it immediately:

    $ gpg --delete-key fadmin
    Smazat tento klíč ze souboru klíčů? (a/N) a

If the fingerprint is correct, the key is already installed and GnuPG will use it to verify signatures from the Faculty Administration. However, after each verification it will probably warn that the key is not trusted. The trustworthiness of PGP keys is based on the so-called Web of Trust: you can either mark it as trusted or sign it with another trusted key. The following steps mark the key as trusted for your own use without allowing anyone else to consider the Faculty Administration key trusted based on your trust. First, you must mark the public key of your secret key as trusted (vas_klic in the session stands for your own key).

    $ gpg --edit-key vas_klic
    Tajný klíč je dostupný.
    Příkaz> trust
    Prosím rozhodněte, nakolik důvěřujete tomuto uživateli, že správně verifikuje klíče jiných uživatelů (prohlédnutím cestovních pasů, kontrolou fingerprintů z různých zdrojů...)?
    1 = Nevím nebo neřeknu
    2 = Nedůvěřuji
    3 = Důvěřuji částečně
    4 = Důvěřuji úplně
    5 = Důvěřuji absolutně
    m = zpět do hlavního menu
    Vaše rozhodnutí? 5
    Opravdu chcete nastavit pro tento klíč absolutní důvěru? (a/N) a
    Příkaz> quit

Now sign the Faculty Administration key locally (for your own use, not exportable) with your secret key.

    $ gpg --edit-key fadmin
    Příkaz> lsign
    Opravdu podepsat všechny id uživatele? (a/N) a
    Podpis bude označen jako neexportovatelný.
    Skutečně podepsat? (a/N) a
    Musíte znát heslo, abyste odemknul(a) tajný klíč:
    Příkaz> quit
    Uložit změny? (a/N) a

Based on this signature, the Faculty Administration key will be considered trusted.
Installing the key in PGP
The procedure is very similar to using GnuPG. Because GnuPG offers more options, we recommend using it instead of PGP. We therefore keep the description in this section short and leave out explanations that can be found in the previous section. Download the public key to a local directory in the file fadmin_key.pub and add it to your public key database. Verify that the fingerprint written out is identical to the one above.

    $ pgp -ka fadmin_key.pub
    keyfile contains 1 new keys. Add these keys to keyring ? (Y/n) Y
    $ pgp -kvc fadmin
    Looking for user ID "fadmin".
    Type bits keyID Date User ID
    DSS 1024/1024 0x6D4485C8 2003/06/24 Fakultní administrativa FI MU <fadmin@fi.muni.cz>
    Key fingerprint = 94 A1 8B E2 DD B4 06 CC 3D 00 9D F9 E2 37 46 F8 6D 44 85 C8
    Fakultní administrativa FI MU <fadmin@fi.muni.cz>
    1 matching key found.

If it is not, delete the key immediately.

    $ pgp -kr fadmin
    Do you want to remove the whole key (y/N)? y

If the fingerprint is correct, the key is already installed and PGP will use it. However, it will probably not consider it trusted and will warn you every time it is used. There is only one general way we know of to mark a key as trusted in PGP: sign it with your own key. Note: By signing a key, you are publicly stating your belief that the signed key actually belongs to the Faculty Administration. PGP does not allow you to sign a key only locally, so you may at some point export this signature to a public keyserver. Only proceed to this step if you really know you are signing the correct key.

    $ pgp -ks fadmin
    READ CAREFULLY: Based on your own direct first-hand knowledge, are you absolutely certain that you are prepared to solemnly certify that the above public key actually belongs to the user specified by the above user ID (y/N)? y
    You need a pass phrase to unlock your secret key.
    Enter pass phrase:
    Passphrase is good
    Attach a regular expression to this signature, or press enter for none:

Now the key is installed and PGP will consider it trusted.
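
The fingerprint check in both procedures above (GnuPG prints the fingerprint in groups of four hex digits, PGP in pairs) can be scripted so that the key file is inspected before it is imported. The following is an added example, not part of the original page: the function names are hypothetical, the colon-format sample is constructed, and check_keyfile assumes a GnuPG 2.x release that provides --show-keys.

```sh
#!/bin/sh
# Added example (hypothetical helper names); not the Faculty's own tooling.
# Fingerprint as published on this page.
EXPECTED_FPR='94A1 8BE2 DDB4 06CC 3D00 9DF9 E237 46F8 6D44 85C8'

# Constructed sample of `gpg --with-colons` output for a single key;
# only the key ID and fingerprint are taken from the page.
SAMPLE_COLONS='pub:-:1024:17:E23746F86D4485C8:1056412800:::-:::scESC:
fpr:::::::::94A18BE2DDB406CC3D009DF9E23746F86D4485C8:
uid:-::::1056412800::::Fakultni administrativa FI MU:'

# Keep only hex digits and upper-case them, so the GnuPG ("94A1 8BE2 ...")
# and PGP ("94 A1 8B ...") layouts of a fingerprint compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Read a colon-format key listing on stdin, print the primary fingerprint.
# Fails unless exactly one primary key is present, so a second key bundled
# into the same file cannot be imported unnoticed.
primary_fpr_from_colons() {
    awk -F: '
        $1 == "pub" { pubs++ }
        $1 == "fpr" && !seen { fpr = $10; seen = 1 }
        END { if (pubs != 1 || fpr == "") exit 1; print fpr }'
}

# Succeed only for a full 40-digit fingerprint equal to the expected one;
# a short key ID such as 6D4485C8 is never accepted as a match.
fpr_matches() {
    want=$(normalize_fpr "$1")
    got=$(normalize_fpr "$2")
    [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# Inspect a key file without importing it. Returns 0 if it holds exactly
# the expected key, 1 on fingerprint mismatch, 2 if it cannot be parsed.
check_keyfile() {
    listing=$(gpg --batch --with-colons --with-fingerprint --show-keys "$1" 2>/dev/null) || return 2
    fpr=$(printf '%s\n' "$listing" | primary_fpr_from_colons) || return 2
    fpr_matches "$EXPECTED_FPR" "$fpr"
}

# Usage: check_keyfile fadmin_key.pub && gpg --import fadmin_key.pub
```

Running the check before the import means a wrong key never reaches the keyring, so the delete step is only needed when the key was imported by hand.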