BusKill Canaries

The BusKill team publishes cryptographically signed warrant canaries on a biannual basis.

Although security is one of our top priorities, we might not be able to inform you of of a breach if served with a State-issued, secret subpoena (gag order).

The purpose of publishing these canary statements is to indicate to our users the integrity of our systems.

To view all of our canary statements, see:

• https://www.buskill.in/category/Canary/

Verification Instructions

For instructions on receiving and verifying our current BusKill Release Signing Key, see:

* https://docs.buskill.in/buskill-app/en/stable/security/pgpkeys.html

After you have verified & imported our Release Signing key, execute the following (instructions are for a Debian-based system)

gpg

At the prompt, simply paste the contents of the canary statement: everything in-between (and including) the lines `-----BEGIN PGP MESSAGE-----` `-----END PGP MESSAGE-----` and press ctrl+D.

You should get output that is similar to the following (note the date will change, based on when the canary statement was signed):

gpg: Signature made Fri 16 Oct 2020 09:27:33 PM CEST
gpg:                using RSA key 798DC1101F3DEC428ADE124D68B8BCB0C5023905
gpg: Good signature from "BusKill Releases Signing Key 2020.07 " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E0AF FF57 DC00 FBE0 5635  8761 4AE2 1E19 36CE 786A
     Subkey fingerprint: 798D C110 1F3D EC42 8ADE  124D 68B8 BCB0 C502 3905

You should make sure that it says "Good signature" in the output and confirm that the keyid matches the one you verified at the time you first imported our key into your personal keyring. If this text has been altered, then this information should not be trusted.

Unless you have taken explicit steps to build a trust path to the BusKill Release Signing Key, you will see a warning message similar to:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

However, you still should see the "Good signature".

Further Reading

Please see the following external links for more information about common use of warrant canaries.

1. EFF's Warrant Canary FAQs
2. Riseup Canary Statement
3. First Look Media's AutoCanary
4. carrotcypher's Standardized Model for Warrant Canaries
5. QubesOS Canaries