Merge pull request #1 from j01tz/dev

Add directories and files for keys, canaries, CVEs, audits

CVEs/CVE-2019-9195.md

@@ -0,0 +1,107 @@
+CVE-2019-9195
+=============
+
+| CVSS v3.0 Severity and Metrics | |
+|---|---|
+| Base Score | 9.8 CRITICAL |
+| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
+| Impact Score | 5.9 |
+| Exploitability Score | 3.9 |
+| Attack Vector (AV) | Network |
+| Attack Complexity (AC) | Low |
+| Privileges Required (PR) | None |
+| User Interaction (UI) | None |
+| Scope (S) | Unchanged |
+| Confidentiality (C) | High |
+| Integrity (I) | High |
+| Availability (A) | High |
+
+## Summary
+On Friday February 22nd 2019 we were notified of a critical security vulnerability through our responsible disclosure process. A fix was released as part of v1.0.2 three days later, on Monday Feb 25 2019 and CVE-2019-9195 reserved. This document provides details on the vulnerability, the fix, and what measures we have taken to protect Grin users.
+
+The vulnerability was discovered by the security firm we hired for our audit, Coinspect. It is related to the node syncing process and made it possible for a remote attacker to obtain write access to any part of the filesystem the node process had privileges to. This issue was fixed as part of the release of v1.0.2 and therefore we urge you to upgrade to v1.0.2 immediately. Users who are running this version or greater are not exposed. We have not seen any signs of the attack having been exploited, but we cannot know for sure that it has not been either.
+
+At the time of this writing, Mainnet Grin is ~49 days old. Its simple design, minimal cryptographic assumptions, and implementation in Rust, avoid many pitfalls. And whilst user safety is a high priority for us and we do our best to ensure it, it’s important to underline that Grin is still highly experimental software that is bound to have many bugs.
+
+### Recommended Action Checklist
+1.  Consider any environment that a v1.0.1 node or below was running in and had privileges to as potentially exposed.
+2.  Boot up v1.0.2 nodes in a new environment.
+3.  Never run grin as `root`.
+
+## Background
+
+### Third-Party Disclosure
+On Tuesday, Feb 26 2019, the vulnerability was disclosed on keybase to known Grin exchanges, Grin mining pools, and selected MimbleWimble implementations, revealing that the vulnerability is related to the syncing process and makes it possible for a remote attacker to obtain file system write access to any part of the filesystem the node process has privileges to, and urging an upgrade to 1.0.2.
+
+### Timeline of Events
+* Feb 22nd - responsible disclosure by coinspect
+* Feb 25th - fix released with v1.0.2, CVE assigned
+* Feb 26th - limited disclosure to mining pools and exchanges
+* Mar 5th - Public disclosure
+
+## Technical Details
+The vulnerability makes it possible for a remote attacker to obtain file system write access to any part of the filesystem the node process has privileges to, and subsequent arbitrary code execution if a binary is replaced (for example the grin binary itself). This is caused by a Zip Slip in the extraction process of the zip that contains the blockchain state, necessary for a node to get synchronized with the latest chain.
+
+To exploit the vulnerability, an attacker needs to provide a forged zip file to a Grin node that’s trying to synchronize itself with the latest state of the blockchain. This can happen either on first startup, or subsequently is a node is stopped for more than a few days and then restarted.
+
+## Detailed Fix Description
+In short, remediating the vulnerability was done with 2 fixes:
+
+1. Detect paths that would result in creating a file outside of the directory
+the zip is being extracted into and skip the corresponding zip file.
+2. Filter files extracted from the zip from a whitelist of the data files we
+expect in a Grin state archive.
+
+The txhashset zip file obtained from peers should only contain paths
+```
+kernel/pmmr_data.bin
+kernel/pmmr_hash.bin
+rangeproof/pmmr_prun.bin
+rangeproof/pmmr_leaf.bin.<blockhash>
+rangeproof/pmmr_data.bin
+rangeproof/pmmr_hash.bin
+output/pmmr_prun.bin
+output/pmmr_leaf.bin.<blockhash>
+output/pmmr_data.bin
+output/pmmr_hash.bin
+```
+where `<blockhash>` is a block hash shortened to the first 12 hex digits, such as 0000045a7af3.
+
+A bad zip file could however contain a path
+
+`../../../grin/target/release/grin`
+
+to try and overwrite the grin executable. The old `zip::decompress` function in `util/src/zip.rs` had no safeguard against such paths.
+
+The fixed version in `util/src/zip.rs` has an additional 3rd argument string of expected filepaths,
+which function `expected_file` in `chain/src/txhashset/txhashset.rs` computes as
+```
+format!(
+  r#"^({}|{}|{})(/pmmr_(hash|data|leaf|prun)\.bin(\.\w*)?)?$"#,
+  OUTPUT_SUBDIR, KERNEL_SUBDIR, RANGE_PROOF_SUBDIR
+)
+.as_str()
+```
+capturing the above file paths.
+
+When iterating over all file paths in the zip file, the fixed code applies function `sanitized_name` to each one. The `zip-rs` crate documentation describes its function as:
+>Get the name of the file in a sanitized form. It truncates the name to the first NULL byte, removes a leading ‘/’ and removes .. parts.
+
+If its sanitized name differs from the filepath (as is the necessarily the case when escaping the target directory) or if the sanitized name doesn’t satisfy the regular expression, then we log
+
+`info!("ignoring a suspicious file: {}", file.name());`
+
+and skip the file.
+
+## Related Links
+https://www.grin-forum.org/t/critical-vulnerability-in-grin-1-0-1-and-older-fixed-in-1-0-2/4343
+
+https://nvd.nist.gov/vuln/detail/CVE-2019-9195
+
+https://snyk.io/research/zip-slip-vulnerability
+
+https://github.com/mimblewimble/grin/blob/master/SECURITY.md#responsible-disclosure
+
+https://github.com/mimblewimble/grin/pull/2624/files#diff-4830eb666aacb357a3d8f21720bf2651
+
+https://www.grin-forum.org/t/how-do-i-update-my-node-wallet-miner-etc/2633

README.md

@@ -1,2 +1,17 @@
-# grin-security
-Security related data and information for all aspects of Grin  
+Grin Security
+=============
+
+Grin's security policy is available at https://github.com/mimblewimble/grin/blob/master/SECURITY.md
+
+This git repository is a central place for all other security-related
+information about the Grin project. It includes the following:
+
+* Grin PGP keys (`keys/`)
+* Grin canaries (`canaries/`)
+* Grin CVEs (`CVEs/`)
+* Grin audits (`audits/`)
+
+The files contained in this repository can be verified in two ways:
+
+* By verifying the git commit tags (`git tag -v`)
+* By verifying the detached PGP signatures provided for most files included here

audits/001-secp256k1-extensions-status.md

@@ -0,0 +1,14 @@
+# 001 - secp256k1 Extensions Audit
+
+_This document tracks the status of issues raised during audit of Grin’s secp256k1 extensions by Jean-Philippe Aumasson._
+
+| ID | Description | Status |
+|---|---|---|
+| 2.1 | Optimized out dead assignment may leak sensitive data | _No changes due to impossibility of enforcing this compiler-side. Binary still needs to be reviewed manually._ |
+| 2.2 | Missing null pointers checks   | _Addressed by_ https://github.com/mimblewimble/secp256k1-zkp/pull/37 |
+| 3.1 | Unfreed heap allocations | _Addressed by_ https://github.com/mimblewimble/secp256k1-zkp/pull/37 |
+| 3.2 | Unchecked heap allocation | _Addressed by_ https://github.com/mimblewimble/secp256k1-zkp/pull/37 _but still room for improvement for NULL checking in_ `secp256k1_aggsig_build_scratch_and_verify()`. |
+| 3.3 | `secp256k1_compute_sighash_single()` always returns `1` with `scalar_low_impl.h` | _Addressed by_ https://github.com/mimblewimble/secp256k1-zkp/pull/37 |
+| 3.4 | Unnecessary operations | _Should be a non-issue. See comments regarding short circuiting behaviour in_ https://github.com/mimblewimble/secp256k1-zkp/pull/37 |
+| 3.5 | Unnecessary operation | _Addressed by_ https://github.com/mimblewimble/secp256k1-zkp/pull/37 |
+| 3.6 | Faster rejection of invalid parameters | _Non-issue, early nbit parameter check already exists_ |

canaries/canary-001-2019-q4.txt

@@ -0,0 +1,53 @@
+---===[ Grin Canary #001 ]===---
+
+
+Statements
+-----------
+
+The Grin security contacts who have digitally signed this canary state the following:
+
+1. The date of issue of this canary is September 19, 2019.
+
+2. The latest Grin release is v2.0.0 `8f3be49`
+
+3. No warrants have ever been served to us with regard to the Grin
+Project (e.g. to hand out the private signing keys or to introduce
+backdoors).
+
+4. We plan to publish the next of these canary statements in the first
+two weeks of January 2020. Special note should be taken if no new canary
+is published by that time or if the list of statements changes without
+plausible explanation.
+
+Special announcements
+----------------------
+
+None.
+
+Disclaimers and notes
+----------------------
+
+This canary scheme is not infallible. Although signing the declaration
+makes it very difficult for a third party to produce arbitrary
+declarations, it does not prevent them from using force or other
+means, like blackmail or compromising the signers' laptops, to coerce
+us to produce false declarations.
+
+The block hashes quoted below (Proof of freshness) serve to demonstrate
+that this canary could not have been created prior to the date stated.
+It shows that a series of canaries was not created in advance.
+
+This declaration is merely a best effort and is provided without any
+guarantee or warranty. It is not legally binding in any way to
+anybody. None of the signers should be ever held legally responsible
+for any of the statements made here.
+
+Proof of freshness
+-------------------
+
+$ date -R -u && grin client status | grep 'Last block' | cut -c 18- && curl -s 'https://blockstream.info/api/blocks/tip/hash'; echo && curl -s 'https://api.blockcypher.com/v1/ltc/main' | grep '"hash' | cut -c 12-75 && curl -s 'https://api.blockcypher.com/v1/eth/main' | grep '"hash' | cut -c 12-75
+Thu, 19 Sep 2019 19:36:23 +0000
+000000829f8046695db7ec8389d474808e56db4bdfecfaf93aeeb121b5ba01b0
+000000000000000000092adde0b17083d0972ccac3f384fb5b63257242183e71
+4f8ab8ba2dd1644b1bd2b50ca4efb27000efd5fd5436787b7d5b5be6db4fc5ad
+afd5ba17ded0c395cd56bb88cfe7f17f10404f2c6749f03304e65f2c85879fec

canaries/canary-001-2019-q4.txt.asc.hashmap

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEmisHTjBkkHEpSwnPkZyxZfYeCV8FAl2YOI4ACgkQkZyxZfYe
+CV9x2xAAvDIm5DK1PpWNPQ+JZkxpAZnnUvA4dLx/QVQo9Umk2Lb8BMXcHW4/N0aN
+FYLhDIjm6ZPsIsc5VW1hYx/1iUjeqqk2ivoxIh2CEUDd3fQ6gz4lcrR41nlnNl8H
+U63cSCGHuzRLTVWBeSoX6wU8P8qmqlQ7gbDjquSqTkcjnxrtk6YL60bcp0iLS3c7
+AV8foYK3uXjhppA8tfqjD3ry/dCu5gPPV1Dq8vCgZShqyhupMP3xnAhHpgDaECeq
+D1oGaBQhNDCp/3yfOQp/wcuB4sE1JPZpv+gODM7hNZM8siMb7e0DlK//3IbD/EFg
+b7Drlde64c0Ke3tbdWWi9yXrG66WYRH/M1jM8YrWjAVyvp4vPGE6ghfBh2dW+gqT
+4VAcY74PyWKBdnbPwCWyd4B+aTnAGoxnuOoXNZJqM+1oTbs1W2w8uWO3kbOybgEY
+YxUwSfh9WdofmFB0aUTItsPf80K6OyfGysvJ6ceTVvpSpBeemB8FvT7+9fffyeVI
+ZLjU2OQFq/SwSlTdh59/jQGXvotN3s0U36o/jzw0yIB9J5cBy3aRilo3NdSv8J/4
+WtsxFhxFHtj7qgIC2W4PDcxsmet6fQ+tVpk0MlKRJ3bWluB/KNKes8CqMHZHglbr
+eOYSJW661keVzaxkWvcsV1wJRGou7Gs84n4gYYsIJUVQmr7rGZg=
+=rXcL
+-----END PGP SIGNATURE-----

canaries/canary-001-2019-q4.txt.asc.j01tz

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEpwlDvRCYWLUDTiOsmWn1cMLvYW8FAl2D2QIACgkQmWn1cMLv
+YW+kZg/+MTV47XCy/oXurasSIp0S1oFtPubEfy/+hXmt9pY6Y36NRwv9KPHvu4hC
+DTiBxeZiWamEjOLqjFMDm/1FiRmJBZ68+Dpks6i5UGwyDNytEW+WjJia5g9hHqk7
+OTz5BJZMIIh4gXrY/iINdnHQeeP3t6IPfiy9kJICukel9J3UI2mVbFLsApQAO4fv
+gXf2BH7ki+um9oWp0ELrIw0GTE2Sp1nC5P70WyacxcRT3t+tqOFDusA2smoYqC+Y
+vRcAF66r3rhotYQoySjlSOccq00r4ISz41+Il24/+/gMDLa8CpKP/bBe0si3Fy9m
+LWq3kfWEkqLRdGPw+Hec5VW3p+1NZfYKL8PmNxE5nythFRXGcnalx0fMPDlNwF9R
+Njou/3E5TY0BoV9nkoE4wtfR9omwJfQot0lwJRd1m6mgISvs8MuqufA2Y51e5jUZ
+r/l1qMADbuuUhmHnmUcNpCWXoIxQKdF8giU+4Nq2UeDUTKIoMJ2qgP0tAQpcw3kK
+UfcRHsmpszpofq8Bbb+6cn6PXXU0o9wB2KzueKPeIMWrnpGhXuqQoS1TtnvmzyKx
+NFcnFfsgH51jaBwBF9jXeV373bJfZo/NYYmuxs0kaZE/ClFVFAsZ36El0Q93DBNM
+lFfMUMCmJ52p1bDOCLIjqeErDCMv+htXyH5RNaYwTyYXo45RkKs=
+=M4+G
+-----END PGP SIGNATURE-----

canaries/canary-001-2019-q4.txt.asc.lehnberg

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE+VlmMakS995PmoQBohBkfpZHeHQFAl2ThB0ACgkQohBkfpZH
+eHSUCg//XYXnIujugGrEmmlLhdO1si9nV2E6kn9ewBYP0JZXpqjfyDRPqVmV1u3c
+8q7RhGAKHu6fCy/kqMyl1vi0FfSHfYlApKyr1pWTXYPEnZyNe8assYU+0t6saP0P
+zzNvS2UyUD/LYjqZdJEQvajovV7Hl0tpx9GDODJvufvAHTO5qUCtK0Tp21N2go3b
+tNr3K1esdMyC6JmrcH2WTL6UFp77VlY6KwhpkVkLxwHHwAwR6JIXFRBz353wPVRc
+y78E4lBXe5rWV3spJm0Eiu1Obi9st5qRoKEsLmIEHFIY/cvt9iy7Xejdn/KD1wcL
+s3aBpyZC0Uds6NBfUUU6B0IYISI3IepM1KEqKkWQj2NSwfnlfk9mioPxlae6NQ8F
+3atTGWBsjbEv7wrwtdfUnTui3uZbFJwhSVErgb7DKzn6N1yyK7V0gYFWW4SaQpvI
+EwvIix0ALcfru5KnQgMVrsqa1xQTiXEtIgRc01dPWW9K+3iM/7S4d8EE2DxPLYuG
+gEflyqr7zCSn/cmeHmdJc3mHSpdpgtXpROgGl4GO1CEbfegIX4eNtl1LOEnqCRu4
+CoJSn4V6dmwNGF+dflAjlTpTUI61F6QS15ct5NSboDAERFTp4Md8xfFsATlylnUg
+Caxbe0uEcbRZ9ZKnpy9LeinDYCuZ9q3rnVpzJzeODTRBaVcN6x4=
+=3j4S
+-----END PGP SIGNATURE-----

keys/hashmap.asc

@@ -0,0 +1,109 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF2Uv+UBEADTqqOs/9IOns9So+kCucnp2Z03brtcnKERrnHNtViqK3O2mo6/
+su+uQEFS0uNtR1pAH/IvTVT8WnNNh+8QxYa0TpiayAqsU8BAR9tf4zKYfJ+x1bVn
+M67RlAc97b1ciq1oKXa2xW9YYbwY/DEsZVocSHIMcMRODcpFxYTHj77tAIAfJfZf
+pwTce8dPAENP0EXPDtR8YnrbEq27RCC2XJ9mvmfB5YlSOJ1WJU98Zieig/XCXYYb
+rfoI6VEm6srSlKBXP2HR9Zaqcxi2QZRuC6+osadHnHxZYFNTc9abQzDCvVtDi9pA
+Rn0LgDIdt2z35rYVA0wCcdf84XvTRuZrRxXFgbTdXo6abjefZ421eC/76b2uQ58Y
+L+Ehl7i8eG0A6mQK0OY9MmZ+pBpzf0i1P90YxCPJDv9KtBuIaTsFmE8pnkVY9dbF
+DL/mNBmxWv95ROQluAD6ZUKpJMhysWkpvl4TwUrINQpmAYD3+VMAgCH5k19vnVxb
+ganby7yKVg6MOexdWcd8n2eamuQxcNpGD6FyeKTyhSnqyDXvlfh89Z1b2YKLC4bL
+X4yRHWVncS9nmORB9SGo/llCLRZ6OFeNc4ZTkNb5uSbHewZXVzbLEACbc4PLXErt
+HxNDhutsJrRKSFnboC2LaDLUqWEK3Pc+8eSL/NhUMEe5NBCAZabFp5hQqwARAQAB
+tCRBbGV4ZXkgTWlyb3Noa2luIDxoYXNobWFwQGdtYWlsLmNvbT6JAlQEEwEKAD4W
+IQQuFR/Uc5Ov3jr9/w1QYkhyWWmFnwUCXZS/5QIbAwUJA8JnAAULCQgHAwUVCgkI
+CwUWAgMBAAIeAQIXgAAKCRBQYkhyWWmFnyH1D/9Yp7HPw1O03vlMuwDguWrRo/X2
+2LQ4KGjOSjvnfMPIh7Xkz3o5+x1pghPov3BD1wBrGkSw4yoNDuXT5NrqBSQgZKuG
+SZgHtoDUTxUL6cc1hcsYUEUc849wZl7Ra0jR5fAqy13KeRSnsQXAH9D4fvBSFAGs
+ewsvFjok5CyNdIxs4/jJbzzAJ2En9B9LhZEBWQDBxH/NXEA8PMuxRoioqhR8sovS
+AdWn1W6PKsiVhQRHwUMr4r8V7gyLnMDx5tftjA18yJCPlaDKLg9gl1CqAhDcme9j
+uQb4C7TxQ0qRGfKllbyw469HpkU8Z2ox1AaYG0GbwFnjsFsqFCqp1v0iMKeTqFGF
+dFBOyqBgDzC5lhzKFwmAGzXUg04st0gmhGJPBmumw4CfS1jA+gh84NqlbhFjbykP
+IXpn602P87CMVPgmFelmxDmPQqAUh9UAr90p0w/jMSvtLgPl5AilsX9WXR89/NRh
+w26IemBFRK4844f616EmYvKpfTpj9QxfPVvoUz61Z8sJUzwixjW5ykaam6vZI8ty
+MYwTmHfJYLiGJKumZcK+cxbtPMW1L8TXzALkzDxuOHpilvMln4tmjDUSwN89PV/F
+5AVrZfX4rC8/zuzdfETEPqFoLBfjVNQR8D0E1xopIkCQ8sQjkMFSE1UCYRCgGomS
+cTP/W7ZJAzxVhOnnILkCDQRdlMQrARAAy6H/LfJ/ZWEnd6QS/VXukWISDuAv+CrC
+SWtc7EP89/RZkkFst4PWwKf3UzQkPL8h36SRfoimStWMw92nsFNz30Xhkiy57RCZ
+4T5puZPqoBNb618qf7KfzJKfOOHERoC8BP4IH65UcFUOqzbx3kWsVtzXhe5AzQwR
+ETWlZ0wfPivPJCFl6BCJhSntmdMRIAGi3EfQ2nr1XdvdmlJVp5AJ0SpQ/TROLAfF
+sjVyYc1VcSSqy5sDuLMgPlaCH3sq0FL2LU77eYpNSJ8LVhUbYgs6ImiWTG8cHncb
+9MSIsmSbMe4NLf1GSCFGRpxSLq9khPhC39b+1h/d4bYhYJ437WQE4aqvRA4/wevU
+dQST3CH4C6Sl9nQgie+dUnkWacsPqMGwCma36LT0yffy9ceJZb4gy5oX6GP59xrx
+0uiKS0GAxfsc2rS5d9VODovJ84hIhEy3RPqBhwnrVVIeBBn6ntKwQzKdtD8wKdwm
+ZpOIQvaIPUwbdT+yjihOMUrB+AIllRQwo35hLzcR3ow9vULXWanFYmzXBhO6s7Cb
+aoHJO4FHabqk0GWIAGtA8EwBlSz7Kd6RNQVKeFuCsgkFxxza88/FfrsNQVQAr9AR
+uHEiEG8NKl3yVocltsxXRAVZs7DSH5r3i6RYnPmUhTBkPQy2+5s/zAfuuUZ1ECUm
+niBYq0Tl7vMAEQEAAYkEcgQYAQoAJhYhBC4VH9Rzk6/eOv3/DVBiSHJZaYWfBQJd
+lMQrAhsCBQkDwmcAAkAJEFBiSHJZaYWfwXQgBBkBCgAdFiEEmisHTjBkkHEpSwnP
+kZyxZfYeCV8FAl2UxCsACgkQkZyxZfYeCV9IqxAAiL8ZzGt69Qz6zwrZFE3Gzp2f
+goRM3LkEpPoq/C7LUhrHu1KNHDo5KGDFMrfJVyZvbUlGX82MAELNNd21JhWGI8rf
+zN5ouO6qi2lgycgOtqLHMMPPX3f7dm4c4CFTjgJPUO1i41IZfT8QdpxjCQBH38XC
+GH4js7IqiPgO3yTG7GBs1lWbbwgjP53+VM2uL8HV0D9cMd9d4lZnTXLFKuGyzRFf
+wr16uptTPooH1nYzG9l4ox8NCu15gcgWs2P8jSZi/udWoIPQpZ9lYqc7CFCXrbTw
+iYasuP7xSv1GLNVPXJxd/TLBNPuh/Ip/f+O7XDxe3xyQ5/cjWmtjEyyCVyUsl+CV
+aF3NCCi5kdQc+rqbttfUjz6EbAUJPnMFkWnK948ldM+rgAGHaO0mSCo0RqVs0jxS
+i2nfJ/25zEk4FoUilN2SMB5c62esL2Bd/e4DpeRTEBDV/DP2BSeKVMc8YhTq7ILu
+Xy1zJelKuladiIHevlbxIB2w75I2No64vKOcyED2ZtrwQFC/zwowBlEpTI8AuXgC
+49yL0n3JoxqJwZtyEzofwKAcfEP2hGHtDV+5bxoNSF7Rcem5gX2Ul/1ceX5lNE2F
+qAYbfVc6kO820eXVjj/f1bC2mSn5cXhpRFhabbYryJjwaGY5Uu5V7Cn4bnEmNpce
+VdaXtvy333vdIjWmmutYmBAArzmmL7sy0tB+E09MpdhUxXGlgQLJOnf6JneV0jS1
+U6YNl+AVQQorg1QWCE1FSPCb9opEE8wM8TRlE8VKcnVJ64rGSQ96JyzT7kW096qb
+DLfcbO7X1EDH8wra9V7GuirT0Hj5TAOgiyCv5Kh4sAGjQQy0EreuDkASmgPGVtwX
+IVcn8cpdfwcs1lJ0BOFgu7rKkeW7MVyLRJj920VkJKZxB5vX1WbOESddimzHGvG3
+Qdi/WewrBG5Ln3E43rEId78qBTJbwQHihgjydQLdPXPQMyS3bPwIu/43JuFDjPR9
+QkYx4PcpHlFraOGzUS0sZR63/07rOc+DynI0XuSi3C2hORAztS3Rry9LwS63Ndc0
+CR5M6qfBZcqtdXXnqnt6kslcRSuE8nkOtBJjKWkI3PbK2LLH1WlqH/EPX/T2UR2c
+yLJl2dPqZns5e/8ePL5PiwFhslwbBqRmjxySkGALJzMwqnJRYZJAK3JWnvEpqXPv
+ItJNKnPQYfhjkapG8Tf/oU7javPQp+9vntM9cwBDsELWfHn2fRwORmcqQVgHK244
+xRbPOn0thb33ePeW+9ou5O1etNsApsAoPHWmIYNA3CS/dQd8a3L8jC7IiI8/GXfs
+LB91FtojnJ2Fh2ZkAQmRuPq2eCSrRjmEfZh1Y3hZi3trBru3CebI0g2WCIiztey8
+Sce5Ag0EXZTEYgEQAJVeWAE2a+Y8MkUvkuU/iawMhvcAKTVYpDDNjLxspoO0t8YS
+HjrcWdq8rTLOsqXZfE9WeGWKyt/vKn1zfRyWrJ7DRX/SKDMsSCJEWP9WbOGl1lES
+RdVLvCKrb8SqLf4qpgtdDf7ewbYhBu/O+7Xp+A8JR9T8on0nybZhszFYURKLqLD1
+n0S5sttfDMe8EaNXvGf8mdsG7bC7Y2UP04Y4okJzOxlzuSr06hu1DMxB62nbqM0m
+jiQVVpDMS8ZuBk7WkUbPvg960ZAaPYXT/PkKP2hLHDZiusgkXVy/ixMYITK8FN7E
+/dOk6dOvpD/gS56rRpVSHrZ2+ri/5JxOCJ4NASycQN/ECcXhfGciZRW1UvChuS6t
+CaALIWvJ8d6kG7o++xamPB5jH/KhZDSjVNUWVcyKVKBBoYQ8ihK7nocxavHUNlOp
+v4Ekv7MLRvKkrQ5EBj16cNq/DXOVZijJbdQdmhAUK56Uj7NdJePoWjMtpbnYKmhs
+3j0KfZB3ntGSaEgG0T/ZJjhI+IKoypvaiIwSvfqXJTiq8q+cewMC++ZRyEpJaVg8
+WYMpd8NLoXV6V/AYdZB++D5QZdMjE/8UrWN0q2PvYpzzP3+XjtUexi2J58b0hYkR
+fs/xe/eZ5XirjOnGgRH5BxyEIAOewRrRpFE1cbENsuDGrWO84PHpTYCIliyDABEB
+AAGJAjwEGAEKACYWIQQuFR/Uc5Ov3jr9/w1QYkhyWWmFnwUCXZTEYgIbDAUJA8Jn
+AAAKCRBQYkhyWWmFn7faEADKn2lEbLXAtgnxRJRQF9A4xE/P4gRunD5yp2oZLPPL
+r70NKYsLYtc6JCHziqI5sat+1krIsuEZXwqqEabeffyRYfNfkTzRQSZsI6xpn1jz
+p4srzgc7BUAiu7gjOFIpdS5lwLIs1V1udEBUhL8AwNxHh7ZPnZinDGgWVFiBdpNH
+Qa4Xy+7IhwL8Nglju3RlMtK1uUGwCorOGGyyvmhdavlYVQyoikbjTb7xzeywmB/M
+dvR8MW1nyiF3tK6pyAUfubZGbblpSrqroRMfvyMD1UR5Luk/PLNvOa8eISOIoC0e
+8jn0mCXdZpk4Eo0Yv0fQJUd+xrNBgz4Qmi046J0TfcdZV+v81JLLL9Bxw3BV6luy
+wJ4GwvSQhl32iW3Odp6G1rrC4ORkK/MEqA9O14XZXqjj4cg53Xy30euHCaaD2mb7
+dNZPCNaD/T2vwprRw0UdCGjP6QM2/sXQq3NjNVNP7Nn8pVpuC88PWTPoR0cBua33
+xux7FSq9kt2x79yl1OvVTo1i+BGfGbN2yPX3YF3exI7k7pSUbNeAAPCnsZalDpDN
+/muiRr/saqKJJnisgDJ6HJKJ3+8lQASM7y1FV59kp3nQXVoAReBCaRZKErqM6F3e
+p+aR5t+B5OEJZDwV9yIHjFMokV0MiaJWMphkuMwEMqvtN+3sBM5SFuPzwkAw93Sy
+WLkCDQRdlMSJARAAzHR7ljpAuzqMGkHESXzJiseb9Jg1Mjskkoh0Mivz4uyXm1zc
+sZinuFKdWRf8GoENKQcmISijeWPGHqKVtpePiKaVOVusvaVx4rUlaylOXlwr5208
+au1n4yzrDE29pb25ktWzY4unVauddM3HAysez+ExGng3sdvAll9IOBFu/RWHgYp7
+8jyiDTb5A9jbreM2xuAoshbxmEuNdWT+J2MCZdjQwgQ1joA3gf56LOPyQdgIEVzR
+RJy5iZSC8JeZlGMTA1QBHf9E1ud5rmkPkkKTR1f9uB6cglt2okDw4g2snEowRMq7
+2BaD/TX/QJuHrzE0yhcLx6+rIESpBYhGEdPNf2KuZsp4sN7/6auRQ/ca4WeG6fZE
+isrGl1vqg07u3pvcJj30sjeud2h21MwmfZC2xQPUNXPvmJM4EIy2bLDWCo7GwveW
+zLQrcAE4RFK4AQvNN5GiZstgMaK6dNz2g1J1s/bT8nyCDcjIKFG++ngsD1V8t+J8
++4lN+8br5hRCxJTLM3Q3CCLn5CmHJn/DImqCBO+08DpDhOmzSgRwBG9F42HEkUP0
+Sqpb4RgFGvuP7u837+3MufnFzTU9o8xiVgPP7UqlcQubksvd00lTIeYBR9B5SfnC
+fsUN4xuPK19gn7G1z4ZReJayMfxpmQWWoaDYtTU5Wo12H94eN2umu+GBV2sAEQEA
+AYkCPAQYAQoAJhYhBC4VH9Rzk6/eOv3/DVBiSHJZaYWfBQJdlMSJAhsgBQkDwmcA
+AAoJEFBiSHJZaYWffwQP/0fSJlUKz1s3p+DouoCNXCa055fdpsFHLAwuWOB8MLx5
+e0n0GtVONzoAkm+5PvgyV+nXMJePLSzR1Hb1hhtFr8eB6ypQ+ROK3jNk7zWI4B1G
+nW3MG/dgivtiarOi4SYO3spS/lm2bTwzsGo12rgqmumB4VrywqSXV7QeePME3Uop
+JxiAv3+fgn7WbYGFs90IST0JMIV27GsfVorl5cLX5ZBfC6W5LG8s2XTnYOFnoY4w
+w9WCA4HzahmdfHFGOvAFqmL6D6VNqqDtciBxUMXoBjPv2RifuI1eL3ZpMszB5Dc5
+sZm30NGKECTXh/+nO8t1DN4XRzROW1OsF3X7bZb7YZD6oK1LGtd4eOOzCVshh1rD
+oJT+3J9D+Oew70+tkUfe57B7b34eIvZu+R/HnWUftKT2OvKoOfGVhiP6BofXfcMZ
+Vs5kSGGF9dYgRBIyteZFJpVhQuq7uZlsYdEqD0d/LnMyZrzC+jzKxKjhdWBo7PYl
+fN6sDjycB7GXamDrvfqi12RG7i92lUNWb7M1LRUzdo/btkbDRAwBvCpiq0H6b+fQ
+9MmtejhKfaaBTGb622taWYO98czWWXk2GHlJ1BamCXfpZBB982NwU8eh8qOt4sv4
+ImmKGPGsnY+qdeT22ondN9ZyVvBAT8PFUEYWEsSWVeeYYdnoa+zQ9XWHf+hQGDnR
+=HyJE
+-----END PGP PUBLIC KEY BLOCK-----