Security + Canary – Spartacus Books

To disclose a security issue please contact info@spartacusbooks.net (and cc security@spartacusbooks.net).

We strongly prefer you use PGP email sent encrypted with our public key (fingerprint = 25C3 A3D3 5DD5 FB19 CBC8 1704 EDE2 4E51 2DE5 47FF).

Canary

See https://riseup.net/en/canary for explanation on what a canary is. The below canary is signed with our signing subkey (fingerprint = 263F 6812 3BA2 CC67 F18A 1CB3 AC78 BC6C 7875 F028). If our canary is out of date please start by emailing us (from a safe email please!), we are sometimes forgetful, if you receive no response with a week, you can assume we are unable to reply for legal reasons.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Spartacus Books positively confirms that to the best of our knowledge the integrity of our systems are sound. We have not disclosed any private information, and we have not been forced to modify our system to allow access or information leakage to a third party. We have not been forced to install equipment (eg: recording/monitoring devices) our store that could impact the privacy of those who use the space. 

This canary will be signed every year on the following dates:

* Jan 1
* June 1

We will include a link to a recent news article [1] in each update to establish that the signature was not pre-generated. 

Signed on Jan 4, 2025 by the Spartacus collective.

[1] https://www.cbc.ca/news/canada/toronto/ontario-government-rebate-cheques-expected-january-february-1.7422808
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEJj9oEjuizGfxihyzrHi8bHh18CgFAmd52KkACgkQrHi8bHh1
8CjCjg//aIejWJwdc/Sf6sK5J3sVIIv0VdEILP9wniQV8tJmAS1Vumg+utuFUgQ+
MJS1Z9obbWL9wMWjCCMV9nrUnJ73ASnsrI2njMM5dAqkxSkWPnAX/Vpa/+wQxYe3
/fuBptRFJxi8n6ocVZGz7f1mrsfBMEbovTMovtYOA/9N8/vzQgwiw5oR+q9JMuGd
qKwU2qWXItZu81t6xrR8j5jE6Qg4bP5puGH/FduKCEGi7+NtBqqqahBfLTa4ZBuU
fwjF4moXxctDAJQztrYOTErxq6ttlKXxY1oLu1aZF+WvaSkhjCQIqB3fL8izA0ER
Cn8DdmNiIAei2pyhhzC6vjeDAT863zxOtzMHoF0iXMCmXYQOmunFn6yIxFX42TBo
LGueff4iRx6DWcddBM8peipCr/pQNzSt/WYH4aG29WVQoWZ+1szoQ8v5PMfEOdMT
uqvLm3ejEz5RRp5QZrGT0nFB8e+rmlcsWzh8/k57ZEhmliHjoflci5CZkmhMpqsV
JbqaNejtMp/BqxShEPmYf9rsuWgWJ5cNedB6cmRy/luc4Wbk7KoCJRx4PbKrcDm/
THNbxQIwmxUKIQvJioEQAybRyUM8mBwpJpSUZ6u5/MUOBPpnM7sv3T582VLzzLuA
MIEhS6BH8BZAuJXJk4brDCf+o7izr6nh/quGbnxiMNC1GoBHogA=
=hBVb
-----END PGP SIGNATURE-----

To verify our canary you need to do the following

Receive the key into GPG: gpg --keyserver keys.openpgp.org --recv-key 25C3A3D35DD5FB19CBC81704EDE24E512DE547FF
Confirm that the fingerprint matches, the output should be 25C3A3D35DD5FB19CBC81704EDE24E512DE547FF: gpg --fingerprint 25C3A3D35DD5FB19CBC81704EDE24E512DE547FF
Verify the signature: gpg --auto-key-retrieve --verify canary.txt

There is no guarantee that this website hasn’t been tampered with, so the above key should not be automatically trusted. For better assurance that our key is correct you can come in to our store and we have a printed copy of our fingerprint posted on top of the store desk.