Habitually checking the integrity of archives you download from the Internet is a good idea. The Apache distribution system works through mirrors. Someone may decide to compromise a mirror and replace the genuine archive with a trojaned version (a version that feels like the original but is modified in some way, for example, programmed to allow the attacker unlimited access to the web server). You will go through a lot of trouble to secure your Apache installation, and it would be a shame to start with a compromised version.
If you take a closer look at the Apache download page, you will discover that though archive links point to mirrors, archive signature links always point to the main Apache web site.
One way to check the integrity is to calculate the MD5 sum of the archive and to compare it with the sum in the signature file. An MD5 sum is an example of a hash function, also known as one-way encryption (see Chapter 4 for further information). The basic idea is that, given data (such as a binary file), a hash function produces seemingly random output. However, the output is always the same when the input is the same, and it is not possible to reconstruct the input given the output. In the example below, the first command calculates the MD5 sum of the archive that was downloaded, and the second command downloads and displays the contents of the MD5 sum from the main Apache web site. You can see the sums are identical, which means the archive is genuine:
Using MD5 sums to verify archive integrity can be circumvented if an intruder compromises the main distribution site. He will be able to replace the archives and the signature files, making the changes undetectable.
A more robust, but also a more complex approach is to use public-key cryptography (described in detail in Chapter 4) for integrity validation. In this approach, Apache developers use their cryptographic keys to sign the distribution digitally. This can be done with the help of GnuPG, which is installed on most Unix systems by default. First, download the PGP signature for the appropriate archive, such as in this example:
Attempting to verify the signature at this point will result in GnuPG complaining about not having the appropriate key to verify the signature:
$ gpg httpd-2.0.50.tar.gz.asc gpg: Signature made Tue 29 Jun 2004 01:14:14 AM BST using DSA key ID DE885DD3 gpg: Can't check signature: public key not found
GnuPG gives out the unique key ID (DE885DD3), which can be used to fetch the key from one of the key servers (for example,pgpkeys.mit.edu):
$ gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3 gpg: /home/ivanr/.gnupg/trustdb.gpg: trustdb created gpg: key DE885DD3: public key "Sander Striker <firstname.lastname@example.org>" imported gpg: Total number processed: 1 gpg: imported: 1
This time, an attempt to check the signature gives satisfactory results:
$ gpg httpd-2.0.50.tar.gz.asc gpg: Signature made Tue 29 Jun 2004 01:14:14 AM BST using DSA key ID DE885DD3 gpg: Good signature from "Sander Striker <email@example.com>" gpg: aka "Sander Striker <firstname.lastname@example.org>" gpg: aka "Sander Striker <email@example.com>" gpg: aka "Sander Striker <firstname.lastname@example.org>" gpg: checking the trustdb gpg: no ultimately trusted keys found Primary key fingerprint: 4C1E ADAD B4EF 5007 579C 919C 6635 B6C0 DE88 5DD3
At this point, we can be confident the archive is genuine. On the Apache web site, a file contains the public keys of all Apache developers (http://www.apache.org/dist/ httpd/KEYS). You can use it to import all their keys at once but I prefer to download keys from a third-party key server. You should ignore the suspicious looking message (“no ultimately trusted keys found”) for the time being. It is related to the concept of web of trust (covered in Chapter 4).
Sometimes, the best version of Apache is not contained in the most recent version archive. When a serious bug or a security problem is discovered, Apache developers will fix it quickly. But getting a new revision of the software release takes time because of the additional full testing overhead required. Sometimes, a problem is not considered serious enough to warrant an early next release. In such cases, source code patches are made available for download at http://www.apache.org/dist/httpd/patches/. Therefore, the complete source code download procedure consists of downloading the latest official release followed by a check for and possible download of optional patches.