You now need to fetch the public key of the person who signed the Apache packages you downloaded. From the page http://httpd.apache.org/download.cgi on the web site you can read:
If you want to check httpd-2.0.48.tar.gz’s signature, you will need to put Sander Striker’s public key in your public key ring.
You can obtain his pubic key in two ways. The first is by downloading the KEYS file directly from Apache’s web site (http://www.apache.org/dist/httpd/KEYS). The file contains the public keys of all Apache’s developers. To import it, simply run gnupg --import KEYS (assuming that the file KEYS is in your working directory):
[merc@localhost merc]$ gpg --import KEYS
You can also download Sander’s key by downloading it from a public key server using the following command:
[merc@merc merc]$ gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3
You now have Sander’s public key in your key ring. This means that you can check if a message or a file was actually signed by him, by decrypting his signature (using his public key) and comparing the result with the hash value of the message you have received.
Verifying the Downloaded Package
You are now ready to check the package you downloaded. To do this, you will need the signature file from the Apache web site. Again, it is crucial to get the signature file (which is very small) from the main site, rather than from one of its mirrors. For example, if you downloaded version 2.0.48 of Apache, you will need the file httpd-2.0.48.tar.gz.asc.
Now, run the command gpg --verify, providing both the signature file and the downloaded file as parameters:
[merc@merc merc]$ gpg --verify httpd-2.0.48.tar.gz.asc httpd-2.0.48.tar.gz
The signature is correct (“Good signature from ...”). However, GnuPG warns you not to trust the person, because someone hasn’t signed the key with a trusted public key.
In GnuPG, a trusted public key is one that has been signed (and therefore verified) by another trusted key. As soon as you install GnuPG, the only trusted public key is your own. This means that you are able to sign (and therefore verify) Sander’s signature. The question is: what makes you think that what you downloaded really is his signature? A cracker might have created a public key, called him or herself “Sander Striker,” and signed the files you are about to use.
To check the authenticity of a public key, you can check the key’s fingerprint. The GNU Privacy Handbook states:
A key’s fingerprint is verified with the key’s owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key’s true owner.
It is up to you to decide what you should do to check the authenticity of the fingerprint, as long as you can make absolutely sure that you are communicating with the real person. This could be a little hard: Sander Striker would have very little time left to develop Apache if he had to meet in person with every single system administrator who wants to check his or her copy of Apache.
The good news is that if you imported the KEYS file from Apache’s main site, you will also have a collection of public keys owned by Apache’s developers, who in turn signed Sander’s public key after meeting him. This means that if you verify any one of them, your GnuPG will automatically trust Sander’s public key as well. You can obtain a list of developers who signed Sander’s public key by using this command:
[merc@merc merc]$ gpg --edit-key Sander
In this case, you will pretend that you talked to or met Sander Striker in person. You can therefore sign his signature with your public key:
pub 1024D/DE885DD3 created: 2002-04-10 expires: never trust: -/-
How carefully have you verified the key you are about to sign actually belongs to the person named above? If you don't know what to answer, enter "0".
(1) I have not checked at all.
(2) I have done casual checking.
(3) I have done very careful checking.
Your selection? 0
Really sign? y
You need a passphrase to unlock the secret key for
All done! You now have set GnuPG so that it trusts Sander’s signature.
blog comments powered by Disqus