You now need to fetch the public key of the person who signed the Apache packages you downloaded. From the page http://httpd.apache.org/download.cgi on the web site you can read:
If you want to check httpd-2.0.48.tar.gz's signature, you will need to put Sander Striker's public key in your public key ring.

You can obtain his public key in two ways. The first is by downloading the KEYS file directly from Apache's web site (http://www.apache.org/dist/httpd/KEYS). The file contains the public keys of all Apache's developers. To import it, simply run gpg --import KEYS (assuming that the file KEYS is in your working directory):

[merc@localhost merc]$ gpg --import KEYS

You can also download Sander's key from a public key server using the following command:

[merc@merc merc]$ gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3

You now have Sander's public key in your key ring. This means that you can check whether a message or a file was actually signed by him, by decrypting his signature (using his public key) and comparing the result with the hash value of the message you received.

Verifying the Downloaded Package

You are now ready to check the package you downloaded. To do this, you will need the signature file from the Apache web site. Again, it is crucial to get the signature file (which is very small) from the main site rather than from one of its mirrors. For example, if you downloaded version 2.0.48 of Apache, you will need the file httpd-2.0.48.tar.gz.asc. Now, run the command gpg --verify, providing both the signature file and the downloaded file as parameters:

[merc@merc merc]$ gpg --verify httpd-2.0.48.tar.gz.asc httpd-2.0.48.tar.gz

The signature is correct ("Good signature from ..."). However, GnuPG warns you not to trust the person, because the key has not been signed with a trusted key. In GnuPG, a trusted public key is one that has been signed (and therefore verified) by another trusted key. As soon as you install GnuPG, the only trusted public key is your own. This means that you are able to sign (and therefore verify) Sander's key yourself.
The question is: what makes you think that what you downloaded really is his key? A cracker might have created a public key, called him or herself "Sander Striker," and signed the files you are about to use. To check the authenticity of a public key, you can check the key's fingerprint. The GNU Privacy Handbook states:

A key's fingerprint is verified with the key's owner. This may be done in person or over the phone or through any other means as long as you can guarantee that you are communicating with the key's true owner.

It is up to you to decide what you should do to check the authenticity of the fingerprint, as long as you can make absolutely sure that you are communicating with the real person. This could be a little hard: Sander Striker would have very little time left to develop Apache if he had to meet in person with every single system administrator who wants to check his or her copy of Apache.

The good news is that if you imported the KEYS file from Apache's main site, you also have a collection of public keys owned by Apache's developers, who in turn signed Sander's public key after meeting him. This means that if you verify any one of them, your GnuPG will automatically trust Sander's public key as well. You can obtain a list of developers who signed Sander's public key by using this command:

[merc@merc merc]$ gpg --edit-key Sander

In this case, you will pretend that you talked to or met Sander Striker in person. You can therefore sign his key with your own key:

Command> sign
pub  1024D/DE885DD3  created: 2002-04-10  expires: never  trust: -/-

How carefully have you verified the key you are about to sign actually belongs to the person named above? If you don't know what to answer, enter "0".

   (1) I have not checked at all.
   (2) I have done casual checking.
   (3) I have done very careful checking.

Your selection? 0
Really sign? y

You need a passphrase to unlock the secret key for

Command> q

All done! You have now set GnuPG so that it trusts Sander's signature.
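The two checks the text describes, a good signature and a key whose fingerprint you confirmed out of band, can be automated so that "Good signature from ..." alone never decides anything. The following is an added example, not code from the book or from the Apache project: it reads the machine-readable status lines gpg emits with --status-fd, refuses BADSIG, expired or revoked keys and missing data outright, and accepts only when the VALIDSIG fingerprint equals a pinned value. The fingerprint, key ids, dates and user id in the sample status lines are constructed placeholders (only the last eight digits echo the key id DE885DD3 quoted above); replace PINNED_FINGERPRINT with the fingerprint you actually verified.

```python
"""Accept a gpg --verify result only when the signature was made by a pinned key.

Added example, not code from the book or from the Apache project. The
fingerprint and the status lines below are constructed placeholders; the real
check pins the fingerprint you confirmed out of band (in person, by phone,
or through developers whose keys you already trust).
"""
import subprocess
from typing import Iterable, Iterator, List, Tuple

# Constructed placeholder: 40 hex digits whose last eight match the key id
# DE885DD3 quoted in the text. Replace with the fingerprint you verified.
PINNED_FINGERPRINT = "00000000000000000000000000000000DE885DD3"

# Status keywords after which the file must not be used, whatever else gpg says.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY", "NODATA"}


def parse_status(lines: Iterable[str]) -> Iterator[Tuple[str, List[str]]]:
    """Yield (keyword, arguments) for each '[GNUPG:] KEYWORD ...' status line."""
    for line in lines:
        line = line.strip()
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable output or blank line; ignore
        fields = line.split()
        yield fields[1], fields[2:]


def judge(lines: Iterable[str], pinned_fpr: str) -> Tuple[bool, str]:
    """Return (accepted, reason).

    'Good signature from ...' alone is not enough: an impostor key carrying the
    same user id also yields GOODSIG. VALIDSIG carries the fingerprint of the
    signing key (field 1) and of its primary key (field 10), so we compare
    those against the pinned value and ignore the web-of-trust verdict
    (TRUST_UNDEFINED is exactly the warning the text describes).
    """
    pinned = pinned_fpr.replace(" ", "").upper()
    seen_fprs = set()
    good = False
    for keyword, args in parse_status(lines):
        if keyword in FATAL:
            return False, f"gpg reported {keyword}"
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            seen_fprs.add(args[0].upper())
            if len(args) >= 10:
                seen_fprs.add(args[9].upper())
    if not good:
        return False, "no GOODSIG line"
    if pinned not in seen_fprs:
        return False, "signature made by a key other than the pinned one"
    return True, "good signature from the pinned key"


def verify_file(sig_path: str, data_path: str, pinned_fpr: str) -> Tuple[bool, str]:
    """Run gpg on a real download and judge its status lines (needs gpg and the imported key)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return judge(proc.stdout.splitlines(), pinned_fpr)


# Constructed sample status output; key ids, dates and user id are placeholders.
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 00000000DE885DD3 Sander Striker (constructed uid)",
    "[GNUPG:] VALIDSIG " + PINNED_FINGERPRINT + " 2003-10-29 1067385600 0 4 0 17 2 00 " + PINNED_FINGERPRINT,
    "[GNUPG:] TRUST_UNDEFINED",  # the 'not trusted' warning from the text, harmless once the fingerprint is pinned
]
SAMPLE_IMPOSTOR = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1111111111111111 Sander Striker (constructed uid)",
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2003-10-29 1067385600 0 4 0 17 2 00 1111111111111111111111111111111111111111",
    "[GNUPG:] TRUST_UNDEFINED",
]
SAMPLE_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 00000000DE885DD3 Sander Striker (constructed uid)",
]

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("impostor", SAMPLE_IMPOSTOR), ("bad", SAMPLE_BAD)]:
        print(name, judge(sample, PINNED_FINGERPRINT))
```

On a real system you would call verify_file("httpd-2.0.48.tar.gz.asc", "httpd-2.0.48.tar.gz", PINNED_FINGERPRINT) after the gpg --import shown above; the impostor sample shows why the user id printed after "Good signature from" must not be what you compare.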