I recently downloaded the samhain file integrity verification suite, and wanted to verify the authenticity of the package. The samhain developers distribute samhain as tar archive, which includes the source code and a detached ASCII signature file:
$ /usr/sfw/bin/gtar tvfz samhain-current.tar.gz
-rw-r--r-- 1000/100 1302539 2005-09-22 16:05:35 samhain-2.0.10a.tar.gz
-rw-r--r-- 1000/100 189 2005-09-22 16:06:29 samhain-2.0.10a.tar.gz.asc
To verify the source code that is contained in the file samhain-2.0.10a.tar.gz using the detached ASCII signature stored in the file samhain-2.0.10a.tar.gz.asc, I downloaded the samhain developers public key, and imported it into my keychain with the gpg “–import” option:
$ gpg --import sh.pub
gpg: key 0F571F6C: public key "Rainer Wichmann " imported
gpg: Total number processed: 1
gpg: imported: 1
Once the public key was imported, I used gpg’s “–fingerprint” option to extract a digital fingerprint from each public key:
$ gpg --fingerprint
/home/matty/.gnupg/pubring.gpg
------------------------------
pub 1024D/0F571F6C 1999-10-31 Rainer Wichmann
Key fingerprint = EF6C EF54 701A 0AFD B86A F4C3 1AAD 26C8 0F57 1F6C
uid Rainer Wichmann
sub 1024g/9DACAC30 1999-10-31
Once I had the fingerprint and the keyid, I verified both pieces of information with a trusted source. After I verified the authenticity of the key I imported, I used gpg’s “–verify” option along with the signature file (an encrypted hash) to verify the files contents with the key I just imported:
$ gpg --verify samhain-2.0.10a.tar.gz.asc samhain-2.0.10a.tar.gz
gpg: Signature made Thu 22 Sep 2005 04:06:29 PM EDT using DSA key ID 0F571F6C
gpg: Good signature from "Rainer Wichmann "
gpg: aka "Rainer Wichmann "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6C EF54 701A 0AFD B86A F4C3 1AAD 26C8 0F57 1F6C
Verifying signatures can help ensure that the source code you download hasn’t been replaced with a malicious variant. The gpg(1) manual contains lots of information on signatures, and provides a detailed breakdown of the available gpg options.