Verifying digital signatures

I recently downloaded the samhain file integrity verification suite, and wanted to verify the authenticity of the package. The samhain developers distribute samhain as tar archive, which includes the source code and a detached ASCII signature file:

$ /usr/sfw/bin/gtar tvfz samhain-current.tar.gz

-rw-r--r-- 1000/100    1302539 2005-09-22 16:05:35 samhain-2.0.10a.tar.gz
-rw-r--r-- 1000/100        189 2005-09-22 16:06:29 samhain-2.0.10a.tar.gz.asc

To verify the source code that is contained in the file samhain-2.0.10a.tar.gz using the detached ASCII signature stored in the file samhain-2.0.10a.tar.gz.asc, I downloaded the samhain developers public key, and imported it into my keychain with the gpg “–import” option:

$ gpg –import sh.pub

gpg: key 0F571F6C: public key "Rainer Wichmann " imported
gpg: Total number processed: 1
gpg:               imported: 1

Once the public key was imported, I used gpg’s “–fingerprint” option to extract a digital fingerprint from each public key:

$ gpg –fingerprint

/home/matty/.gnupg/pubring.gpg
------------------------------
pub  1024D/0F571F6C 1999-10-31 Rainer Wichmann 
     Key fingerprint = EF6C EF54 701A 0AFD B86A  F4C3 1AAD 26C8 0F57 1F6C
uid                            Rainer Wichmann 
sub  1024g/9DACAC30 1999-10-31

Once I had the fingerprint and the keyid, I verified both pieces of information with a trusted source. After I verified the authenticity of the key I imported, I used gpg’s “–verify” option along with the signature file (an encrypted hash) to verify the files contents with the key I just imported:

$ gpg –verify samhain-2.0.10a.tar.gz.asc samhain-2.0.10a.tar.gz

gpg: Signature made Thu 22 Sep 2005 04:06:29 PM EDT using DSA key ID 0F571F6C
gpg: Good signature from "Rainer Wichmann "
gpg:                 aka "Rainer Wichmann "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6C EF54 701A 0AFD B86A  F4C3 1AAD 26C8 0F57 1F6C

Verifying signatures can help ensure that the source code you download hasn’t been replaced with a malicious variant. The gpg(1) manual contains lots of information on signatures, and provides a detailed breakdown of the available gpg options.

Leave a Reply

Your email address will not be published. Required fields are marked *