One of my friends recently asked me how to verify a signature that is distributed with an opensource application. Since I didn’t have a machine handy to show him, I thought I would jot this down for him in my blog. The first step in verifying a signature requires locating the public key of the [...]
I recently downloaded the samhain file integrity verification suite, and wanted to verify the authenticity of the package. The samhain developers distribute samhain as tar archive, which includes the source code and a detached ASCII signature file:
$ /usr/sfw/bin/gtar tvfz samhain-current.tar.gz
-rw-r–r– 1000/100 1302539 2005-09-22 16:05:35 samhain-2.0.10a.tar.gz
-rw-r–r– 1000/100 [...]
The GNU privacy guard provides a command line tool (gpg) to encrypt data and manage digital signatures. GPG supports the OpenPGP standard, and provides easy access to a variety of key distribution servers. To view the full list of options available to gpg, you can run gpg with the “-h” option:
$ gpg -h | head [...]
