UNIX / Linux: PGP TarBall File Signature Keys Verification

by on April 14, 2010 · 3 comments· LAST UPDATED June 4, 2012

in , ,

I've downloaded open source software from the Internet. The download server also provided me the PGP signature file. How do I verify that signature (file.tar.gz.asc) file against downloaded software release (software.version.tar.gz) under Linux / UNIX operating systems?

For all FOSS based project you should download the PGP signatures and MD5 hashes and verify them before using them. Linux and many other UNIX like operating systems can use The GNU Privacy Guard. However, any OpenPGP-compliant program should work successfully with software. The following instuctions assumes that you are using the GNU Privacy Guard.

Download Tar Ball

For example, purpose you will download nginx web server and verify the same with PGP. Use the wget command to grab latest version:
$ cd /tmp
$ wget http://nginx.org/download/nginx-0.8.35.tar.gz
$ wget http://nginx.org/download/nginx-0.8.35.tar.gz.asc

List files, enter:
$ ls -l
Sample outputs:

total 620
-rw-r--r-- 1 vivek vivek 622870 2010-04-01 21:14 nginx-0.8.35.tar.gz
-rw-r--r-- 1 vivek vivek    196 2010-04-01 21:18 nginx-0.8.35.tar.gz.asc

Checking Signatures

Type the following command
$ gpg nginx-0.8.35.tar.gz.asc
Sample outputs:

gpg: Signature made Thursday 01 April 2010 09:18:53 PM IST using DSA key ID A524C53E
gpg: Can't check signature: public key not found

However, gpg failed to check signature as we don't have authors public key A524C53E in our local Linux server or workstation. You need to grab the public key from a key server (such as pgpkeys.mit.edu) or download it from the authors web site.

Command To Grab The Public Key From A Key Server

The syntax is as follows:

gpg --keyserver pgpkeys.mit.edu --recv-key <publicKey>

Try to grab the public key A524C53E, enter:
$ gpg --keyserver pgpkeys.mit.edu --recv-key A524C53E
Now, try to verify the software signature again:
$ gpg nginx-0.8.35.tar.gz.asc

Command To Grab The Public Key From A Web Server

Again, use the wget command to grab the public key from A web server:
$ wget http://sysoev.ru/pgp.txt
Import the key from pgp.txt file, enter:
$ gpg --import pgp.txt
Sample outputs:

gpg: key A524C53E: public key "Igor Sysoev " imported
gpg: Total number processed: 1
gpg:               imported: 1

Now, try to verify the software signature again:
$ gpg nginx-0.8.35.tar.gz.asc
Sample outputs:

gpg: Signature made Thursday 01 April 2010 09:18:53 PM IST using DSA key ID A524C53E
gpg: Good signature from "Igor Sysoev "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4C2C 85E7 05DC 7308 3399  0C38 A937 6139 A524 C53E
ample outputs:

The signature is good, but you don't trust this key. In other words the file has not been tampered. However, you need to additionally verify that key A524C53E was created by the real Igor Sysoev <igor@sysoev.ru> and not by someone else.

How Do I Build Trust?

This is little complicated as you never met Igor Sysoev face to face. To vouch for the key's authenticity you can do so by signing it with your own private key and mailing it back to its owner. This is simple and easy way to build a trust relationship. Another quick option is to use the following command:

gpg --edit-key {user@example.com} trust

Type the following command
$ gpg --edit-key igor@sysoev.ru trust
Sample outputs:

gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub  1024D/A524C53E  created: 2009-09-04  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/58AC2CDD  created: 2009-09-04  expires: never       usage: E
[ unknown] (1). Igor Sysoev 
pub  1024D/A524C53E  created: 2009-09-04  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/58AC2CDD  created: 2009-09-04  expires: never       usage: E
[ unknown] (1). Igor Sysoev 
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub  1024D/A524C53E  created: 2009-09-04  expires: never       usage: SC
                     trust: ultimate      validity: unknown
sub  2048g/58AC2CDD  created: 2009-09-04  expires: never       usage: E
[ unknown] (1). Igor Sysoev 
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Command> q

Now, try to verify the software signature again:
$ gpg nginx-0.8.35.tar.gz.asc
Sample outputs:

gpg: Signature made Thursday 01 April 2010 09:18:53 PM IST using DSA key ID A524C53E
gpg: Good signature from "Igor Sysoev "

Since, you have entered the web of trust, you should not see any warning message.

Reference's:

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 3 comments… read them below or add one }

1 Philippe Petrinko April 14, 2010 at 1:00 pm

Thanks Vivek, I appreciate it.

Reply

2 slava April 22, 2011 at 7:34 am

Thank you very match !
I had to check nginx.

Reply

3 person May 25, 2014 at 4:56 pm

The last step where you type
gpg –edit-key igor@sysoev.ru trust
and then enter 5 to indicate ultimate trust is garbage in, garbage out. A user should *NEVER* do this command not understanding the effects and should never do so if they don’t completely trust this person, Sure it will get rid of the warning message, but the warning message is doing what it should. At the same time, it does still check that the sig is good even with ther warning message.

Reply

Leave a Comment

Tagged as: , , , , , , , ,

Previous Faq:

Next Faq: