Howto: Verify integrity of the tar balls or source code

Posted on in Categories Linux, Security, Tips, UNIX last updated December 2, 2005

Verifying integrity of the tar balls or source code is an essential step, which makes sure that you are going to use guanine software (also know as checksum). Every Linux or UNIX admin should be aware of this test. However, what is a checksum? A checksum is a form of a very simple measure for protecting the integrity of data from both hackers (read as crackers) and data transmission error over network i.e. make sure no one has tampered with a source file (see checksum @ wikipedia) For file verification, use any one of the following command:

  1. sha1sum – check SHA1 (160-bit) checksums
  2. md5sum – check MD5 (128-bit) checksums
  3. gpg – Use to validate a GPG certificate

Therefore, whenever you visit source-code download site, you will come across md5sum, sha1sum, or gpg signature keys listed. Following is general syntax to verify keys with different commands:

  • sha1sum {source-code-file-name}
  • md5sum {source-code-file-name}
  • gpg –verify {source-code-file-name.sig} {source-code-file-name}

Examples ~ sure, without examples no one able to grasp the idea:

Howto: Verify integrity of the tar balls with gpg command

Posted on in Categories Howto, Linux, Security, Sys admin, Tips, UNIX last updated December 2, 2005

GnuPG is a complete and free replacement for PGP. You will use gpg command to validate a GPG certificate. For example, purpose download Apahce-web server tar ball. Visit Apache web site to download latest version of Apache. As usual, use wget command:

$ wget

Next download gpg key listed next to download link:
$ wget

How do I verify integrity of the tar ball?

Use gpg command as follows:
$ gpg httpd-2.0.55.tar.gz.asc

gpg: Signature made Monday 10 October 2005 07:05:15 AM IST using RSA key ID 10FDE075
gpg: Can't check signature: public key not found

You will see an error message ‘Can’t check signature: public key not found’. It means you need to get the key (called 10FDE075) and install it in your public keyring. You can download key from free public key server such as

$ gpg --keyserver --recv-key 10FDE075

gpg: requesting key 10FDE075 from hkp server
gpg: key 10FDE075: duplicated user ID detected - merged
gpg: key 10FDE075: public key "[email protected]" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Once the key is installed, use the following command to check the certificate of a source code file/tar ball:
$ gpg --fingerprint 10FDE075
$ gpg --verify httpd-2.0.55.tar.gz.asc httpd-2.0.55.tar.gz

Online References: