Verifying digital signature using GPG

Some of the key concepts of information security include confidentiality, integrity, availability, authenticity and non-repudiation. [1] A digital signature is an efficient way of maintaining integrity, authenticity and non-repudiation.
A digitally signed message ensures that the message was sent by a known sender (authenticity), without any alteration (integrity), and that the sender cannot deny having sent it (non-repudiation).

This post is about how to verify digital signatures, using the signature on a Linux kernel tarball and GPG (GNU Privacy Guard) as the example. Follow these steps for the verification.

1. Download the Linux kernel

$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.xz

2. Download the signature

$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.sign

3. The signature is made over the .tar file, not the .xz archive, so remove the .xz layer from the kernel tarball by uncompressing it.

$ unxz linux-3.1.5.tar.xz

4. Now verify the .tar file against the signature with the gpg command.

$ gpg --verify linux-3.1.5.tar.sign
gpg: Signature made Fri 09 Dec 2011 12:16:46 PM EST using RSA key ID 6092693E
gpg: Can't check signature: public key not found

5. In order to verify the signature, download the public key from a PGP key server.

$ gpg --recv-keys 6092693E
gpg: requesting key 6092693E from hkp server subkeys.pgp.net
gpg: key 6092693E: public key "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

6. Rerun the previous command to verify the signature again.

$ gpg --verify linux-3.1.5.tar.sign
gpg: Signature made Fri 09 Dec 2011 12:16:46 PM EST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E

The "Good signature" line shows that the tarball matches the signature, but the WARNING shows that GPG has no basis for trusting that this key really belongs to its stated owner: there is no indication that the signature belongs to the owner. Until the primary key fingerprint has been confirmed against a trusted source, such as the kernel.org signature page [2], the download still has to be treated as untrusted. This check is thus very essential so that you don't end up using the wrong downloads. It is always important to do signature verification before you start using anything. Keep yourself safe on the Internet.
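The steps above end with a "Good signature" plus a warning that the key is not certified, and the post leaves it to the reader to compare the fingerprint by eye. The script below is an added example, not part of the original post: it wraps the same gpg --verify call, reads gpg's machine-readable status lines (the --status-fd VALIDSIG line carries the signing key's fingerprint), and only reports success when the signature is valid and was made by a pinned, expected fingerprint. It treats the fingerprint printed in the post's output as the expected value; confirming that fingerprint through a trusted channel is still the reader's job. The status-line samples in the script are constructed for demonstration, not captured from a real run, and the second "other key" sample uses a made-up fingerprint.

```shell
#!/bin/sh
# Added example, not from the original post: verify a detached GPG signature
# and pin the expected signing-key fingerprint, so that a "Good signature"
# from some other key in the keyring is rejected instead of accepted.
# Relies on gpg's machine-readable status lines (--status-fd), specifically
# the VALIDSIG line, which carries the fingerprint of the key that signed.

# Fingerprint printed in the post's gpg output, spaces removed. For this
# example it is taken as the expected value; in practice confirm it through
# a trusted channel (the kernel.org signature page) before pinning it.
EXPECTED_FPR="647F28654894E3BD457199BE38DBBDC86092693E"

# Constructed sample status output (not captured from a real run): what
# gpg --status-fd emits for a good signature from the expected key ...
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>
[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2011-12-09 1323451006 0 4 0 1 2 00 647F28654894E3BD457199BE38DBBDC86092693E
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# ... and for a good signature made by a different (constructed, hypothetical)
# key: gpg still reports a good signature, but the fingerprint does not match.
SAMPLE_OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-12-09 1323451006 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# A tampered tarball produces BADSIG and no VALIDSIG line at all.
SAMPLE_BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 38DBBDC86092693E Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>'

# normalize_fpr FPR: strip spaces and upper-case, so the spaced form gpg
# prints for humans compares equal to the form on status lines.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# check_validsig STATUS_TEXT EXPECTED_FPR
#   Succeeds (exit 0) only if STATUS_TEXT contains a VALIDSIG line whose
#   primary-key fingerprint (field 12 when gpg appends it, otherwise the
#   signing fingerprint in field 3) equals EXPECTED_FPR.
check_validsig() {
    want=$(normalize_fpr "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3
            if (fpr == want) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# verify_detached SIGFILE DATAFILE EXPECTED_FPR
#   Runs gpg on a real file pair (e.g. linux-3.1.5.tar.sign linux-3.1.5.tar),
#   sends status lines to stdout, and pins the fingerprint. Exit 0 only when
#   the signature is valid AND was made by the expected key.
verify_detached() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    if check_validsig "$status" "$3"; then
        echo "OK: $2 carries a valid signature from key $3"
    else
        echo "FAIL: $2 has no valid signature from key $3" >&2
        return 1
    fi
}

# Usage on the post's files:
#   verify_detached linux-3.1.5.tar.sign linux-3.1.5.tar "$EXPECTED_FPR"
```

Reading the status lines rather than grepping the human-readable "Good signature" text matters because the human output is localized and changes between gpg versions, while the VALIDSIG line is the documented interface; pinning the fingerprint turns a check that any key in the keyring could pass into a check that only the intended release key can pass.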

[1]. http://en.wikipedia.org/wiki/Information_security
[2]. http://www.kernel.org/signature.html#using-gnupg-to-verify-kernel-signatures
