Some of the key concepts of information security include confidentiality, integrity, availability, authenticity and non-repudiation. A digital signature is an efficient way of maintaining integrity, authenticity and non-repudiation.
A digitally signed message ensures that the message was sent by a known sender (authenticity), that it arrived without any alteration (integrity), and that the sender cannot deny having sent it (non-repudiation).
This post shows how to verify a digital signature by checking the signature on a Linux kernel release using GPG (GNU Privacy Guard). Follow the steps below for the verification.
1. Download linux kernel
$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.xz
2. Download the signature
$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.sign
3. The signature is made over the uncompressed .tar, not the .xz file, so decompress the archive first.
$ unxz linux-3.1.5.tar.xz
4. Now verify the .tar file against the signature with the gpg command.
$ gpg --verify linux-3.1.5.tar.sign
gpg: Signature made Fri 09 Dec 2011 12:16:46 PM EST using RSA key ID 6092693E
gpg: Can't check signature: public key not found
5. To verify the signature, download the public key for the key ID gpg reported (6092693E) from a PGP keyserver.
$ gpg --recv-keys 6092693E
gpg: requesting key 6092693E from hkp server subkeys.pgp.net
gpg: key 6092693E: public key "Greg Kroah-Hartman (Linux kernel stable release signing key) <email@example.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 3 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
6. Rerun the verify command.
$ gpg --verify linux-3.1.5.tar.sign
gpg: Signature made Fri 09 Dec 2011 12:16:46 PM EST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <firstname.lastname@example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
This shows that the downloaded kernel cannot yet be trusted: "Good signature" only means the signature is mathematically valid for the key that was fetched, and the WARNING means there is no indication that this key actually belongs to its claimed owner. Anyone can upload a key with any name to a keyserver, so the missing step is to compare the primary key fingerprint printed above against one obtained out of band (for example, the fingerprint kernel.org publishes for its release signing keys). This checking is essential so that you don't end up using the wrong downloads. It is always important to verify signatures before you start using anything. Keep yourself safe on the Internet.
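When this check is scripted rather than done by eye, the reliable way to read gpg's verdict is its machine-readable --status-fd output (documented in gpg's doc/DETAILS) instead of the human-readable messages shown above. The following is an added example, not code from the original post: it parses those status lines and accepts a download only when the signature is good and the primary key fingerprint equals a pinned value. The pinned fingerprint is the one gpg printed in step 6; the status lines fed to it below are constructed to mirror the two runs in the post (step 4 with no public key, step 6 with a good signature), and the gpg_status_lines helper that drives a real gpg process is mine, not something the post uses.

```python
"""Decide whether a gpg detached-signature verification should be trusted.

Parses the [GNUPG:] lines gpg emits on --status-fd and accepts the signed
file only when the signature is good AND the primary key fingerprint matches
one pinned from an out-of-band source. A "Good signature" alone is not enough:
it only proves the signature matches whatever key happened to be fetched.
"""
import re
import subprocess

# Fingerprint printed by gpg in step 6 of the post (spaces removed). In real
# use, pin the value published by the project through a trusted channel.
PINNED_FINGERPRINTS = {"647F28654894E3BD457199BE38DBBDC86092693E"}

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(lines):
    """Map each [GNUPG:] keyword to its whitespace-split arguments."""
    status = {}
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if m:
            status[m.group(1)] = (m.group(2) or "").split()
    return status


def evaluate(status_lines, pinned=PINNED_FINGERPRINTS):
    """Return (accepted, reason) for one verification run's status output."""
    st = parse_status(status_lines)
    if "NO_PUBKEY" in st:
        return False, "public key %s not in keyring; fetch it and check its fingerprint first" % st["NO_PUBKEY"][0]
    if "BADSIG" in st:
        return False, "signature does not match the file (altered download or wrong signature)"
    if "GOODSIG" not in st or "VALIDSIG" not in st:
        return False, "no good signature found"
    # VALIDSIG fields: <fpr> <date> <timestamp> <expire> <version> <reserved>
    #                  <pubkey_algo> <hash_algo> <sig_class> <primary_fpr>
    validsig = st["VALIDSIG"]
    primary_fpr = validsig[9] if len(validsig) > 9 else validsig[0]
    if primary_fpr.upper() not in pinned:
        return False, "good signature, but key %s is not the pinned release key" % primary_fpr
    return True, "good signature from pinned key %s" % primary_fpr


def gpg_status_lines(signature_path, data_path):
    """Run gpg on a real detached signature and return its status lines (hypothetical helper)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True,
    )
    return proc.stdout.splitlines()


# Constructed status output mirroring step 4 (key not yet in the keyring).
RUN_NO_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 38DBBDC86092693E 1 2 00 1323451006 9",
    "[GNUPG:] NO_PUBKEY 38DBBDC86092693E",
]

# Constructed status output mirroring step 6 (good signature, key not certified).
RUN_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman (Linux kernel stable release signing key)",
    "[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2011-12-09 1323451006 0 4 0 1 2 00"
    " 647F28654894E3BD457199BE38DBBDC86092693E",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

if __name__ == "__main__":
    for name, run in (("step 4", RUN_NO_KEY), ("step 6", RUN_GOOD)):
        accepted, reason = evaluate(run)
        print("%s: %s (%s)" % (name, "ACCEPT" if accepted else "REJECT", reason))
```

Note that the step 6 run is accepted even though gpg reports TRUST_UNDEFINED: the decision rests on the pinned fingerprint, not on the local web of trust, which is exactly the check the WARNING above is asking for. Swap the pinned set for a different fingerprint and the same "Good signature" is rejected.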