Classic Shell Scripting - Arnold Robbins [164]

information from a file checksum as well as from the signer's private key. It is therefore important to know how to verify such signatures, and if a signature file is available, you should always verify it. Here is how you can do so with GnuPG:

    $ ls -l coreutils-5.0.tar*                        Show the distribution files
    -rw-rw-r--  1 jones devel 6020616 Apr  2  2003 coreutils-5.0.tar.gz
    -rw-rw-r--  1 jones devel      65 Apr  2  2003 coreutils-5.0.tar.gz.sig
    $ gpg coreutils-5.0.tar.gz.sig                    Try to verify the signature
    gpg: Signature made Wed Apr  2 14:26:58 2003 MST using DSA key ID D333CBA1
    gpg: Can't check signature: public key not found

The signature verification failed because we have not added the signer's public key to the gpg key ring. If we knew who signed the file, then we might be able to find the public key at the signer's personal web site or ask the signer for a copy via email. However, the only information that we have here is the key ID. Fortunately, people who use digital signatures generally register their public keys with a third-party public-key server, and that registration is automatically shared with other key servers. Some of the major ones are listed in Table 10-2, and more can be found by web search engines. Replicated copies of public keys enhance security: if one key server is unavailable or compromised, you can easily switch to another one.

Table 10-2. Major public-key servers

    Country   URL
    Belgium   http://www.keyserver.net/en/
    Germany   http://math-www.uni-paderborn.de/pgp/
    Germany   http://pgp.zdv.uni-mainz.de/keyserver/pks-commands.html#extract
    UK        http://www.cl.cam.ac.uk/PGP/pks-commands.html#extract
    USA       http://pgp.mit.edu/

Use a web browser to visit the key server, type the key ID 0xD333CBA1 into a search box (the leading 0x is mandatory), and get a report like this:

    Public Key Server -- Index ''0xD333CBA1 ''

    Type bits /keyID    Date       User ID
    pub  1024D/D333CBA1 1999/09/26 Jim Meyering
    ...

Follow the link on the key ID (D333CBA1 in the preceding report) to get a web page that looks like this:

    Public Key Server -- Get ''0xD333CBA1 ''

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: PGP Key Server 0.9.6

    mQGiBDftyYoRBACvICTt5AWe7kdbRtJ37IZ+ED5tBA/IbISfqUPO+HmL/J9JSfkV
    QHbdQR5dj5mrU6BY5YOY7L4KOS6lH3AgvsZ/NhkDBraBPgnMkpDqFb7z4keCIebb
    ...
    -----END PGP PUBLIC KEY BLOCK-----

Finally, save the key text in a temporary file—say, temp.key—and add it to your key ring:

    $ gpg --import temp.key                           Add the public key to your key ring
    gpg: key D333CBA1: public key "Jim Meyering " imported
    gpg: Total number processed: 1
    gpg:               imported: 1

Now you can verify the signature successfully:

    $ gpg coreutils-5.0.tar.gz.sig                    Verify the digital signature
    gpg: Signature made Wed Apr  2 14:26:58 2003 MST using DSA key ID D333CBA1
    gpg: Good signature from "Jim Meyering "
    gpg:                 aka "Jim Meyering "
    gpg:                 aka "Jim Meyering "
    gpg:                 aka "Jim Meyering "
    gpg:                 aka "Jim Meyering "
    gpg: checking the trustdb
    gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
    gpg: next trustdb check due at ????-??-??
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: D70D 9D25 AF38 37A5 909A 4683 FDD2 DEAC D333 CBA1

The warning in the successful verification simply means that you have not certified that the signer's key really does belong to him. Unless you personally know the signer and have good reason to believe that the key is valid, you should not certify keys.
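The warning is about trust, not validity: the practical defense is to compare the reported fingerprint with one obtained out of band rather than to certify the key. The following POSIX shell script is an added example, not code from the book; it parses gpg's machine-readable --status-fd output and accepts a signature only when the signing key (or its primary key) matches a pinned fingerprint, rejecting bad or unknown-key signatures. It assumes gpg(1) is installed for the live check, and the sample status lines it contains are constructed.

```shell
#!/bin/sh
# Added example (not code from the book): verify a detached GnuPG signature
# while pinning the signer's fingerprint, so the "not certified" warning is
# replaced by an explicit check against a value obtained out of band.
# verify_pinned needs gpg(1); check_status needs no gpg at all.

# Fingerprint from the book's transcript for key ID D333CBA1, written without
# spaces, which is how gpg's status lines report it.
EXPECTED_FPR="D70D9D25AF3837A5909A4683FDD2DEACD333CBA1"

# check_status EXPECTED: read "gpg --status-fd" lines on stdin and succeed only
# when a VALIDSIG line names EXPECTED as the signing key or its primary key.
# Status lines are stable across gpg versions and locales; the human-readable
# "Good signature from ..." text is not, so never grep for that.
check_status() {
    expected=$1
    while read -r tag kw fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
        VALIDSIG)
            primary=${rest##* }     # last field is the primary key fingerprint
            if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                return 0
            fi
            echo "valid signature, but from unexpected key $fpr" >&2
            return 1 ;;
        BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)
            echo "signature rejected: $kw $fpr" >&2
            return 1 ;;
        esac
    done
    echo "no VALIDSIG line in gpg status output" >&2
    return 1
}

# verify_pinned ARCHIVE SIGFILE: status lines go to fd 1, chatter to stderr;
# gpg takes the signature file before the file it signs.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed sample of status output for the book's coreutils-5.0 signature
# (fields after the fingerprint are illustrative, not captured from a real run).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FDD2DEACD333CBA1 Jim Meyering
[GNUPG:] VALIDSIG D70D9D25AF3837A5909A4683FDD2DEACD333CBA1 2003-04-02 1049318818 0 3 0 17 2 00 D70D9D25AF3837A5909A4683FDD2DEACD333CBA1
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# check_sample: run the parser over the constructed sample; exits 0 on a match.
check_sample() { printf '%s\n' "$SAMPLE_STATUS" | check_status "$EXPECTED_FPR"; }
```

In a build or download script, call `verify_pinned coreutils-5.0.tar.gz coreutils-5.0.tar.gz.sig || exit 1` after the key has been imported as shown above.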

An attacker could modify and repackage the distribution, but without knowledge of the signer's (secret) private key, the digital signature cannot be reproduced, and gpg detects the attack:

    $ ls -l coreutils-5.0.tar.gz                      List the maliciously modified archive file
    -rw-rw-r--  1 jones devel 6074205 Apr  2  2003 coreutils-5.0.tar.gz
    $ gpg coreutils-5.0.tar.gz.sig                    Try to
