Classic Shell Scripting - Arnold Robbins
verify the digital signature

gpg: Signature made Wed Apr 2 14:26:58 2003 MST using DSA key ID D333CBA1
gpg: BAD signature from "Jim Meyering "

Digital signatures ensure that the file at your site matches the one prepared and signed at the remote site. Of course, an undetected attack on the signer's system before the software was packaged for distribution would not be revealed when the signature was verified. Security is never perfect.

You do not need to use a web browser to retrieve a public key: the GNU wget utility[15] can do the job once you figure out the syntax of the URL expected by a particular key server. The script in Example 10-3 makes retrieval easy and provides a reminder of how to add the public keys to your key rings.

Example 10-3. Automating public-key retrieval

#! /bin/sh -
# Get one or more PGP/GPG keys from a key server.
#
# Usage:
#       getpubkey key-ID-1 key-ID-2 ...

IFS='
'

PATH=/usr/local/bin:/usr/bin:/bin
export PATH

for f in "$@"
do
    g=0x`echo $f | sed -e 's/^0x//'`        # Ensure 0x prefix
    tmpfile=/tmp/pgp-$g.tmp.$$
    wget -q -O - "http://pgp.mit.edu:11371/pks/lookup?op=get&search=$g" > "$tmpfile"
    ls -l "$tmpfile"
    echo "Try: pgp -ka $tmpfile"
    echo "     pgpgpg -ka $tmpfile"
    echo "     rm -f $tmpfile"
done

Here is an example of its use:

$ getpubkey D333CBA1                    Get the public key for key ID D333CBA1
-rw-rw-r-- 1 jones jones 4567 Apr 6 07:26 /tmp/pgp-0xD333CBA1.tmp.21649
Try: pgp -ka /tmp/pgp-0xD333CBA1.tmp.21643
     pgpgpg -ka /tmp/pgp-0xD333CBA1.tmp.21643
     rm -f /tmp/pgp-0xD333CBA1.tmp.21643

Some keys can be used with both PGP and GnuPG, but others cannot, so the reminder covers both. Because the command-line options for gpg and pgp differ, and pgp was developed first, gpg comes with a wrapper program, pgpgpg, that takes the same options as pgp, but calls gpg to do the work. Here, pgpgpg -ka is the same as gpg --import.
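Two details of Example 10-3 deserve attention from a security standpoint: the key ID is spliced into the URL without any check that it is really a hexadecimal ID, and the temporary file has a predictable name built from the key ID and the process ID, so a hostile local user can pre-create or symlink it in the shared /tmp directory. The reworked version below is an added example, not code from the book; it keeps the same job but validates the argument before it reaches the URL, lets mktemp choose an unpredictable private file name (mktemp is not part of the book's POSIX toolset but is standard on GNU and BSD systems), and reminds you to check the fingerprint, since a key fetched from a key server is only a claim until you have compared the fingerprint against a source you trust. The default server URL is the one from the book's script; the KEYSERVER environment variable is an assumption added here so you can point it at an https key server instead.

```shell
#! /bin/sh -
# getpubkey, reworked: validate the key ID, use an unpredictable temp
# file, and print gpg-based reminders. Added example, not the book's code.

PATH=/usr/local/bin:/usr/bin:/bin
export PATH

# Server from the book's script; override with an https server if you can.
KEYSERVER=${KEYSERVER:-http://pgp.mit.edu:11371}

# normalize_keyid ID: drop an optional 0x prefix, accept only 8, 16 or 40
# hex digits (short ID, long ID, or full fingerprint) and print the ID
# uppercased with a 0x prefix. Anything else returns 1, so a stray
# argument can never be spliced into the URL.
normalize_keyid() {
    id=$(printf '%s' "$1" | sed -e 's/^0[xX]//' | tr 'a-f' 'A-F')
    case $id in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    case ${#id} in
        8|16|40) printf '0x%s\n' "$id" ;;
        *) return 1 ;;
    esac
}

# lookup_url ID: the HKP "get" query for an already normalized key ID.
lookup_url() {
    printf '%s/pks/lookup?op=get&search=%s\n' "$KEYSERVER" "$1"
}

# fetch_key ID: download the key into a fresh private temp file created by
# mktemp (mode 0600, random suffix) and print the reminder lines.
fetch_key() {
    g=$(normalize_keyid "$1") || {
        printf 'getpubkey: %s is not a key ID or fingerprint\n' "$1" >&2
        return 1
    }
    tmpfile=$(mktemp "${TMPDIR:-/tmp}/pgp-$g.XXXXXX") || return 1
    wget -q -O - "$(lookup_url "$g")" > "$tmpfile" || {
        rm -f "$tmpfile"
        return 1
    }
    ls -l "$tmpfile"
    echo "Try: gpg --import $tmpfile"
    echo "     gpg --fingerprint $g      # compare with an out-of-band copy"
    echo "     rm -f $tmpfile"
}

# Fetch only when key IDs are given on the command line.
for f in "$@"
do
    fetch_key "$f"
done
```

Run it exactly like the original (getpubkey D333CBA1); an argument that is not a valid ID is rejected with a message instead of being sent to the server. The fingerprint reminder is the important line: the download itself proves only that some server returned some key.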

getpubkey allows you to add retrieved keys to either, or both, of your GnuPG and PGP key rings, at the expense of a bit of cut-and-paste. gpg provides a one-step solution, but only updates your GnuPG key ring:

$ gpg --keyserver pgp.mit.edu --search-keys 0xD333CBA1
gpg: searching for "0xD333CBA1" from HKP server pgp.mit.edu
Keys 1-6 of 6 for "0xD333CBA1"
(1) Jim Meyering
    1024 bit DSA key D333CBA1, created 1999-09-26
...
Enter number(s), N)ext, or Q)uit > 1
gpg: key D333CBA1: public key "Jim Meyering " imported
gpg: Total number processed: 1
gpg:               imported: 1

The --keyserver option is only required the first time, but you can later use it to specify a different server. Besides a key ID, the --search-keys option accepts an email address, username, or personal name.

* * *

[9] Available at http://www.math.utah.edu/pub/checksum/.

[10] R. Rivest, RFC 1321: The MD5 Message-Digest Algorithm, available at ftp://ftp.internic.net/rfc/rfc1321.txt. md5sum is part of the GNU coreutils package.

[11] NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995, available at http://www.cerberussystems.com/INFOSEC/stds/fip180-1.htm, and implemented in the GNU coreutils package.

[12] If you randomly select an item from a collection of N items, each has a 1/N chance of being chosen. If you select M items, then of the M(M-1)/2 possible pairs, the chance of finding a pair with identical elements is (M(M-1)/2)/N. That value reaches probability 1/2 for M about the square root of N. This is called the birthday paradox; you can find discussions of it in books on cryptography, number theory, and probability, as well as at numerous web sites. Its glossary entry includes a short proof and numerical examples.

[13] Available at ftp://ftp.gnupg.org/gcrypt/gnupg/ and http://www.gnupg.org/.

[14] Available at http://web.mit.edu/network/pgp.html.

[15] Available at ftp://ftp.gnu.org/gnu/wget/.

Summary

In this chapter, we showed how to list files and file metadata with ls and stat, and how to set file timestamps with touch. The touch experiments revealed information about the time-of-day clock and its limited range
