Verifying the source package PGP signature

Ken Raeburn raeburn at MIT.EDU
Thu Sep 25 13:18:16 EDT 2008


On Sep 25, 2008, at 12:45, Klaus Heinrich Kiwi wrote:
> How can I verify the PGP signature for say, krb5-1.6.3-signed.tar? Are
> there simple steps that I can take to do that?
>
> I'm actually trying to document it for a customer.

Tom Yu's PGP key was used to sign that.  His public key should be available from the PGP key servers.

It depends on the specific PGP software you use, but something like this for example:

$ tar xvf krb5-1.6.3-signed.tar
krb5-1.6.3.tar.gz
krb5-1.6.3.tar.gz.asc
$ gpg krb5-1.6.3.tar.gz.asc
gpg: Signature made Mon Oct 22 17:04:31 2007 EDT using RSA key ID F376813D
gpg: Good signature from "Tom Yu <tlyu at MIT.EDU>"
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58  3F 21 5C C8 5C C4 55 24

If the source tar file or signature is modified or corrupted, you'll get a different message out:

$ echo malware > krb5-1.6.3.tar.gz
$ gpg krb5-1.6.3.tar.gz.asc
gpg: Signature made Mon Oct 22 17:04:31 2007 EDT using RSA key ID F376813D
gpg: BAD signature from "Tom Yu <tlyu at MIT.EDU>"
$

So what's to prevent some malware author from creating a key in Tom's name and signing his own version of the package?  Well, nothing; as usual with PGP, the security depends on the "web of trust" scheme linking the verifier to Tom.  We don't have any mechanism tied in to a centralized global PKI to verify the integrity of the distribution.

It would be more difficult to duplicate the key ID number and fingerprint as well, but you still have the question of how to securely get that info to the customers.  Maybe putting it in your documentation is sufficient?

Ken
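As an added example (not from Ken's mail or from the MIT Kerberos project), a POSIX shell script that performs the verification described above and also pins the signer to a fingerprint obtained out of band, so that a second key created in the signer's name does not pass. It assumes GnuPG's machine-readable --status-fd output, that the signer's public key has already been imported, and EXPECTED_FPR is a placeholder to be replaced with the real fingerprint (for instance the one printed in vendor documentation).

```shell
#!/bin/sh
# Added example (not from the original mail): verify a detached PGP
# signature on a source tarball and pin the signer to a known fingerprint,
# so a look-alike key created in the same name is rejected.
# Assumes GnuPG with --status-fd output and that the signer's public key
# has already been imported. EXPECTED_FPR is a placeholder: replace it with
# the fingerprint obtained out of band (e.g. from the vendor documentation).
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Read GnuPG status lines on stdin. Succeed only on a VALIDSIG line whose
# signing-key fingerprint matches the expected one (spacing and case are
# normalised, so "52 E0 3E ..." style fingerprints work). Any BADSIG,
# ERRSIG or NO_PUBKEY line fails immediately; no VALIDSIG at all fails too.
check_validsig() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- $line                     # $3 is the signing-key fingerprint
                fpr=$(printf '%s' "$3" | tr 'a-f' 'A-F')
                [ "$fpr" = "$expected" ] && found=0
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1
                ;;
        esac
    done
    return $found
}

# Verify TARBALL against TARBALL.asc; exit status 0 means a good signature
# from the pinned key. Human-readable gpg output is discarded; the
# machine-readable status stream is what the decision is based on.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
        | check_validsig "$EXPECTED_FPR"
}

# Usage: sh verify.sh krb5-1.6.3.tar.gz
if [ $# -ge 1 ]; then
    verify_tarball "$1"
fi
```

Checking the status stream rather than the human-readable "Good signature" text keeps the script robust against localisation and wording changes, and the fingerprint comparison is what turns "some key named Tom Yu" into "the key we expect".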
