How to verify the MIT kerberos tarball by using MIT PGP public key
v.rathor at gmail.com
Fri Sep 15 03:09:41 EDT 2006
What i'm going to write may be obvious & well-known for many people but
some will still find it useful...
The other day, i downloaded the MIT kerberos 1.5 and wanted to verify the
authenticity and the integrity of the tarball. After hours of searching &
smashing my head with many obstacles, although i got the proper way to do
this, but what i observe is the MIT-kerberos home web-page do not talk about
this issue, which was disheartening.:-(
Therefore, I'll request the MIT Kerberos guys to put up some guidelines
on how to verify the tarball by using the MIT PGP public key.
For example, here are my learnings:
*How to verify the MIT kerberos tarball by using MIT PGP public key
You have downloaded any tar ball from MIT web site and now you want to check
the authenticity and integrity of the tarball. What do you do?????
Well, don't scratch your head much. Simply follow this guideline:
1.) Get a gpg command line tool to create/verify PGP-signed contents for
your system. (http://www.gnupg.org)
2.) When successfully installed, try to verify your tarball by running this:
D:\MIT Kerberos>gpg - -verify <sign_file> <tarball_name>
At first run, this will give an error (see example that follows)
D:\MIT Kerberos>gpg - -verify krb5-1.5.tar.gz.asc krb5-1.5.tar.gz
gpg: Signature made 07/01/06 10:46:09 using RSA key *ID F376813D
*gpg: Can't check signature: public key not found
3.) This means, in order to verify any tarball, all u need is the PGP public
key of the person who signed that tarball. So either we can go use our GPG
tool to get the public key OR go to (http://pgp.mit.edu). Here, you can
search the public key you want. To search, use key ID of the key, displayed
in the above error message.
*NOTE*:You can also use the GnuPG tool to import key directly from key
server without manually searching, copying & then adding key by yourself. For
this use the following command,
D:\MIT Kerberos>gpg - -keyserver pgp.mit.edu - -recv-keys
4.) If you choose to search on web site, the search will show the listing
(type, size, date, userid) of the key with the specified keyID. Click on the
keyID hyperlink to get the public key.
5.) Clicking on the hypertext link will display an ASCII-armored version of
the public key. So select the text block under the following headings
(including the headings!)
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
6.) Save the selection in a new text file with extension ".asc"(because the
key is ASCII armored)
7.) Now you have the public key of the person who signed your tarball. To
add this key to your public key ring, do
D:\MIT Kerberos>gpg - -import <key_file>
D:\MIT Kerberos>gpg - -import mit_pub_key_of_tom_yu.asc
gpg: key F376813D: duplicated user ID detected - merged
gpg: key F376813D: public key "Tom Yu <tlyu at MIT.EDU>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
8.) Once again, run verification command. Now it will try to verify the
D:\MIT Kerberos\krb5-1.5-signed>gpg - -verify krb5-1.5.tar.gz.asc
gpg: Signature made 07/01/06 10:46:09 using RSA key ID F376813D
gpg: Good signature from "Tom Yu <tlyu at MIT.EDU>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58 3F 21 5C C8 5C C4 55 24
(NOTE: Be ready to see some warnings regarding no certification and/or no
belonging of the key. This is acceptable because you did not created a trust
path to the MIT PGP key)
9.) Once your tarball has been verified, you are free to use this.
Thanx in advance...
U guys really rox.....
More information about the krbdev