check-gpg-signing-of-MIT-krb5-1.8.3-signed.tar

Rainer Laatsch Laatsch at uni-koeln.de
Sat Aug 28 20:29:15 EDT 2010


I did not find a quick way to check the signature of e.g.
  krb5-1.8.3-signed.tar
Searching web space, I found something (see below), which I adapted to
Linux (Scientific Linux 5.4, should work for others too).
Don't know if I am allowed to post to this list, but possibly
someone could pick this up and direct to the community something
like this to check signed tar files.

Thanks for this great software!

Best regards
R.

===============================================================
 	Adapted from a mail found in
  http://mailman.mit.edu/pipermail/krbdev/2006-September/004952.html

How to verify the MIT kerberos tarball by using MIT PGP public key
Vipin Rathor v.rathor at gmail.com
Fri Sep 15 03:09:41 EDT 2006

  Hi all,
    What I'm going to write may be obvious & well-known for many people but
some will still find it useful...

    The other day, I downloaded the MIT kerberos 1.5 and wanted to verify the
authenticity and the integrity of the tarball. After hours of searching &
smashing my head with many obstacles, although I got the proper way to do
this, what I observe is the MIT-kerberos home web-page does not talk about
this issue, which was disheartening.:-(
    Therefore, I'll request the MIT Kerberos guys to put up some guidelines
on how to verify the tarball by using the MIT PGP public key.
    For example, here are my learnings ...
[seems he has done it under some Windoze]
=======================================================================


I adapted that to my linux:

Downloaded the new
  krb5-1.8.3-signed.tar 
root at host103# mv krb5-1.8.3-signed.tar /afs/.home/vol/TARFILES/
root at host103# cd /afs/.home/vol/TARFILES/
root at host103# tar -xvf krb5-1.8.3-signed.tar
root at host103# ls -latr /afs/.home/vol/TARFILES/kr*
...
-rw-r--r-- 1 18940 stapdev 11636070 Aug  4 18:46 krb5-1.8.3.tar.gz
-rw-r--r-- 1 18940 stapdev      303 Aug  4 20:32 krb5-1.8.3.tar.gz.asc
-rw-r--r-- 1 root  root    11642880 Aug 28 17:49 krb5-1.8.3-signed.tar

root at host103# gpg  --verify  krb5-1.8.3.tar.gz.asc krb5-1.8.3.tar.gz
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Signature made Wed Aug  4 20:32:46 2010 CEST using RSA key ID F376813D
gpg: Can't check signature: public key not found

root at host103# gpg  --keyserver pgp.mit.edu  --recv-keys F376813D
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: requesting key F376813D from hkp server pgp.mit.edu
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key F376813D: public key "Tom Yu <tlyu at MIT.EDU>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

root at host103# gpg  --verify  krb5-1.8.3.tar.gz.asc krb5-1.8.3.tar.gz
gpg: Signature made Wed Aug  4 20:32:46 2010 CEST using RSA key ID F376813D
gpg: Good signature from "Tom Yu <tlyu at MIT.EDU>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58  3F 21 5C C8 5C C4 55 24

# As signed OK by Tom Yu, I believe the file contents are correct.
#
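
Added example, not part of the original post and not MIT's own tooling: the "Good signature" line above only shows that the tarball matches whichever key the key server returned, which is what the gpg WARNING is pointing at. This sketch parses gpg's machine-readable `--status-fd` output and accepts the file only when the signing key's primary fingerprint equals a pinned value. Assumptions: the helper names are hypothetical, the pinned fingerprint is the one printed in the post and has been confirmed through a channel other than the key server, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example. Fingerprint copied from the gpg output in the post (spaces
# removed); assumption: it has been confirmed out-of-band before being pinned.
PINNED_FPR="52E03EE938AE70583F215CC85CC45524"

# check_status FPR  (hypothetical helper)
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only when a
# VALIDSIG line names FPR as the primary key and no failure status appears.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; older gpg omits it.
            fpr = toupper((NF >= 12) ? $12 : $3)
            if (fpr == want) ok = 1; else bad = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_tarball SIGFILE DATAFILE  (hypothetical wrapper)
verify_tarball() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status lines for offline checking (not captured from a real run).
sample_good() {
    cat <<'EOF'
[GNUPG:] VALIDSIG 52E03EE938AE70583F215CC85CC45524 2010-08-04 1280946766 0 3 0 1 2 00 52E03EE938AE70583F215CC85CC45524
EOF
}
sample_other_key() {   # good signature, but from a key that is not the pinned one
    cat <<'EOF'
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2010-08-04 1280946766 0 3 0 1 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EOF
}
sample_bad() {         # data does not match the signature (placeholder key ID)
    cat <<'EOF'
[GNUPG:] BADSIG 0000000000000000 Tom Yu <tlyu at MIT.EDU>
EOF
}

if [ "$#" -eq 2 ]; then
    verify_tarball "$1" "$2" || { echo "signature check FAILED" >&2; exit 1; }
    echo "signature OK from pinned key"
fi
```

Saved under any name, the script takes the `.asc` file and the tarball as its two arguments and exits non-zero unless the pinned key made the signature.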





