Rainer Laatsch Laatsch at
Sat Aug 28 20:29:15 EDT 2010

I did not find a quick way to check the signature of e.g.
Searching web space, I found something (see below), which I adapted to
Linux (Scientific Linux 5.4, should work for others too).
Don't know if I am allowed to post to this list, but possibly
someone could pick this up and direct to the community something
like this to check signed tar files.

Thanks for this great software!

Best regards

 	Adapted from a mail found in

How to verify the MIT kerberos tarball by using MIT PGP public key
Vipin Rathor v.rathor at
Fri Sep 15 03:09:41 EDT 2006

  Hi all,
    What I'm going to write may be obvious & well-known for many people but
some will still find it useful...

    The other day, I downloaded the MIT kerberos 1.5 and wanted to verify the
authenticity and the integrity of the tarball. After hours of searching &
smashing my head with many obstacles, although I got the proper way to do
this, but what I observe is the MIT-kerberos home web-page does not talk about
this issue, which was disheartening.:-(
    Therefore, I'll request the MIT Kerberos guys to put up some guidelines
on how to verify the tarball by using the MIT PGP public key.
    For example, here are my learnings ...
[seems he has done it under some Windoze]

I adapted that to my Linux:

Downloaded the new
root at host103# mv krb5-1.8.3-signed.tar /afs/.home/vol/TARFILES/
root at host103# cd /afs/.home/vol/TARFILES/
root at host103# tar -xvf krb5-1.8.3-signed.tar
root at host103# ls -latr /afs/.home/vol/TARFILES/kr*
-rw-r--r-- 1 18940 stapdev 11636070 Aug  4 18:46 krb5-1.8.3.tar.gz
-rw-r--r-- 1 18940 stapdev      303 Aug  4 20:32 krb5-1.8.3.tar.gz.asc
-rw-r--r-- 1 root  root    11642880 Aug 28 17:49 krb5-1.8.3-signed.tar

root at host103# gpg  --verify  krb5-1.8.3.tar.gz.asc krb5-1.8.3.tar.gz
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Signature made Wed Aug  4 20:32:46 2010 CEST using RSA key ID F376813D
gpg: Can't check signature: public key not found

root at host103# gpg  --keyserver  --recv-keys F376813D
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: requesting key F376813D from hkp server
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key F376813D: public key "Tom Yu <tlyu at MIT.EDU>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

root at host103# gpg  --verify  krb5-1.8.3.tar.gz.asc krb5-1.8.3.tar.gz
gpg: Signature made Wed Aug  4 20:32:46 2010 CEST using RSA key ID F376813D
gpg: Good signature from "Tom Yu <tlyu at MIT.EDU>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58  3F 21 5C C8 5C C4 55 24

# As signed OK by Tom Yu, I believe the correct file contents.
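
Added example, not part of the original post: the "key is not certified" warning in the session above means gpg only confirmed that the file was signed by whichever key the keyserver returned, so this sketch also compares the signer's fingerprint against one obtained out of band. The function names and the verify.sh file name are hypothetical; `--batch`, `--status-fd` and the GOODSIG/VALIDSIG status lines are standard GnuPG.

```shell
#!/bin/sh
# Added example: verify a detached signature and require one pinned signer key.

# Strip spaces/colons and upper-case so spaced and compact forms compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# signer_fpr STATUS_TEXT: print the signer's primary-key fingerprint from
# `gpg --status-fd` output. Needs GOODSIG (good signature, key not expired or
# revoked) and VALIDSIG (which carries the fingerprint).
signer_fpr() {
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        # Field 12 is the primary-key fingerprint when present, else use field 3.
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
        END { if (!good || fpr == "") exit 1; print fpr }'
}

# check_status STATUS_TEXT EXPECTED_FPR
# 0 = good signature by the pinned key, 1 = no good signature,
# 2 = good signature made by a different key.
check_status() {
    got=$(signer_fpr "$1") || { echo "no good signature" >&2; return 1; }
    want=$(norm_fpr "$2")
    if [ -n "$want" ] && [ "$(norm_fpr "$got")" = "$want" ]; then
        return 0
    fi
    echo "good signature, but from unexpected key $got" >&2
    return 2
}

# verify_tarball SIGFILE DATAFILE EXPECTED_FPR
# EXPECTED_FPR must come from a source you trust, not from the keyserver.
verify_tarball() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    check_status "$status" "$3"
}

# Usage: sh verify.sh krb5-1.8.3.tar.gz.asc krb5-1.8.3.tar.gz "<fingerprint>"
if [ "$#" -eq 3 ]; then
    verify_tarball "$@"
    exit $?
fi
```

The exit status distinguishes a failed verification (1) from a good signature made by a key other than the pinned one (2), which is the case the plain `gpg --verify` output above does not catch.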
