- Software vendors use gpg to sign files as a mechanism more robust than MD5 sums to prove the authenticity of the files
- Creating a signature for the file doesn't encrypt the file; it's still in its normal format, whether it is a tarfile, package, or whatever
- You should also use gpg to check the signatures for files you download
- Bob decides he wants to install the program "wipe", which he downloads from http://wipe.sourceforge.net/download.html
- Bob downloads the file
wipe-2.1.0.tar.bz2.sig, which contains the signature for the file:
[bob@yohost bob]$ cat wipe-2.1.0.tar.bz2.sig
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEABECAAYFAj1bJKAACgkQDrxthObLl9oQJwCgoyaEN6GZHSa2r6MSz45QJklY
N+IAoIiu+nhilDEd7KFeMm8uE0RDJBnb
=AVzd
-----END PGP SIGNATURE-----
- bob uses
--verify to verify the file:
[bob@yohost bob]$ gpg --verify wipe-2.1.0.tar.bz2.sig wipe-2.1.0.tar.bz2
gpg: Signature made Wed 14 Aug 2002 11:48:48 PM EDT using DSA key ID E6CB97DA
gpg: Can't check signature: public key not found
- gpg tells bob that he needs to get the public key, and it tells him the ID that generated the signature, so he can get it from the keyserver:
[bob@yohost bob]$ gpg --recv-keys --keyserver pgp.mit.edu E6CB97DA
gpg: requesting key E6CB97DA from pgp.mit.edu ...
gpg: key E6CB97DA: public key imported
gpg: Total number processed: 1
gpg: imported: 1
- Now bob has a new key, and can verify the wipe tarfile:
[bob@yohost bob]$ gpg --list-keys
/home/bob/.gnupg/pubring.gpg
----------------------------
pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc
sub 2048g/961630A2 1999-09-23
pub 1024D/7776E936 2002-10-04 Mandi Walls
sub 1024g/E0524E3E 2002-10-04
pub 1024D/A9187B27 2003-01-29 Bob Smith (User Bob)
sub 1024g/8938F5F5 2003-01-29
pub 1024D/9004BC23 2003-01-29 Bob Smith (User Bob)
sub 1024g/B5577FFB 2003-01-29
pub 1024D/E6CB97DA 2002-02-26 Tom Vier
uid Tom Vier
sub 2048g/7A93AEDA 2002-02-26 [expires: 2004-02-26]
[bob@yohost bob]$ gpg --verify wipe-2.1.0.tar.bz2.sig wipe-2.1.0.tar.bz2
gpg: Signature made Wed 14 Aug 2002 11:48:48 PM EDT using DSA key ID E6CB97DA
gpg: Good signature from "Tom Vier "
gpg: aka "Tom Vier "
Could not find a valid trust path to the key. Let's see whether we
can assign some missing owner trust values.
No path leading to one of our keys found.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: DD7A 5403 4596 7F5D F2A4 7B6A 0EBC 6D84 E6CB 97DA
- Bob could also use the
gpgv command, which is a simplified version of gpg --verify but works the same way
- bob knows that the signature is a good signature. But what's all this trust business?