LinuxQuestions.org

Linux - General: How to verify downloaded kernel integrity (with *.sign files?) (https://www.linuxquestions.org/questions/linux-general-1/how-to-verify-downloaded-kernel-integrity-with-%2A-sign-files-346466/)

lowpro2k3 07-25-2005 03:32 AM

How to verify downloaded kernel integrity (with *.sign files?)
 
Let's say I go to kernel.org and download the latest kernel and the .sign file that accompanies the release:

Code:

$ ls -l
-rw-------  1 root root  46713120  linux-2.6.12.3.tar.gz
-rw-------  1 root root        248  linux-2.6.12.3.tar.gz.sign

How do I verify the checksum to ensure that the downloaded kernel matches the *.sign file? I have 'gpg' and the md5 tools installed on my system.

demian 07-25-2005 08:49 AM

Import the kernel.org public key:

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E

Verify the sig:

gpg --verify linux-2.6.12.3.tar.gz.sign linux-2.6.12.3.tar.gz

lowpro2k3 07-25-2005 02:06 PM

I didn't have any luck downloading the public key:

Code:

$ gpg --keyserver ....
gpg: Can't get keys from keyserver: Success
gpg: Total number processed: 0


demian 07-25-2005 02:34 PM

*shrugs* Works for me:

demian@luna:~ $ gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E
gpg: key 517D0F0E: public key "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
demian@luna:~ $

Alternative: Go here
http://wwwkeys.pgp.net:11371/pks/loo...rch=0x517D0F0E

Copy and paste the key into a file, say, kernel.key. Then import it using

gpg --import kernel.key

lowpro2k3 07-25-2005 06:31 PM

OK, thanks. I tried again and still got the same error, so I went to the website, copied/pasted the public key, and imported it using gpg. I know I have to 'gpg --verify ... ' now, but I can't figure out the command to use the stored key as the argument (instead of a filename...).

Thanks for your help


Code:

$ gpg --list-keys
/root/.gnupg/pubring.gpg
--------------------------------
pub  1024D/517D0F0E  2000-10-10  Linux Kernel Archives Verification Key <ftpadmin@kernel.org>
sub  4086G/E50A8F2A  2000-10-10


demian 07-26-2005 09:25 AM

Quote:

Originally posted by lowpro2k3
I know I have to 'gpg --verify ... ' now, but I can't figure out the command to use the stored key as the argument (instead of a filename...).
You use the command from my first post. The argument is the signature and the file to verify, not the public key.

entz 06-27-2011 07:23 PM

Well Hi,

I've a related question that already goes down this thread....

How about verifying the public key itself and making sure that whatever has been imported does indeed originate from the Linux kernel archive and is not some forged man-in-the-middle key?

I know I sound paranoid, but I'm curious to know. BTW, I've read about this in theory (CA and web of trust) but don't know how to make practical use of such things, etc.

cheers

berbae 06-28-2011 01:49 PM

It surely is not easy to be sure, but one way is to contact somebody on the kernel development team and ask him/her to tell you the fingerprint of the public key, either by phone or by real mail through the postal service, or by some other secure way.
You can also verify the key by its fingerprint with someone who has done the verification already.

But you have also to be sure that the person is really the one you think s/he is!
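The two checks the thread ends up with, as an added, runnable example that is not part of any post here: demian's `gpg --verify` of a tarball against its detached `.sign` file, and berbae's comparison of the imported key's fingerprint against one obtained out of band. It assumes GnuPG 2.x is installed and uses a throwaway keyring in a temporary directory, so it never touches `~/.gnupg` or the real kernel.org key; the signing key, the stand-in "tarball", and the "out-of-band" fingerprint are all constructed inside the script.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway GnuPG keyring that exercises
# the two checks discussed above:
#   1. verifying a tarball against its detached .sign file (gpg --verify, as in
#      demian's answer) and showing that one changed byte makes it fail;
#   2. comparing the imported key's fingerprint with one obtained out of band
#      (berbae's advice), so a forged key is caught before it is trusted.
# The key, the "tarball" and the "out-of-band" fingerprint are all constructed
# here; a real check uses the archive key and a fingerprint you got by phone,
# in person, or from someone who already verified it.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed; nothing to demonstrate"; exit 0; }

# Private keyring in a temp dir so the real ~/.gnupg is never touched.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# Fingerprint (40 hex digits) of the first key in the keyring, taken from the
# machine-readable "fpr" record of --with-colons output (field 10).
key_fingerprint() {
    gpg --batch --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Verify FILE against its detached signature SIG.  The exit status of
# gpg --verify is what matters: non-zero means the signature does not
# match the data (or the signing key is not in the keyring).
verify_detached() {
    file="$1"; sig="$2"
    if gpg --batch --verify "$sig" "$file" >/dev/null 2>&1; then
        echo valid
    else
        echo INVALID
    fi
}

# Compare the keyring fingerprint with one obtained out of band.  Spaces and
# letter case are ignored so "1234 abcd ..." read over the phone compares
# equal to the packed upper-case form gpg prints.
fingerprint_matches() {
    expected="$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')"
    actual="$(key_fingerprint)"
    if [ "$expected" = "$actual" ]; then echo match; else echo MISMATCH; fi
}

# --- constructed demo material (stands in for the archive key and tarball) ---
gpg --batch --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Demo Archive Key
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF

TARBALL="$GNUPGHOME/linux-demo.tar.gz"
printf 'constructed stand-in for a kernel tarball\n' > "$TARBALL"
# kernel.org's .sign files are ASCII-armoured detached signatures.
gpg --batch --armor --detach-sign --output "$TARBALL.sign" "$TARBALL" 2>/dev/null

# Stand-in for the fingerprint you would obtain out of band.
OOB_FINGERPRINT="$(key_fingerprint)"

# Runs all four checks and prints the outcomes on one line:
# genuine file, tampered file, correct fingerprint, wrong fingerprint.
demo() {
    genuine="$(verify_detached "$TARBALL" "$TARBALL.sign")"
    cp "$TARBALL" "$GNUPGHOME/tampered.tar.gz"
    printf 'x' >> "$GNUPGHOME/tampered.tar.gz"      # one extra byte
    tampered="$(verify_detached "$GNUPGHOME/tampered.tar.gz" "$TARBALL.sign")"
    good_fpr="$(fingerprint_matches "$OOB_FINGERPRINT")"
    bad_fpr="$(fingerprint_matches "0000 0000 0000 0000 0000 0000 0000 0000 0000 0000")"
    echo "$genuine $tampered $good_fpr $bad_fpr"
}

demo
```

Running it prints `valid INVALID match MISMATCH`: the untouched file verifies, the file with one appended byte does not, and only the fingerprint that actually came from the keyring matches. For the real kernel key, substitute the fingerprint you obtained out of band for `OOB_FINGERPRINT` and run `fingerprint_matches` against your normal keyring; a mismatch means the key you imported is not the one the archive signs with, whatever the key's user ID says.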

