[SOLVED] Hello, verifying kernel source

markings · 11-21-2011, 01:42 PM

Hello,

I've clearly remember the simplicity of verifying kernel source and the assurances knowing the source code was secure prior to kernel.org being hacked. Unfortunately it's not the case now, I've asked in multiple channels and know one seems to know why verifying kernel sources are failing. I've followed the howto at http://www.kernel.org/signatures.html in regards to importing the key into my keyring which I've done multiple times. I've download http://www.kernel.org/pub/linux/kern...6.32.48.tar.xz and it's corresponding signature file linux-2.6.32.48.tar.sign. Ran the command below:

Code:

 gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar.xz
gpg: Signature made Tue Nov  8 19:04:21 2011 EST using RSA key ID 6092693E
gpg: Can't check signature: No public key

I try again:

Code:

basis:/etc/php5/fpm # gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E
gpg: requesting key 517D0F0E from hkp server wwwkeys.pgp.net
gpg: key 517D0F0E: "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
basis:/usr/src # gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar.xz
gpg: Signature made Tue Nov  8 19:04:21 2011 EST using RSA key ID 6092693E
gpg: Can't check signature: No public key

jthill · 11-21-2011, 01:58 PM

Code:

# gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E
[...]
# gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar.xz
gpg: Signature made Tue Nov  8 19:04:21 2011 EST using RSA key ID 6069293E

markings · 11-21-2011, 02:06 PM

Hello,

As someone point out, the correct link is http://www.kernel.org/signature.html.

@jthill
Can you elaborate the meaning of what you've highlighted?

jthill · 11-21-2011, 02:41 PM

I highlighted the key id you fetched and the key id used to sign. They're different. Fetch the actual signer's key, then do gpg --list-sigs to see who's swearing that really is "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>", then fetch those and start googling the key ids until you're satisfied.

I see the signatures page says "$Id: signature.html,v 1.36 2002/07/15 18:27:03 hpa Exp laredo $"; it seems to me they've forgotten to update it.

(edit: I emailed them about it already)

markings · 11-21-2011, 03:42 PM

Hello,

Thanks to jthill for highlighting the discrepancies in the key ids and to a tip I've received from someone else. I have successfully been able to verify the kernel source. Below are details of the steps I took to resolve the issues.

1. Fetch the kernel source and the corresponding signature key, in this example, I'm working with kernel version 2.6.32.48 from http://www.kernel.org/pub/linux/kernel/v2.6/longterm/

Code:

wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/linux-2.6.32.48.tar.xz
wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/linux-2.6.32.48.tar.sign

2. Fetch "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" Public Key from wwwkeys.pgp.net

Code:

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x6092693E

3. You first need to extract the tar file "linux-2.6.32.48.tar" from the compressed archive otherwise you will encounter the problem below:

Quote:

$ gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar.xz
gpg: Signature made Sat 12 Nov 2011 07:07:53 AM CST using RSA key ID 6092693E
gpg: BAD signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"

Extract file:

Code:

unxz linux-2.6.32.48.tar.xz
linux-2.6.32.48.tar

4. Then verify source

Code:

gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar
gpg: Signature made Tue Nov  8 19:04:21 2011 EST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E