LinuxQuestions.org
Old 01-21-2004, 11:21 AM   #1
visu
LQ Newbie
 
Registered: Jan 2004
Posts: 25

Rep: Reputation: 15
How to verify signature ?


Hi all!
How can I verify the source file signature in Linux? I have 2 files called file.tar.gz and file.tar.sig

Thanks in advance.

Regards,
visu
 
Old 01-21-2004, 11:56 AM   #2
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371
gpg --verify <file>.sig <file>

Or, in your specific case:

$ gpg --verify file.tar.gz.sig file.tar.gz

Hope this helps.
 
Old 01-22-2004, 03:37 AM   #3
visu
LQ Newbie
 
Registered: Jan 2004
Posts: 25

Original Poster
Rep: Reputation: 15
Hello,
Thanks a lot, it did with gpg command I got the following messages:

[user@linux1 Sources]$ gpg --verify nut-1.4.1.tar.gz.sig nut-1.4.1.tar.gz
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: /home/user/.gnupg: directory created
gpg: new configuration file `/home/user/.gnupg/gpg.conf' created
gpg: keyblock resource `/home/user/.gnupg/pubring.gpg': file open error
gpg: Signature made Sat Dec 6 10:18:33 2003 CET using DSA key ID 9DC0E77E
gpg: Can't check signature: public key not found

And also, how can I check with md5 files?

Any idea?

Thanks ,

visu
 
Old 05-01-2008, 11:34 AM   #4
bkzshabbaz
LQ Newbie
 
Registered: May 2008
Posts: 1

Rep: Reputation: 0
If you read the output, it says you don't have the public key. In cryptography, in order to verify a signature, you need the public key from the person who signed the file. If you want to verify an md5 hash, you can use the md5sum command.
 
Old 12-31-2008, 07:48 AM   #5
Amerefelie
LQ Newbie
 
Registered: Dec 2008
Posts: 3

Rep: Reputation: 0
Here's a quick bash script I use to authenticate files. It creates a "vendors.gpg" key ring that public keys are imported to instead of your default keyring. Also it will check md5, sha1, and sha256 hashes if present.

#!/bin/sh
VENDOR_KEYRING=vendors.gpg
# Detached signature (.sig or .asc): read the key ID from gpg's output,
# fetch that key into the vendor keyring, then verify against it.
if [ -e "$1.sig" ]
then
    KEYID="0x$(gpg --verify "$1.sig" "$1" 2>&1 | grep 'key ID' | awk '{print $NF}')"
    gpg --no-default-keyring --keyring "$VENDOR_KEYRING" --recv-key "$KEYID"
    gpg --keyring "$VENDOR_KEYRING" --verify "$1.sig" "$1"
elif [ -e "$1.asc" ]
then
    KEYID="0x$(gpg --verify "$1.asc" "$1" 2>&1 | grep 'key ID' | awk '{print $NF}')"
    gpg --no-default-keyring --keyring "$VENDOR_KEYRING" --recv-key "$KEYID"
    gpg --keyring "$VENDOR_KEYRING" --verify "$1.asc" "$1"
else
    echo "No GPG signature File"
fi
# Hash files: compare the freshly computed checksum line with the stored one.
if [ -e "$1.md5" ]
then
    if md5sum "$1" | diff -i - "$1.md5" 2> /dev/null
    then echo "Md5 hash match!"
    else echo "Md5 hash does not match!"
    fi
else
    echo "Md5 hash file not found."
fi
if [ -e "$1.sha1" ]
then
    if sha1sum "$1" | diff -i - "$1.sha1" 2> /dev/null
    then echo "Sha1 hash match!"
    else echo "Sha1 hash does not match!"
    fi
else
    echo "Sha1 hash file not found."
fi
if [ -e "$1.sha256" ]
then
    if sha256sum "$1" | diff -i - "$1.sha256" 2> /dev/null
    then echo "Sha256 hash match!"
    else echo "Sha256 hash does not match!"
    fi
else
    echo "Sha256 hash file not found."
fi
exit 0

Last edited by Amerefelie; 12-31-2008 at 07:58 AM. Reason: updated script for hash test fail.
 
Old 05-07-2009, 05:25 PM   #6
alavarre@gmail.com
LQ Newbie
 
Registered: May 2009
Posts: 2

Rep: Reputation: 0
Amerefelie script


Thanks for the script. I know BASH, but the verification stuff has always been a mystery, until now.

I did a few tweaks, posted below. Added comments, fixed a couple of typos, but mostly added the --keyserver pgp.mit.edu specification to specify a specific key server. gnupg.conf allows you to specify a default key server, but only with an HKP address:
QUOTE
# If you have problems connecting to a HKP server through a buggy http
# proxy, you can use keyserver option broken-http-proxy (see below),
# but first you should make sure that you have read the man page
# regarding proxies (keyserver option honor-http-proxy)
UNQUOTE
My gpg.conf could not decipher this with the setting
keyserver hkp://subkeys.pgp.net
so it is just easier to add it to the receive line.

Thank you again for the excellent illumination!!



Kind regards, Andy


============== Amended Script ==============
#!/bin/sh
# This routine was written by "Amerefelie"
# https://www.linuxquestions.org/quest...nature-137111/
# Last updated 090507 by Andy Lavarre alavarre@gmail.com to insert comment analysis documentation
# Last edited 081231 by Amerefelie at 07:58 AM. Reason: updated script for hash test fail.
# Usage:
#   tar_verify $1
#   where $1 is the name of the xxx.tar.gz file
# Name the key ring
VENDOR_KEYRING=vendors.gpg
# Report the input
echo "tar file is $1"
# If the signature file xxx.tar.gz.sig exists
if [ -e "$1.sig" ]
then
    # Then extract the key ID from the gpg output
    KEYID="0x$(gpg --verify "$1.sig" "$1" 2>&1 | grep 'key ID' | awk '{print $NF}')"
    echo "The key ID is $KEYID"
    # Pull the public key from the specified key server to the Vendor keyring
    gpg --no-default-keyring --keyring "$VENDOR_KEYRING" --keyserver pgp.mit.edu --recv-key "$KEYID"
    # Verify the file
    gpg --keyring "$VENDOR_KEYRING" --verify "$1.sig" "$1"
# Otherwise, if the signature file is an ASCII
elif [ -e "$1.asc" ]
then
    # Then extract the key ID from the gpg output
    KEYID="0x$(gpg --verify "$1.asc" "$1" 2>&1 | grep 'key ID' | awk '{print $NF}')"
    echo "The key ID is $KEYID"
    # Pull the public key from the specified key server to the Vendor keyring
    gpg --no-default-keyring --keyring "$VENDOR_KEYRING" --keyserver pgp.mit.edu --recv-key "$KEYID"
    # Verify the file
    gpg --keyring "$VENDOR_KEYRING" --verify "$1.asc" "$1"
# Otherwise complain that it does not exist
else
    echo "No GPG signature File"
# Finish
fi
# Now if not PGP/GPG, but an MD5 instead and the hash file exists
if [ -e "$1.md5" ]
then
    # Then calculate the MD5 hash and compare to the hash file; if the same
    if md5sum "$1" | diff -i - "$1.md5" 2> /dev/null
    # Then success
    then echo "Md5 hash match!"
    # Otherwise complain
    else echo "Md5 hash does not match!"
    # Finish
    fi
# Otherwise complain that it does not exist
else
    echo "Md5 hash file not found."
# Finish
fi
# Now if not PGP/GPG, but an sha1 instead and the hash file exists
if [ -e "$1.sha1" ]
then
    # Then calculate the sha1 hash and compare to the hash file; if the same
    if sha1sum "$1" | diff -i - "$1.sha1" 2> /dev/null
    # Then success
    then echo "Sha1 hash match!"
    # Otherwise complain
    else echo "Sha1 hash does not match!"
    # Finish
    fi
# Otherwise complain that it does not exist
else
    echo "Sha1 hash file not found."
# Finish
fi
# Now if not PGP/GPG, but an sha256 instead and the hash file exists
if [ -e "$1.sha256" ]
then
    # Then calculate the sha256 hash and compare to the hash file; if the same
    if sha256sum "$1" | diff -i - "$1.sha256" 2> /dev/null
    # Then success
    then echo "Sha256 hash match!"
    # Otherwise complain
    else echo "Sha256 hash does not match!"
    # Finish
    fi
# Otherwise complain that it does not exist
else
    echo "Sha256 hash file not found."
# Finish
fi
# Quit
exit 0
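
Both scripts in this thread fetch whichever key the signature itself names and then verify against it, which shows only that the signature matches that key, not that the key belongs to the vendor. The following is an added example, not code from the thread: it pins a fingerprint obtained out of band and decides from `gpg --status-fd` output. The function names, the placeholder fingerprint and the sample status lines are constructed for illustration; the keyring name vendors.gpg follows the thread's scripts.

```shell
#!/bin/sh
# Added example: accept a detached signature only when gpg reports a good
# signature from a key whose fingerprint was pinned in advance.

# check_status EXPECTED_FPR   (reads gpg --status-fd lines on stdin)
# Returns 0 only if there is a GOODSIG, a VALIDSIG whose primary-key
# fingerprint equals EXPECTED_FPR, and no failure status line.
check_status() {
    awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # VALIDSIG: $3 is the signing (sub)key, $12 the primary key if present
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        END { exit !(good && !bad && want != "" && fpr == want) }
    '
}

# verify_pinned FILE SIG EXPECTED_FPR [KEYRING]
# KEYRING is a dedicated keyring holding only keys imported by hand
# after checking them against the fingerprint the vendor publishes.
verify_pinned() {
    gpg --no-default-keyring --keyring "${4:-vendors.gpg}" \
        --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed status output; the fingerprint and key ID are placeholders.
FPR_OK=AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
sample_good() {
    printf '%s\n' \
      "[GNUPG:] GOODSIG 0000111122223333 Example Vendor <release@vendor.example>" \
      "[GNUPG:] VALIDSIG $FPR_OK 2003-12-06 1070702313 0 4 0 17 2 00 $FPR_OK"
}
sample_missing_key() {
    printf '%s\n' \
      "[GNUPG:] ERRSIG 0000111122223333 17 2 00 1070702313 9" \
      "[GNUPG:] NO_PUBKEY 0000111122223333"
}
```

Call it as `verify_pinned file.tar.gz file.tar.gz.sig "<vendor fingerprint>"`; a missing key, a bad signature and a good signature from any other key all produce a non-zero exit status.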
 
  

