How to verify downloaded kernel integrity (with *.sign files?)
Lets say I go to kernel.org and download the latest kernel and the .sign file that accompanies the release:
Code:
$ ls -l |
Import the kernel.org public key
gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E Verify the sig: gpg --verify linux-2.6.12.3.tar.gz.sign linux-2.6.12.3.tar.gz |
I didn't have any luck downloading the public key:
Code:
$ gpg --keyserver .... |
*shrugs* Works for me:
demian@luna:~ $ gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E gpg: key 517D0F0E: public key "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>" imported gpg: Total number processed: 1 gpg: imported: 1 demian@luna:~ $ Alternative: Go here http://wwwkeys.pgp.net:11371/pks/loo...rch=0x517D0F0E Copy and paste the key into a file, say, kernel.key. Then import it using gpg --import kernel.key |
OK thanks, I tried again and still got the same error so I went to the website and copied/pasted the public key, and imported it using gpg. I know I have to 'gpg --verify ... ' now, but I can't figure out the command to use the stored key as the argument (instead of a filename...).
Thanks for your help Code:
$ gpg --list-keys |
Quote:
|
Well Hi,
i've a related question that already goes down this thread.... how about verifying the public key itself and making sure that whatever has been imported does indeed originate from the linux kernel archive and is not some forged man-in-the-middle key ? i know , i sound paranoid , but i'm curious to know , btw i've read about this in theory (CA and web of trust) but don't know how to make practical use of such things ..etc cheers |
It surely is not easy to be sured, but one way is to contact somebody of the kernel development team and ask him/her to tell you the fingerprint of the public key, either by phone or a real mail by post services, or by some other secure way.
You can also verify the key by the fingerprint with someone who has done the verification already. But you have also to be sure that the person is really the one you think s/he is! |
All times are GMT -5. The time now is 05:13 PM. |