How to verify downloaded kernel integrity (with *.sign files?)

lowpro2k3 · 07-25-2005, 03:32 AM

Lets say I go to kernel.org and download the latest kernel and the .sign file that accompanies the release:

Code:

$ ls -l
-rw-------   1 root root   46713120   linux-2.6.12.3.tar.gz
-rw-------   1 root root        248   linux-2.6.12.3.tar.gz.sign

How do I verify the checksum to ensure that the downloaded kernel matches the *.sign file? I have 'gpg' and the md5 tools installed on my system.

demian · 07-25-2005, 08:49 AM

Import the kernel.org public key

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E

Verify the sig:

gpg --verify linux-2.6.12.3.tar.gz.sign linux-2.6.12.3.tar.gz

lowpro2k3 · 07-25-2005, 02:06 PM

I didn't have any luck downloading the public key:

Code:

$ gpg --keyserver ....
gpg: Can't get keys from keyserver: Success
gpg: Total number processed: 0

demian · 07-25-2005, 02:34 PM

*shrugs* Works for me:

demian@luna:~ $ gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E
gpg: key 517D0F0E: public key "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
demian@luna:~ $

Alternative: Go here
http://wwwkeys.pgp.net:11371/pks/loo...rch=0x517D0F0E

Copy and paste the key into a file, say, kernel.key. Then import it using

gpg --import kernel.key

lowpro2k3 · 07-25-2005, 06:31 PM

OK thanks, I tried again and still got the same error so I went to the website and copied/pasted the public key, and imported it using gpg. I know I have to 'gpg --verify ... ' now, but I can't figure out the command to use the stored key as the argument (instead of a filename...).

Thanks for your help

Code:

$ gpg --list-keys
/root/.gnupg/pubring.gpg
--------------------------------
pub   1024D/517D0F0E  2000-10-10  Linux Kernel Archives Verification Key <ftpadmin@kernel.org>
sub   4086G/E50A8F2A  2000-10-10

demian · 07-26-2005, 09:25 AM

Quote:

Originally posted by lowpro2k3
I know I have to 'gpg --verify ... ' now, but I can't figure out the command to use the stored key as the argument (instead of a filename...).

You use the command from my first post. The argument is the signature and the file to verify, not the public key.

entz · 06-27-2011, 07:23 PM

Well Hi,

i've a related question that already goes down this thread....

how about verifying the public key itself and making sure that whatever has been imported does indeed originate from the linux kernel archive and is not some forged man-in-the-middle key ?

i know , i sound paranoid , but i'm curious to know , btw i've read about this in theory (CA and web of trust) but don't know how to make practical use of such things ..etc

cheers

berbae · 06-28-2011, 01:49 PM

It surely is not easy to be sured, but one way is to contact somebody of the kernel development team and ask him/her to tell you the fingerprint of the public key, either by phone or a real mail by post services, or by some other secure way.
You can also verify the key by the fingerprint with someone who has done the verification already.

But you have also to be sure that the person is really the one you think s/he is!