LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software > Linux - Kernel
User Name
Password
Linux - Kernel This forum is for all discussion relating to the Linux kernel.

Notices


Reply
  Search this Thread
Old 11-21-2011, 01:42 PM   #1
markings
Member
 
Registered: Nov 2011
Location: Penn
Distribution: OpenSuSE 13.1
Posts: 33

Rep: Reputation: 3
Hello, verifying kernel source


Hello,

I've clearly remember the simplicity of verifying kernel source and the assurances knowing the source code was secure prior to kernel.org being hacked. Unfortunately it's not the case now, I've asked in multiple channels and know one seems to know why verifying kernel sources are failing. I've followed the howto at http://www.kernel.org/signatures.html in regards to importing the key into my keyring which I've done multiple times. I've download http://www.kernel.org/pub/linux/kern...6.32.48.tar.xz and it's corresponding signature file linux-2.6.32.48.tar.sign. Ran the command below:

Code:
 gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar.xz
gpg: Signature made Tue Nov  8 19:04:21 2011 EST using RSA key ID 6092693E
gpg: Can't check signature: No public key
I try again:

Code:
basis:/etc/php5/fpm # gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E
gpg: requesting key 517D0F0E from hkp server wwwkeys.pgp.net
gpg: key 517D0F0E: "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
basis:/usr/src # gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar.xz
gpg: Signature made Tue Nov  8 19:04:21 2011 EST using RSA key ID 6092693E
gpg: Can't check signature: No public key
 
Old 11-21-2011, 01:58 PM   #2
jthill
Member
 
Registered: Mar 2010
Distribution: Arch
Posts: 211

Rep: Reputation: 67
Code:
# gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E
[...]
# gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar.xz
gpg: Signature made Tue Nov  8 19:04:21 2011 EST using RSA key ID 6069293E
 
Old 11-21-2011, 02:06 PM   #3
markings
Member
 
Registered: Nov 2011
Location: Penn
Distribution: OpenSuSE 13.1
Posts: 33

Original Poster
Rep: Reputation: 3
Hello,

As someone point out, the correct link is http://www.kernel.org/signature.html.

@jthill
Can you elaborate the meaning of what you've highlighted?
 
Old 11-21-2011, 02:41 PM   #4
jthill
Member
 
Registered: Mar 2010
Distribution: Arch
Posts: 211

Rep: Reputation: 67
I highlighted the key id you fetched and the key id used to sign. They're different. Fetch the actual signer's key, then do gpg --list-sigs to see who's swearing that really is "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>", then fetch those and start googling the key ids until you're satisfied.

I see the signatures page says "$Id: signature.html,v 1.36 2002/07/15 18:27:03 hpa Exp laredo $"; it seems to me they've forgotten to update it.

(edit: I emailed them about it already)

Last edited by jthill; 11-21-2011 at 02:43 PM. Reason: mention I emailed them already
 
1 members found this post helpful.
Old 11-21-2011, 03:42 PM   #5
markings
Member
 
Registered: Nov 2011
Location: Penn
Distribution: OpenSuSE 13.1
Posts: 33

Original Poster
Rep: Reputation: 3
Hello,

Thanks to jthill for highlighting the discrepancies in the key ids and to a tip I've received from someone else. I have successfully been able to verify the kernel source. Below are details of the steps I took to resolve the issues.

1. Fetch the kernel source and the corresponding signature key, in this example, I'm working with kernel version 2.6.32.48 from http://www.kernel.org/pub/linux/kernel/v2.6/longterm/
Code:
wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/linux-2.6.32.48.tar.xz
wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/linux-2.6.32.48.tar.sign
2. Fetch "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" Public Key from wwwkeys.pgp.net
Code:
gpg --keyserver wwwkeys.pgp.net --recv-keys 0x6092693E
3. You first need to extract the tar file "linux-2.6.32.48.tar" from the compressed archive otherwise you will encounter the problem below:

Quote:
$ gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar.xz
gpg: Signature made Sat 12 Nov 2011 07:07:53 AM CST using RSA key ID 6092693E
gpg: BAD signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
Extract file:

Code:
unxz linux-2.6.32.48.tar.xz
linux-2.6.32.48.tar
4. Then verify source
Code:
gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar
gpg: Signature made Tue Nov  8 19:04:21 2011 EST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

Last edited by markings; 11-21-2011 at 03:46 PM. Reason: Grammar and Formatting corrections
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Manual nvidia install needs kernel source, unable to select source in YOU sirius57 Linux - Hardware 2 12-04-2007 05:11 PM
LXer: Howto: build Linux kernel module against installed kernel w/o full kernel source tree LXer Syndicated Linux News 0 09-03-2006 08:21 PM
Debain kernel source or Linux kernel source? kushalkoolwal Debian 4 11-28-2005 01:56 PM
apt-get kernel-source is installing the wrong kernel source. JordanH Ubuntu 10 07-08-2005 05:42 PM
difference between "pure" kernel source, and .deb packaged kernel source microsoft/linux Debian 1 06-19-2005 10:28 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software > Linux - Kernel

All times are GMT -5. The time now is 03:44 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration