Checking Software Package Digital Signatures

One very effective use for digital signatures is to verify that a software package has not been tampered with. It is possible that a software package could be intercepted in transmission and some of its system-level files changed or substituted. Software packages from your distribution, as well as those by reputable GNU and Linux projects, are digitally signed. The signature provides modification digest information with which to check the integrity of the package. The digital signature may be included with the package file or posted as a separate file. You use the gpg command with the --verify option to check the digital signature for a file.

Importing Public Keys

First, however, you will need to make sure that you have the signer's public key. The digital signature was encrypted with the software distributor's private key. That distributor is the signer. Once you have that signer's public key, you can check any data you receive from them. In the case of a software distributor, once you have their public key, you can check any software they distribute. To obtain the public key, you can check a key server or, more likely, check their Web site. As noted previously, you can download the Red Hat public key from the Red Hat Web site security resources page or use the version installed in the RPM documentation directory. Once you have obtained the public key, you can add to your keyring with the -import option, specifying the name you gave to the downloaded key file (in this case, myredhat.asc):

# gpg --import redhat.asc gpg: key CBA29BF9: public key imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)

To download from a keyserver instead, you use the --keyserver option and the keyserver name.

To import the Red Hat public key from the RPM directory, you would specify the RPM- GPG-KEY file. This is the key provided by the Red Hat distribution on your CD-ROMs. Though used during installation, the key has to be imported to verify packages again after they have been installed.

rpm --import /usr/share/doc/rpm-4.1/RPM-GPG-KEY

Validating Public Keys

You can use the --fingerprint option to check a key's validity if you wish. If you are confident that the key is valid, you can then sign it with the --sign-key command. In the following example, the user signs the Red Hat key, using the string "Red Hat" in the key's name to reference it. The user is also asked to enter his passphrase to allow use of his private key to sign the Red Hat public key.

# gpg --sign-key "Red Hat" pub  1024R/CBA29BF9  created: 1996-02-20 expires: never  trust: -/q (1). Red Hat Software, Inc. <redhat@redhat.com> pub  1024R/CBA29BF9  created: 1996-02-20 expires: never  trust: -/q  Fingerprint: 6D 9C BA DF D9 60 52 06  23 46 75 4E 73 4C FB 50  Red Hat Software, Inc. <redhat@redhat.com>     Are you really sure that you want to sign this key with your key: "Richard Petersen (author) <richlp@turtle.mytrek.com>" Really sign? yes You need a passphrase to unlock the secret key for user: "Richard Petersen (author) <richlp@turtle.mytrek.com>" 1024-bit DSA key, ID 73F0A73C, created 2001-09-26 Enter passphrase: # 

Checking RPM Packages

Once you have the public key, you can check any RPM software packages for Red Hat with the rpm command and -K option. The following example checks the validity of the xcdroast and balsa software packages:

# rpm -K xcdroast-0.98alpha9-1.i386.rpm xcdroast-0.98alpha9-1.i386.rpm: md5 OK # rpm -K balsa-1.1.7-1.i386.rpm balsa-1.1.7-1.i386.rpm: md5 OK

Many software packages in the form of compressed archives, .tar.gz or tar.bz2, will provide signatures in separate files that end with either the .asc or .sig extension. To check these, you use the gpg command with the --verify option. For example, the most recent sendmail package is distributed in the form of a compressed archive, .tar.gz. Its digital signature is provided in a separate .sig file. First you would download and install the public key for sendmail software obtained from the Sendmail Web site.

# gpg --import sendmail.asc

You should then sign the Sendmail public key that you just imported. In this example, the e-mail address was used for the key name.

gpg --sign-key sendmail@Sendmail.ORG

You could also check the fingerprint of the key for added verification.

You would then download both the compressed archive and the digital signature files. Decompress the .gz file to the .tar file with gunzip. Then, with the gpg command and the --verify option, use the digital signature in the .sig file to check the authenticity and integrity of the software compressed archive.

# gpg --verify sendmail.8.12.0.tar.sig sendmail.8.12.0.tar gpg: Signature made Fri 07 Sep 2001 07:21:30 PM PDT using RSA key ID CC374F2D gpg: Good signature from "Sendmail Signing Key/2001 <sendmail@Sendmail.ORG>"

You could also just specify the signature file and gpg will automatically search for and select a file of the same name, but without the .sig or .asc extension.

# gpg --verify sendmail.8.12.0.tar.sig

In the future, when you download any software from the Sendmail site that uses this key, you just have to perform the --verify operation. Bear in mind, though, that different software packages from the same site may use different keys. You would have to make sure that you have imported and signed the appropriate key for the software you are checking.