How to verify signature using .sig file.

Hi folks.

Downloading something from the internet CAN be risky… It can be very risky. I am sure You have heard about bad guys hacking into the server of some project and replacing their original download content with something dodgy. Dodgy as in containing backdoor or something just as nasty…

There is a way to minimize the risk of getting exploited by the evil dudes… Many of the projects online that are aware of this security risk are signing their downloads. I am sure You have seen it. You are going to a ftp or http server and You find the file that You are looking for and another file next to it with the exactly same name but with the .sig extension. This .sig file is the signature. You need to verify it in order to make sure that the content that You have downloaded is what the project members wanted You to download and not some fake / infected crap.

How do we go about it?

It’s really simple.

Today I have downloaded Arch Linux iso that I will be testing so I will use it as a example.

First I went to the Arch Linux Downloads site and chose the mirror closest to me. Then I have copied the download links for the iso and sig files and wrote a short “script”.

wget -c http://ftp.heanet.ie/mirrors/ftp.archlinux.org/iso/2012.10.06/archlinux-2012.10.06-dual.iso && wget -c http://ftp.heanet.ie/mirrors/ftp.archlinux.org/iso/2012.10.06/archlinux-2012.10.06-dual.iso.sig

Next I wanted to verify the iso file using the .sig file so I ran:

gpg --verify ./archlinux-2012.10.06-dual.iso.sig

but I got an error:

gpg: Signature made Sat 06 Oct 2012 03:28:53 PM IST using RSA key ID 9741E8AC
gpg: Can’t check signature: public key not found

So I started searching for the info and after a lot of research I finally combined something that works…

First You need to download the public key that corresponds with the RSA key ID:

gpg --no-default-keyring --keyring vendors.gpg --keyserver pgp.mit.edu --recv-key RSA_key_ID

You need to replace the RSA_key_ID with the actual RSA key ID. You got it when the verification failed remember?

So in my case the command will look like this:

gpg --no-default-keyring --keyring vendors.gpg --keyserver pgp.mit.edu --recv-key 9741E8AC

And the output of the command looked like this:

gpg: requesting key 9741E8AC from hkp server pgp.mit.edu
gpg: /home/andrzejl/.gnupg/trustdb.gpg: trustdb created
gpg: key 9741E8AC: public key “Pierre Schmitz ” imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

Now that You have this Pierre’s public key in Your vendors.gpg file we can try verifying the iso file again.

This time command looks slightly different:

gpg --verify --verbose --keyring vendors.gpg ./archlinux-2012.10.06-dual.iso.sig

gpg: assuming signed data in `./archlinux-2012.10.06-dual.iso’
gpg: Signature made Sat 06 Oct 2012 03:28:53 PM IST using RSA key ID 9741E8AC
gpg: using PGP trust model
gpg: Good signature from “Pierre Schmitz “
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
gpg: binary signature, digest algorithm SHA1

In this case the verification gave me a mixed signals… Good signature… Not certified with a trusted signature… I wasn’t sure – so just in case I popped into the #archlinux IRC channel and asked…

23:34 AndrzejL: md5sum
23:36 [andrzejl@wishmacer Arch]$ md5sum ./*
23:36 aefd90da1ee49c745101179f50afa783 ./archlinux-2012.10.06-dual.iso
23:36 b4fcd64607a532afe1880f609bbfd141 ./archlinux-2012.10.06-dual.iso.sig
23:38 AndrzejL: i just need the content of the .sig file to match
23:38 AndrzejL: seems to be matched to the md5sum.txt
23:40 ceezer: so i should be ok using those isos?
23:40 AndrzejL: yes.
23:40 AndrzejL: you should be

and the helpful crowd sorted me out.

I think that the HOWTO explains well enough how to verify the downloaded files (iso, gz, zip etc.) if sig file is provided and hope You will find it useful.

Regards.

Andy