O'Reilly's Network Security Hacks provided a terrific means of automating the verification of cryptographic signatures. A cryptographic signature lets the consumer (that's you) confirm that the software you downloaded is the software the developer intended you to download, which helps protect you from trojaned copies of that software.
Run the following commands to download and install checksig.
# cd /usr/local/bin
# wget -c http://www.antagonism.org/scripts/checksig
# chown root.root checksig
# chmod 755 checksig
Checksig takes two arguments: the first is the signature file (usually ending in .asc), the second is the file against which the signature was made. The script attempts to verify the signature and, if that fails, grabs the key ID from the error message. It then queries the keyserver specified in KEYSERVER for that key ID, storing the result in the keyring specified by VENDOR_KEYRING. Finally, it reattempts to verify the signature. The example below shows checksig in use.
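As an added example (this is not the checksig script from antagonism.org, whose source is not reproduced here), the following minimal POSIX sh re-implementation of the verify / fetch-key / re-verify loop just described shows how the pieces fit together. It assumes gpg is on PATH; the KEYSERVER and VENDOR_KEYRING defaults, the extract_key_id and verify_sig helper names, and the sample gpg output strings are assumptions or constructed for illustration (the first sample line is taken from the output shown on this page, the 40-hex fingerprint in the second sample is made up).

```shell
#!/bin/sh
# Added example: a minimal re-implementation of the verify / fetch-key /
# re-verify loop described in the post. It is NOT the checksig script from
# antagonism.org. Assumptions: gpg is on PATH, and the keyserver and
# keyring defaults below are placeholders you should set for your site.
KEYSERVER="${KEYSERVER:-hkps://keys.openpgp.org}"          # assumption
VENDOR_KEYRING="${VENDOR_KEYRING:-$HOME/.gnupg/vendor.gpg}" # assumption

# Pull the key ID or fingerprint out of gpg's diagnostics when the signing
# key is missing. Handles the old "... using DSA key ID 08C975E5" phrasing
# shown in the post and the newer "gpg: using RSA key <fingerprint>" phrasing
# printed by GnuPG 2.x. Prints nothing if neither form is present, so the
# caller can tell "missing key" apart from any other verification failure.
extract_key_id() {
  printf '%s\n' "$1" | sed -n \
    -e 's/.*key ID \([0-9A-Fa-f]\{8,40\}\).*/\1/p' \
    -e 's/.*using [A-Z0-9]* key \([0-9A-Fa-f]\{8,40\}\).*/\1/p' | head -n 1
}

# Verify against the vendor keyring only, so a key that happens to sit in
# your personal keyring does not silently satisfy the check.
verify_sig() {
  gpg --no-default-keyring --keyring "$VENDOR_KEYRING" --verify "$1" "$2"
}

# checksig SIGFILE FILE: verify; if the key is missing, fetch it into the
# vendor keyring and verify once more. Exit status is gpg's final status.
checksig() {
  sig=$1
  file=$2
  if out=$(verify_sig "$sig" "$file" 2>&1); then
    printf '%s\n' "$out"
    return 0
  fi
  keyid=$(extract_key_id "$out")
  if [ -z "$keyid" ]; then
    # The failure was not a missing key (bad signature, unreadable file, ...):
    # do not retry, just surface gpg's message.
    printf '%s\n' "$out" >&2
    return 1
  fi
  gpg --no-default-keyring --keyring "$VENDOR_KEYRING" \
      --keyserver "$KEYSERVER" --recv-keys "$keyid" || return 1
  verify_sig "$sig" "$file"
}

# Constructed sample of gpg stderr for a signature whose key is not yet in
# the keyring (first line taken from the output shown in the post).
SAMPLE_OLD_FORMAT="gpg: Signature made Tue 04 Sep 2007 04:01:23 PM EDT using DSA key ID 08C975E5
gpg: Can't check signature: public key not found"
# Constructed sample in the GnuPG 2.x phrasing; the fingerprint is made up.
SAMPLE_NEW_FORMAT="gpg: Signature made Tue 04 Sep 2007 04:01:23 PM EDT
gpg:                using RSA key 0123456789ABCDEF0123456789ABCDEF01234567
gpg: Can't check signature: No public key"

# Run as a command when given the two arguments described in the post.
if [ $# -eq 2 ]; then
  checksig "$1" "$2"
fi
```

Note what the on-demand key fetch does to the meaning of "Good signature": it now only tells you the file matches some key carrying that ID, because anyone can upload a key with any user ID to a keyserver (and 32-bit short IDs like 08C975E5 can be deliberately collided). The WARNING lines in the sample output below are gpg making exactly this point. Before trusting the result, compare the Primary key fingerprint gpg prints against the one the project publishes through a separate channel, and keep the vendor keyring under version control so unexpected key changes stand out.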
% checksig httpd-2.0.61.tar.bz2.asc httpd-2.0.61.tar.bz2
gpg: key 08C975E5: "Jim Jagielski <jim@apache.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: Signature made Tue 04 Sep 2007 04:01:23 PM EDT using DSA key ID 08C975E5
gpg: Good signature from "Jim Jagielski <jim@apache.org>"
gpg:                 aka "Jim Jagielski <jim@zend.com>"
gpg:                 aka "Jim Jagielski <jim@jimjag.com>"
gpg:                 aka "Jim Jagielski <jim@jaguNET.com>"
gpg:                 aka "Jim Jagielski <jimj@covalent.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8B39 757B 1D8A 994D F243 3ED5 8B3A 601F 08C9 75E5