Tuesday, February 9, 2010

PGP key verification


Purpose


Notes on how to check a PGP signature.


Platform


Ubuntu 8.x

Note: GnuPG (gpg) is the open-source implementation of the OpenPGP standard. Once you have installed either pgp or gpg, the commands below are the same, so pgp and gpg are used interchangeably here.

install pgp

command: sudo apt-get install pgp

download your software and key

command: wget www.somehost.com/blah.tar.gz
command: wget www.somehost.com/blah.tar.gz.asc

first pass at verifying

This will probably fail, because you don't have the signer's public key yet.

command: pgp blah.tar.gz.asc

This will print a message saying that you don't have the public key for some key id, for example:
No signature found for AC487ADC


get the signer's key from a keyserver

command: gpg --keyserver pgpkeys.mit.edu --recv-key AC487ADC


second pass at verifying

command: pgp blah.tar.gz.asc

This should show that the file blah.tar.gz was signed by the author.

It may also print warnings that this key is not trusted, because nobody in your web of trust has certified the author's key yet.
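The two-pass procedure above, automated in Python as an added example (not code from the original post): it runs gpg with --status-fd so the missing key id can be read from the NO_PUBKEY status line instead of the human-readable message, fetches that key, and then re-verifies. The status lines, key id and signer name below are constructed samples, and the helper names are my own.

```python
import subprocess

# Constructed samples of gpg's machine-readable --status-fd output. The first
# mirrors the page's first pass (signer's key not imported yet); the second is
# the pass after the key has been fetched. Key id and name are made up.
FIRST_PASS = """[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY 89ABCDEFAC487ADC
"""
SECOND_PASS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEFAC487ADC Example Author <author@example.com>
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def parse_status(text):
    """Reduce gpg status lines to: missing key id, good signature, signer, trust."""
    result = {"missing_key": None, "good": False, "signer": None, "trust": None}
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary output, not a status line
        parts = line.split(" ", 3)
        keyword = parts[1]
        if keyword == "NO_PUBKEY":
            result["missing_key"] = parts[2]  # long key id to fetch
        elif keyword == "GOODSIG":
            result["good"] = True
            result["signer"] = parts[3] if len(parts) > 3 else None
        elif keyword in ("BADSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG"):
            result["good"] = False
        elif keyword.startswith("TRUST_"):
            # TRUST_UNDEFINED is the "nobody trusts this key" case from the
            # page: the signature matches the key, but nothing yet vouches
            # that the key really belongs to the author.
            result["trust"] = keyword[len("TRUST_"):]
    return result


def run_gpg(args):
    """Run gpg with status lines sent to stdout; returns the raw status text."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1"] + args,
                          capture_output=True, text=True)
    return proc.stdout


def verify_with_key_fetch(sig_path, data_path, keyserver="pgpkeys.mit.edu"):
    """First pass; on NO_PUBKEY fetch the key from the keyserver; second pass."""
    status = parse_status(run_gpg(["--verify", sig_path, data_path]))
    if status["missing_key"]:
        run_gpg(["--keyserver", keyserver, "--recv-keys", status["missing_key"]])
        status = parse_status(run_gpg(["--verify", sig_path, data_path]))
    return status
```

A result with good set but trust still UNDEFINED is exactly the second-pass outcome described above: treat it as "the signature matches this key", and confirm the key's fingerprint through a separate channel before relying on it.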
