Verifying a signed download

Some files have been signed by their author to prove that nobody else has tampered with them. This is particularly true of source code or applications you have downloaded off the web.

For example, the antivirus package clamav can be downloaded from Sourceforge. There will be two files for you to download: clamav-x.x.x.tar.gz and clamav-x.x.x.tar.gz.sig. The first file is the source code in a compressed format and the second is the detached signature for that first file. In order to verify the signature, you will need GnuPG or PGP installed on the computer you are going to download the file to. I have given details of how to compile GnuPG elsewhere in this blog.

In order to verify the signature, we use the command gpg --verify clamav-x.x.x.tar.gz.sig (gpg finds the data file by stripping the .sig suffix, so both files must be in the same directory):

[mylogin][~]$ gpg --verify clamav-x.x.x.tar.gz.sig
gpg: keyring `/home/mylogin/.gnupg/secring.gpg' created
gpg: keyring `/home/mylogin/.gnupg/pubring.gpg' created
gpg: Signature made Mon Mar 13 17:44:03 2006 MST using DSA key ID 985A444B
gpg: Can't check signature: public key not found

The trouble is that we do not yet have the public key of the person who signed the file. We can get it from a public keyserver such as keyserver.pgp.com or pgp.mit.edu. You will need the key ID printed in the penultimate (last but one) line above, in this case 985A444B.

We should be able to use the command gpg --keyserver pgp.mit.edu --recv-keys 0x985A444B to retrieve the key automatically, but instead we get this error:
[mylogin][~]$ gpg --keyserver pgp.mit.edu --recv-keys 0x985A444B
gpg: requesting key 985A444B from hkp server pgp.mit.edu
/usr/mylocal/libexec/gnupg/gpgkeys_hkp: error while loading shared libraries: libcurl.so.3: cannot open shared object file: No such file or directory
gpg: no handler for keyserver scheme `hkp'
gpg: keyserver receive failed: keyserver error

So we downloaded the public key from the pgp.mit.edu website instead and saved it to the file clamav.key. NOTE: in order to look up the public key on the website, you will need to add '0x' (zero x) to the front of the key ID, so 985A444B becomes 0x985A444B. The public key is a large block of text, so copy and paste it rather than trying to type it. Then import it into your keyring:
[mylogin][~]$ gpg --import clamav.key
gpg: key 985A444B: public key "Tomasz Kojm " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found

Once we have added the key to our public keyring, we can verify the signature:
[mylogin][~]$ gpg --verify clamav-0.90RC1.1.tar.gz.sig
gpg: Signature made Mon Oct 16 02:56:15 2006 MDT using DSA key ID 985A444B
gpg: Good signature from "Tomasz Kojm
gpg: aka "Tomasz Kojm
gpg: aka "Tomasz Kojm
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0DCA 5A08 407D 5288 279D B434 5482 2DC8 985A 444B

Note that we still do not trust this key: we have only proven that the downloaded file matches what the holder of key 985A444B signed, i.e. that it has not been tampered with since it was signed. Whether that key really belongs to the ClamAV author is a separate question, which is why the "Primary key fingerprint" line above is worth comparing against a copy of the fingerprint obtained from somewhere other than the keyserver that handed us the key.
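The procedure above, turned into a small script, as an added example (not code from the original post or from the ClamAV or GnuPG projects). The human-readable "Good signature" text only says the signature matches some key in our keyring; gpg's machine-readable --status-fd output also carries the signer's full fingerprint, so the script pins that fingerprint to the value shown in the post and refuses the file on any mismatch, a missing key, or a bad signature. The three status-line samples at the bottom are constructed for the example (modelled on the format in GnuPG's doc/DETAILS, with the post's fingerprint and key ID and made-up timestamps); verify_download() runs a real gpg, while parse_status() can be exercised offline on the samples.

```python
"""Verify a detached gpg signature and pin the signer's fingerprint."""
import subprocess
from dataclasses import dataclass

# Fingerprint printed by gpg in the post, with the spaces removed.
EXPECTED_FPR = "0DCA5A08407D5288279DB43454822DC8985A444B"


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""


def normalise(fpr: str) -> str:
    """Accept the spaced form gpg prints ("0DCA 5A08 ...") as well as bare hex."""
    return fpr.replace(" ", "").upper()


def parse_status(status_text: str, expected_fpr: str) -> Verdict:
    """Judge gpg's --status-fd lines: accept only VALIDSIG from the pinned key."""
    seen = {}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                       # ordinary chatter, not a status line
        fields = line.split()
        seen[fields[1]] = fields[2:]       # keyword -> its arguments
    if "NO_PUBKEY" in seen:                # the first attempt in the post
        return Verdict(False, f"public key {seen['NO_PUBKEY'][0]} is not in the keyring")
    if "BADSIG" in seen or "ERRSIG" in seen:
        return Verdict(False, "signature does not verify (BADSIG/ERRSIG)")
    if "VALIDSIG" not in seen:
        return Verdict(False, "gpg reported no valid signature")
    fpr = seen["VALIDSIG"][0].upper()      # first VALIDSIG argument: 40 hex digits
    if fpr != normalise(expected_fpr):
        return Verdict(False, "valid signature, but from a key we did not pin", fpr)
    return Verdict(True, "valid signature from the pinned key", fpr)


def verify_download(tarball: str, sigfile: str, expected_fpr: str, homedir: str) -> Verdict:
    """Run gpg on a detached signature and judge the result with parse_status().

    --status-fd 1 sends the machine-readable lines to stdout (the human text
    stays on stderr); --batch stops gpg from prompting; --homedir keeps the
    keyring used for release checking separate from the personal one.
    """
    cmd = ["gpg", "--homedir", homedir, "--batch", "--status-fd", "1",
           "--verify", sigfile, tarball]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_status(proc.stdout, expected_fpr)


# Constructed sample output (not captured from a real run).
SAMPLE_GOOD = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 54822DC8985A444B Tomasz Kojm
[GNUPG:] VALIDSIG {EXPECTED_FPR} 2006-10-16 1160988975 0 4 0 17 2 00 {EXPECTED_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Key not imported yet: gpg emits ERRSIG (rc 9) followed by NO_PUBKEY.
SAMPLE_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 54822DC8985A444B 17 2 00 1160988975 9
[GNUPG:] NO_PUBKEY 54822DC8985A444B
"""
# An impostor key (placeholder fingerprint): gpg would still print "Good
# signature", which is exactly why the fingerprint has to be pinned.
IMPOSTOR_FPR = "F" * 40
SAMPLE_WRONG_KEY = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {IMPOSTOR_FPR[-16:]} Someone Else
[GNUPG:] VALIDSIG {IMPOSTOR_FPR} 2006-10-16 1160988975 0 4 0 17 2 00 {IMPOSTOR_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("no_pubkey", SAMPLE_NO_PUBKEY),
                         ("wrong_key", SAMPLE_WRONG_KEY)]:
        v = parse_status(sample, EXPECTED_FPR)
        print(f"{name:10s} ok={v.ok}  {v.reason}")
```

On a real download, call verify_download("clamav-x.x.x.tar.gz", "clamav-x.x.x.tar.gz.sig", EXPECTED_FPR, "/path/to/release-keyring") after importing the key into that homedir; the pinned fingerprint should come from a source independent of the keyserver, otherwise the check only confirms that the keyserver gave you the same key twice.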