Verifying a signed download

Some files are signed by their author so that you can check that nobody else has tampered with them. This is particularly true of source code or applications you have downloaded off the web.

For example, the antivirus package clamav can be downloaded from Sourceforge. There will be two files for you to download, clamav-x.x.x.tar.gz and clamav-x.x.x.tar.gz.sig. The first file is the source code in a compressed format and the second is the detached signature for that file. In order to verify the signature, you will need GnuPG or PGP installed on the computer you are going to download the file to. I have given details of how to compile GnuPG elsewhere in this blog.

In order to verify the signature, we use the command gpg --verify clamav-x.x.x.tar.gz.sig (gpg looks for the signed file under the same name without the .sig suffix, in the same directory).

[mylogin][~]$ gpg --verify clamav-x.x.x.tar.gz.sig
gpg: keyring `/home/mylogin/.gnupg/secring.gpg' created
gpg: keyring `/home/mylogin/.gnupg/pubring.gpg' created
gpg: Signature made Mon Mar 13 17:44:03 2006 MST using DSA key ID 985A444B
gpg: Can't check signature: public key not found

The trouble is that we do not yet have the public key for the person who signed the file. We can get it from a public keyserver such as keyserver.pgp.com or pgp.mit.edu. You will need the key ID printed in the penultimate (last but one) line above, in this case 985A444B.

We should be able to use the command gpg --keyserver pgp.mit.edu --recv-keys 0x985A444B to retrieve the key automatically, but on this machine it fails with the error
[mylogin][~]$ gpg --keyserver pgp.mit.edu --recv-keys 0x985A444B
gpg: requesting key 985A444B from hkp server pgp.mit.edu
/usr/mylocal/libexec/gnupg/gpgkeys_hkp: error while loading shared libraries: libcurl.so.3: cannot open shared object file: No such file or directory
gpg: no handler for keyserver scheme `hkp'
gpg: keyserver receive failed: keyserver error

So we downloaded the public key from pgp.mit.edu by hand instead and saved it to the file clamav.key. NOTE: in order to look up the public key, you will need to add '0x' (zero x) to the front of the key ID, so 985A444B becomes 0x985A444B. The public key is a large block of text, so copy and paste it rather than trying to type it.
[mylogin][~]$ gpg --import clamav.key
gpg: key 985A444B: public key "Tomasz Kojm " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found

Once we have added the key to our public keyring, we can verify the signature:
[mylogin][~]$ gpg --verify clamav-0.90RC1.1.tar.gz.sig
gpg: Signature made Mon Oct 16 02:56:15 2006 MDT using DSA key ID 985A444B
gpg: Good signature from "Tomasz Kojm
gpg: aka "Tomasz Kojm
gpg: aka "Tomasz Kojm
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0DCA 5A08 407D 5288 279D B434 5482 2DC8 985A 444B

Note that we still do not trust this key. We have only shown that the downloaded file has not been altered since it was signed by the holder of key 985A444B; whether that key really belongs to the ClamAV author is a separate question, and that is what the WARNING lines above are telling us. Before relying on the file, compare the primary key fingerprint with one the project has published through another channel.
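The following is an added example, not code from the original post or from the GnuPG project. It parses the human-readable gpg --verify report shown above and accepts the download only when the signature is good and the signing key's fingerprint matches a value pinned in advance; the pinned fingerprint, the sample output strings and the verify_file helper are assumptions made for this example.

```python
import re
import subprocess

# Constructed sample: the output of the successful gpg --verify run above.
SAMPLE_VERIFY_OUTPUT = """\
gpg: Signature made Mon Oct 16 02:56:15 2006 MDT using DSA key ID 985A444B
gpg: Good signature from "Tomasz Kojm"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0DCA 5A08 407D 5288 279D B434 5482 2DC8 985A 444B
"""

# Constructed sample: the output of the first run, before the key was imported.
SAMPLE_MISSING_KEY_OUTPUT = """\
gpg: Signature made Mon Mar 13 17:44:03 2006 MST using DSA key ID 985A444B
gpg: Can't check signature: public key not found
"""

# Hypothetical pinned value for this example. In practice take it from the
# project's website or a signed release announcement, not from the keyserver.
PINNED_FINGERPRINT = "0DCA 5A08 407D 5288 279D B434 5482 2DC8 985A 444B"

_KEYID_RE = re.compile(r"using \w+ key ID ([0-9A-Fa-f]+)")
_FPR_RE = re.compile(r"Primary key fingerprint:\s*([0-9A-Fa-f ]+)")


def parse_verify_output(text):
    """Pull the key ID, the verdict and the fingerprint out of gpg's report."""
    key_id = _KEYID_RE.search(text)
    fpr = _FPR_RE.search(text)
    return {
        "key_id": key_id.group(1).upper() if key_id else None,
        "good_signature": "Good signature from" in text,
        "missing_key": "public key not found" in text,
        "fingerprint": fpr.group(1).replace(" ", "").upper() if fpr else None,
    }


def check_download(text, pinned_fingerprint):
    """Return (ok, reason). ok is True only for a good signature made by the
    key whose fingerprint was pinned out of band."""
    info = parse_verify_output(text)
    pinned = pinned_fingerprint.replace(" ", "").upper()
    if info["missing_key"]:
        return False, "public key %s not in keyring; fetch and import it first" % info["key_id"]
    if not info["good_signature"]:
        return False, "signature did not verify"
    if info["fingerprint"] != pinned:
        return False, "good signature, but from an unexpected key %s" % info["fingerprint"]
    return True, "good signature from pinned key %s" % info["fingerprint"]


def verify_file(sig_path, pinned_fingerprint):
    """Run gpg on a real detached signature and apply the same check
    (gpg prints its report on stderr)."""
    proc = subprocess.run(["gpg", "--verify", sig_path],
                          capture_output=True, text=True)
    return check_download(proc.stdout + proc.stderr, pinned_fingerprint)


if __name__ == "__main__":
    print(check_download(SAMPLE_VERIFY_OUTPUT, PINNED_FINGERPRINT))
    print(check_download(SAMPLE_MISSING_KEY_OUTPUT, PINNED_FINGERPRINT))
```

The point of the fingerprint comparison is that "Good signature" on its own only says the file matches whatever key was imported; a key downloaded from a keyserver under the right name proves nothing until its fingerprint has been checked against a source you trust.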

Sending and Receiving EMail

Most of the time this is a painless task. You just set up your email client and hit the Send/Receive button and away you go. But what happens when things go wrong? How do you troubleshoot the problem? Our knight in shining armour is telnet. You can use this program to perform the sequence of commands by hand, as shown below.

telnet mail.xxx.com 25

A typical conversation goes something like this (the lines you type are the ones that do not begin with a three-digit reply code):

Sending Email

telnet mail.mydomain.com 25
220 mydomain.com ESMTP Sendmail 8.11.6/8.11.6; Thu, 26 Oct 2006 11:18:07 -0600
HELO fromme.com
250 mydomain.com Hello [xxx.xxx.xxx.xxx], pleased to meet you
MAIL FROM: test@
250 2.1.0 test@ Sender ok
RCPT TO: validuser@mydomain.com
250 2.1.5 validuser@mydomain.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Date: Sun,17 Aug 1997 18:48:15 +0200
From: Me <forged@dummy.com>
To: "You@Yours.com" <You@Yours.com>
Subject: This is a test message

This is the message body
.

250 2.0.0 k9QHLHX00862 Message accepted for delivery
QUIT
221 2.0.0 mydomain.com closing connection

Connection to host lost.

If your server supports ESMTP, it is also possible to start the conversation with EHLO instead of HELO. The server then lists the extensions it supports; ESMTP allows for delivery status notifications and multiple attachment encodings.

220 mydomain.com ESMTP Sendmail 8.11.6/8.11.6; Thu, 26 Oct 2006 16:11:25 -0600
EHLO fromme.com
250-mydomain.com Hello [xxx.xxx.xxx.xxx], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH PLAIN LOGIN
250 HELP
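The following is an added example, not code from the original post. It shows how a client reads one complete SMTP reply, which matters for the EHLO response above: every line but the last carries "250-" and the final one "250 ", so a client that stops at the first line would miss most of the extensions. The sample bytes are constructed from the transcript above and the function names are this example's own.

```python
import io

# Constructed sample: the EHLO reply from the transcript above, as the bytes a
# client would read from the socket (SMTP lines end in CRLF).
SAMPLE_EHLO_REPLY = (
    b"250-mydomain.com Hello [xxx.xxx.xxx.xxx], pleased to meet you\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-8BITMIME\r\n"
    b"250-SIZE\r\n"
    b"250-DSN\r\n"
    b"250-ONEX\r\n"
    b"250-ETRN\r\n"
    b"250-XUSR\r\n"
    b"250-AUTH PLAIN LOGIN\r\n"
    b"250 HELP\r\n"
)


def read_reply(stream):
    """Read one complete SMTP reply from a binary file-like object.

    A reply is one or more lines that start with the same three-digit code.
    Continuation lines use "code-", the last line uses "code<SP>".
    Returns (code, [text of each line]) and raises ValueError on a malformed
    or truncated reply rather than silently accepting a broken conversation.
    """
    code = None
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ValueError("connection closed in the middle of a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed reply line: %r" % line)
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("reply code changed mid-reply: %r" % line)
        lines.append(line[4:])
        if line[3:4] != "-":      # a space (or nothing) ends the reply
            return code, lines


def parse_reply_bytes(data):
    """Convenience wrapper: parse a reply held in memory."""
    return read_reply(io.BytesIO(data))


def ehlo_extensions(reply_lines):
    """Map the EHLO keyword lines (everything after the greeting line) to
    their parameters, e.g. {"AUTH": ["PLAIN", "LOGIN"], "SIZE": []}."""
    exts = {}
    for line in reply_lines[1:]:
        parts = line.split()
        if parts:
            exts[parts[0].upper()] = parts[1:]
    return exts


if __name__ == "__main__":
    code, lines = parse_reply_bytes(SAMPLE_EHLO_REPLY)
    print(code, ehlo_extensions(lines))
```

The extension list is also worth reading when troubleshooting: the AUTH line above tells you which authentication mechanisms the server will accept, and its absence explains a client that cannot log in.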

Receiving EMail

A typical POP3 (receiving) conversation is

telnet mail.mydomain.com 110
+OK AVG POP3 Proxy Server <9397.1161883939@mydomain.com> 7.1.400/7.1.408 [268.13.11/494]
USER validuser
+OK Password required for validuser
PASS xxxxxxxx
+OK validuser has 10 visible messages (0 hidden) in 1275592 octets.
STAT
+OK 10 1275592
LIST
+OK 10 visible messages (1275592 octets)
1 20018
2 19726
...
9 18883
10 519
.
RETR 10
+OK 519 octets
Return-Path: <test>test@
Received: from fromme.com ([xxx.xxx.xxx.xxx])
by mydomain.com (8.11.6/8.11.6) with SMTP id k9QHLHX00862
for validuser@mydomain.com; Thu, 26 Oct 2006 11:21:48 -0600
Message-Id: <200610261721.k9QHLHX00862@mydomain.com>
X-Envelope-From: test@
X-Envelope-To: validuser@mydomain.com
X-Protocol: SMTP
Date: Sun,17 Aug 1997 18:48:15 +0200
From: Me <forged@dummy.com>
To: "You@yours.com" <You@Yours.com>
Subject: This is a test message
X-UIDL: O*5!!PS:"!7Jk"!~+="!
X-Antivirus: AVG for E-mail 7.1.408 [268.13.11/494]
Mime-Version: 1.0
Content-Type: text/plain

This is the message body


No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.408 / Virus Database: 268.13.11/494 - Release Date: 24/10/2006

.
QUIT
+OK Pop server at mydomain.com signing off.

Connection to host lost.

You can see how easy it is for spammers to send fake or phishing emails: the only genuine piece of information in these headers is my IP address in the Received: line, which I have blanked out as [xxx.xxx.xxx.xxx]. Everything I typed after DATA (Date, From, To, Subject) was made up and the server passed it on unchanged.
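The following is an added example, not code from the original post. It takes the retrieved message above and separates what the receiving server recorded (the connecting IP, the HELO name and the time of receipt in the topmost Received: header) from what the sender supplied, then lists the inconsistencies between the two. The sample message is constructed from the transcript, with the blanked-out address replaced by the documentation address 203.0.113.7; the function names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the message fetched with RETR 10 above, trimmed to the
# headers that matter here. 203.0.113.7 stands in for the blanked-out IP.
SAMPLE_MESSAGE = """\
Received: from fromme.com ([203.0.113.7])
    by mydomain.com (8.11.6/8.11.6) with SMTP id k9QHLHX00862
    for validuser@mydomain.com; Thu, 26 Oct 2006 11:21:48 -0600
Message-Id: <200610261721.k9QHLHX00862@mydomain.com>
X-Envelope-From: test@
X-Envelope-To: validuser@mydomain.com
Date: Sun,17 Aug 1997 18:48:15 +0200
From: Me <forged@dummy.com>
To: "You@yours.com" <You@Yours.com>
Subject: This is a test message

This is the message body
"""

# "from <helo> ([ip]) by <host> ... ; <date>" as written by sendmail above.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r".*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>[^;]+)$",
    re.DOTALL,
)


def origin_report(raw_message):
    """Return {"trusted": ..., "claimed": ..., "findings": [...]}.

    Received: headers are prepended by each hop, so the topmost one was
    written by our own server and is the only part not supplied by the sender.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received", [])
    hop = _RECEIVED_RE.search(received[0]) if received else None
    if hop is None:
        return {"trusted": None, "claimed": None,
                "findings": ["no parseable Received: header; origin unknown"]}

    trusted = {"ip": hop["ip"], "helo": hop["helo"], "by": hop["by"],
               "received_at": parsedate_to_datetime(hop["date"].strip())}
    _, from_addr = parseaddr(msg.get("From", ""))
    envelope = (msg.get("X-Envelope-From") or msg.get("Return-Path") or "").strip("<> ")
    claimed = {"from": from_addr, "envelope_from": envelope, "date": msg.get("Date")}

    findings = []
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain and from_domain != trusted["helo"].lower():
        findings.append("From: domain %s does not match the HELO name %s"
                        % (from_domain, trusted["helo"]))
    if not envelope.rpartition("@")[2]:
        findings.append("envelope sender %r has no domain" % envelope)
    if claimed["date"]:
        try:
            sent = parsedate_to_datetime(claimed["date"])
            skew = abs(trusted["received_at"] - sent).days
            if skew > 2:
                findings.append("Date: header is %d days away from the time the server received it" % skew)
        except (TypeError, ValueError):
            findings.append("Date: header is unparseable: %r" % claimed["date"])
    return {"trusted": trusted, "claimed": claimed, "findings": findings}


if __name__ == "__main__":
    report = origin_report(SAMPLE_MESSAGE)
    print("trusted:", report["trusted"])
    for finding in report["findings"]:
        print("finding:", finding)
```

None of the findings proves forgery on its own (plenty of legitimate mail has a From: domain that differs from the HELO name), but they are exactly the places where a hand-typed message like the one above gives itself away, and the connecting IP is the one fact you can follow up.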

Other Tests

The other thing to do is to go to http://www.dnsstuff.com and fill out the DNS Lookup for the MX records of your domain in the top right box.

Oops! Lost my Tool Options in The GIMP

I was messing about with The GIMP the other day and managed to close the tab that appears in the lower half of the window titled “The GIMP”. Aargh! And then it took me ages to find out how to fix this.

So here is what you have to do…

  1. Click on File, Dialogues, Tool Options (Shift+Ctrl+T)
  2. A new window will appear. Its appearance depends on which tool is currently selected in the toolbox (which is the official name for The GIMP window).
  3. Click on the top line (the one with the same button you used to close the dialog in the first place) and drag it over to “The GIMP” window
  4. When you start dragging, the cursor will change to a button labelled “Tool Options”
  5. Drop it on the small bar below the tools. The bar will turn dark when you can drop the dialog

That’s it.

Restarting your Apache Webserver

Courtesy of Electric Toolbox

If you have made changes to the Apache configuration file httpd.conf you need to reload the Apache service for the changes to take effect. From the command line you do this with the apachectl command. The exact location of this command varies with the Unix or Linux variant you are using (eg Fedora, OSX, FreeBSD, Slackware, Mandrake, SUSE) and the compile time settings, but typically it is accessible at /usr/sbin/apachectl. An example of restarting Apache gracefully is shown below:

/usr/sbin/apachectl graceful

Note that you will either need to be running as root or use the "sudo" command in order to run this command.

If Apache is not already running it will be started. If it is already running then it will reload with the new changes but will not abort active connections, meaning that anyone who is in the middle of downloading something will continue to be able to download it.

Before restarting the Apache service a check will be done on the configuration files to ensure they are valid. If there is an error in them the error will be displayed and the Apache service will continue running using the old settings. You need to correct your settings before attempting to restart again.

You can also just check the settings without restarting Apache like so:

/usr/sbin/apachectl configtest

This will check the httpd.conf file and report whether the syntax of the file is valid or not. A list of errors will be displayed including the line numbers if there are any. This makes it easy to isolate any problems.

The following are all the available options that can be passed to the apachectl command. This text is from the apachectl man page.

apachectl start: Start the Apache daemon. Gives an error if it is already running.

apachectl stop: Stops the Apache daemon.

apachectl restart: Restarts the Apache daemon by sending it a SIGHUP. If the daemon is not running, it is started. This command automatically checks the configuration files via configtest before initiating the restart to make sure Apache doesn’t die.

apachectl fullstatus: Displays a full status report from mod_status. For this to work, you need to have mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.

apachectl status: Displays a brief status report. Similar to the fullstatus option, except that the list of requests currently being served is omitted.

apachectl graceful: Gracefully restarts the Apache daemon by sending it a SIGUSR1. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted. A side effect is that old log files will not be closed immediately. This means that if used in a log rotation script, a substantial delay may be necessary to ensure that the old log files are closed before processing them. This command automatically checks the configuration files via configtest before initiating the restart to make sure Apache doesn’t die.

apachectl configtest: Run a configuration file syntax test. It parses the configuration files and either reports Syntax Ok or detailed information about the particular syntax error.

apachectl help: Displays a short help message.

FTP Connection Refused

I just tried to transfer a plugin to my server using FTP, but kept getting Connection Refused whenever I logged in. My hosting provider’s solution was to reboot my VPS – a little problematic as I was in the middle of editing httpd.conf, so now my HTTP access is hosed :-( The FTP server started working though :-)

Here's what you should do to test your FTP server:

  1. Open a command prompt
  2. Start a telnet session by typing telnet mydomain ftp, then type the commands shown below (the lines that do not begin with a three-digit reply code)
  3. connecting to mydomain…
    220 mydomain FTP server (Version wu-2.6.2(1) Mon Aug 16 17:10:57 IDT 2004)
    ready.
    150 Opening BINARY mode data connection for file list.
    226 Transfer complete.
    USER anonymous
    331 Guest login ok, send your complete e-mail address as password.
    PASS mozilla@
    230 Guest login ok, access restrictions apply.
    SYST
    215 UNIX Type: L8
    TYPE I
    200 Type set to I.
    PASV
    227 Entering Passive Mode (192,168,0,10,239,190)
    NLST

    Do not worry if you get the reply 550 *: No such file or directory

  4. Start another command prompt
  5. Start another telnet session, but this time use the data returned in reply to the PASV command above. The first four numbers are the IP address and the last two are the high and low bytes of the port, so in our example the FTP server at IP address 192.168.0.10 is listening on port ((239 * 256) + 190), or 61374, and we would type telnet mydomain 61374
  6. If you received error 550, then type LIST in the first telnet session and you will see a list of files appear in the second telnet window and a couple of messages in the first window

    150 Opening BINARY mode data connection for /bin/ls.
    226 Transfer complete.

    If you did not receive error 550, then you will see a list of the directories appear in the second telnet window, followed by Connection to host lost and
    the two messages below in the first telnet window. There will be a pause between the first and second message while the data is transmitted.

    150 Opening BINARY mode data connection for file list.
    226 Transfer complete.

  7. Type QUIT in the first telnet window to close the FTP session. You may need to type QUIT again to terminate the telnet session.

If you like, you can edit /etc/ftpaccess and remove the '#' from the two lines

#log commands real
#log transfers anonymous,real inbound,outbound

to enable logging for your FTP server. Beware as these log files can suck up disk space! Look here for full details, or do a Google on "log commands real" wu-ftp