Welcome to Part 3 of GPG/PGP Key series.

What we will learn: In this part we will learn how to verify the encrypted signature file that is commonly found on web servers which offers download services.

Example: Suppose you decide to download the Debian’s NetInstaller CD from Debian HTTP servers. Now you will notice that there are two files on the HTTP server with names:

  • MD5SUMS.sign

If you are wondering how to use those two files then this tutorial is right for you.

Step 1: Download the ISO image

You can download any ISO image that you like from the HTTP server but for this tutorial purpose we will use the NetInstaller CD image as an example. So go ahead and first down the ISO image. Suppose you downloaded the ISO image in your home directory – “/home/kushalk”

Step 2: Verify the MD5SUM

We already covered this step in one of my previous posts. I highly encourage you to read it before you read this article any further.

Now first we will verify if the ISO image that we have downloaded has not been tampered since it was uploaded originally. Many crackers will hack the web servers some times and will modify the files/images. So we need to make sure that what we have downloaded is indeed what we wanted to. Here we will make use of the file MD5SUMS. Go ahead and download the MD5SUMS file also to your ” /home/kushalk” directory. Basically at this point of time you should have your ISO image (from Step 1) and the MD5SUM (from this step) both in your home directory.

Once you have both of them give the following command:

# md5sum -c MD5SUMS

and in the output somewhere you should see the following line (in green):

debian-500-i386-CD-9.iso: FAILED open or read
md5sum: debian-500-i386-businesscard.iso: No such file or directory
debian-500-i386-businesscard.iso: FAILED open or read
md5sum: debian-500-i386-kde-CD-1.iso: No such file or directory
debian-500-i386-kde-CD-1.iso: FAILED open or read
debian-500-i386-netinst.iso: OK
md5sum: debian-500-i386-xfce+lxde-CD-1.iso

We get lots of FAILED and No such file or directory message because just downloaded one ISO image and the MD5SUMS file contain checksums for all the ISO images on the Debian’s server.

Step 3: Verify the encrypted signature

Now there is one more additional step to verify if the ISO image that we downloaded is really authentic. And we do this by verify the MD5SUMs.sign. Basically in this step we will confirm that the person who generated the MD5SUMS file is indeed the person who he/she cliams to be.

Imagine this – What if some malicious person hacks the server, generates the ISO files (with bogus content) and also generates the corresponding MD5SUMS file and put it up there. Now you go to web server and download the ISO and MD5SUMS file and verify the checksum just as in Step 2. Sure it will verify the checksum but that is not what we were suppose to download. And that’s why it is very essential to confirm that the MD5SUMS file is really uploaded by the person who is suppose to.

First we will get the Key-ID of the person who really uploaded it:

# gpg --verify MD5SUMS.sign

and you should see something like this:

gpg: Signature made Sat 14 Feb 2009 11:51:23 PM PST using DSA key ID 88C7C1F7
gpg: Can’t check signature: public key not found

# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 88C7C1F7

gpg: requesting key 88C7C1F7 from hkp server subkeys.pgp.net
gpg: key 88C7C1F7: public key “Steve McIntyre <steve@einval.com>” imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1

As you can see we have successfully imported the key in our keyring. You can verify this by giving following command:

# gpg --list-keys

pub   1024D/88C7C1F7 1999-01-30
uid                  Steve McIntyre <steve@einval.com>
uid                  Steve McIntyre <93sam@debian.org>
uid                  Steve McIntyre <stevem@chiark.greenend.org.uk>
sub   1024g/9315EA5D 1999-01-30

Finally now you can verify whether the MD5SUMS file was actually generated by Steve or not.

#  gpg --verify MD5SUMS.sign

gpg: Signature made Sat 14 Feb 2009 11:51:23 PM PST using DSA key ID 88C7C1F7
gpg: Good signature from “Steve McIntyre <steve@einval.com>”
gpg:                 aka “Steve McIntyre <93sam@debian.org>”
gpg:                 aka “Steve McIntyre <stevem@chiark.greenend.org.uk>”
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AC65 6D79 E362 32CF 77BB  B0E8 7C3B 7970 88C7 C1F7

Additional Notes:

In reality the way you find out person’s Key-ID is by knowing in advance (for example a key signing party) or the person sends you his public key in an E-mail or a CD/Floppy. In this example, we are assuming that Debian servers are not breached and the ISO images are uploaded by Steve.

That’s it! Congratulations! You have successfully verified your ISO and MD5SUMS file image.

Part 4: Signing/Encrypting a file using GPG/PGP key

Be Sociable, Share!