Technical Documents and Other Useful Information - md5sum, gpg, rpm --checksig
Last Update 03/07/06


Using MD5SUM, GNUPG, and “rpm --checksig”

Ways to test Authenticity and Integrity of a File or Program


Table of Contents
1. Introduction.
2. How md5sum (Message Digest) works.
2.1. Using md5sum to verify a file.
3. How gnupg (GNU Privacy Guard) works.
3.1. Using gnupg to verify a file or program.
3.2. Importing a public key.
3.3. Verifying a file.
3.4. Verifying a program.
4. What is this gpgv tool I've heard about?
5. How does “rpm --checksig” fit into the picture?
6. Using software install tools like mcc (Mandrake Linux) or up2date (Red Hat Linux)
7. Other Resources

1. Introduction
Have you wondered what all this talk of computer security and encryption is all about? Worried about downloading a program that may damage your computer system? Are you tired of failed installation attempts due to corrupt files?

Using the md5sum and gnupg tools can help you confirm that the files you download are undamaged and genuine. The --checksig option of the rpm [www.rpm.org] command (rpm --checksig <filename>) combines the functionality of md5sum and gnupg.

I am currently looking for more resources on how the graphical software tools from Red Hat Linux and Mandrake Linux work to verify gpg signatures. Please send resources my way if you find them.

2. How md5sum (Message Digest) works
Most Linux distributions publish an md5sum value for the files they produce or package. The md5sum value is computed from the file's contents, so it is specific to that particular file. If the file or program is modified in any way, it will produce a different md5sum value than the one published by the author.

2.1 Using md5sum to verify a file
To verify a file, first work out where you are getting the file from. Usually the web page that you download the software from will publish the md5sum value on it. If you are downloading the software from an FTP server, the md5sum value will be in a file located in the same directory, usually aptly named MD5SUM.

Now you have your file and the md5sum number. An md5sum number might look something like this: 19971d632f73eb79694093fef7eaeffb.

At the command line type in “md5sum <filename>” like this:

[root@sygny tmp]# md5sum gaim-0.74-1mdk.i586.rpm <enter>
19971d632f73eb79694093fef7eaeffb gaim-0.74-1mdk.i586.rpm

Check to make sure that both md5sum values are the same. If they are, you have downloaded the file successfully without corruption.
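As an added example (not part of the original page), the check above scripted for a whole download directory: a constructed MD5SUM file in the two-column format mirrors publish, checked with md5sum -c, plus a single-file comparison against a hash copied from a download page. All file names and contents are constructed for the demo. Keep in mind what a matching hash proves: the file arrived intact. If the hash came from the same server as the file, anyone able to replace the file could replace the hash as well, which is why the signatures in section 3 exist.

```shell
#!/bin/sh
# Added example, not from the original page: the md5sum check of section 2.1
# done the way the MD5SUM files on FTP mirrors are meant to be used, via
# "md5sum -c", with one good and one corrupted download. All files are
# constructed here in a temporary directory.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Stand-ins for two downloaded packages (constructed contents).
printf 'contents of package one\n' > pkg-one-1.0.tar.gz
printf 'contents of package two\n' > pkg-two-2.0.tar.gz

# What the mirror would publish: one "<hash>  <filename>" line per file.
md5sum pkg-one-1.0.tar.gz pkg-two-2.0.tar.gz > MD5SUM

# Compare a single download against the hash printed on a download page.
# Prints "match"/"MISMATCH" and returns 0 only when the two hashes are equal.
check_published_md5() {  # $1 = file, $2 = hash copied from the download page
    actual=$(md5sum "$1" | awk '{print $1}')
    if [ "$actual" = "$2" ]; then
        echo "match: $1"
        return 0
    fi
    echo "MISMATCH: $1 (expected $2, got $actual)"
    return 1
}

# Check every file listed in an MD5SUM file at once; md5sum -c prints one
# "OK" or "FAILED" per line and exits non-zero if any line failed.
check_md5sum_file() {  # $1 = MD5SUM file
    md5sum -c "$1"
}

# Single-file check, using the hash the MD5SUM file lists for pkg-one.
published=$(awk '/pkg-one/ {print $1}' MD5SUM)
check_published_md5 pkg-one-1.0.tar.gz "$published"

# Whole-directory check while everything is still intact.
check_md5sum_file MD5SUM

# Simulate a truncated transfer of the second package, then re-check.
printf 'contents of package' > pkg-two-2.0.tar.gz
if ! check_md5sum_file MD5SUM; then
    echo "at least one download is corrupt; fetch it again before installing"
fi
```

The second check_md5sum_file call fails because pkg-two was truncated; md5sum -c reports FAILED for that line and exits non-zero, which is the status a download script should act on rather than the printed text.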

3. How gnupg (GNU Privacy Guard) works
GNUpg works along the same lines as the md5sum tool. A file or program is digitally signed using a private key. A public key is made available to verify the file. If a program itself is signed, a separate signature file is created and is required in the verification process.

Using gnupg can be easier in at least two ways. First, the same private key can be used to digitally sign multiple files or programs; in fact a whole body of software can be digitally signed with one private key. Once you have the public key for that company, you can use that one public key (along with a signature file if necessary) to verify all of the digitally signed files. Second, you can import and save the public key from the software source for future use.

3.1 Using gnupg to verify a file or program
File and program verification with gnupg is very easy. You will need three things: the digitally signed file or program that you have downloaded, the signature file for that file or program, and the gnupg public key for the file or program. The signature file will usually be named “programname.sig” or “programname.asc”.

The signature file is only necessary when you are trying to verify the signature of a program. When individual files are signed the signature portion is part of the actual file itself.

The public key can be in the form of a text file or it might be published on the web site you are visiting. A typical public key can look something like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
[base64 key material omitted from this copy of the page]
=yGlX
-----END PGP PUBLIC KEY BLOCK-----

If this information is not already packaged in a small text file with a .sig or .asc extension, copy the public gnupg key into a plain text file. Then you can import this public key into your list of public keys.

3.2 Importing a public key
To import a public key into your gnupg “keyring” please follow these steps:

[root@sygny tmp]# gpg --import <filename.asc> <enter>

The above command adds the public key contained in filename.asc to your gnupg keyring for future reference. The default keyring location varies by Linux distribution. Usually the keyring file is located in a hidden directory in the user's home directory.

In the instance above, the keyring file is created in the /root/.gnupg/pubring.gpg file.

3.3 Verifying a file
Once the key has been imported into your keyring you can then verify the existing file with this command:

[root@sygny tmp]# gpg --verify <filetoverify.doc> <enter>

This will verify the signature embedded in the file using the public key that you have previously imported.

The command will return a message stating that the verification had succeeded or failed.

3.4 Verifying a program
Programs usually cannot have the signature added to the program file itself, so the signature is created as a separate file. The same public key is used. Typically the signature file and the actual file will be in the same directory. When verifying a program with the gpg command, you need to add the name of the signature file to the command. For example:

[root@sygny tmp]# gpg --verify <signaturefile.sig> <filetoverify.zip> <enter>

Notice that in the above command <signaturefile.sig> has been added, and that it comes before the file it covers.

This command will return a message stating whether or not the file is verified.
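The whole workflow of sections 3.2 to 3.4 as an added example, not from the original page: a throwaway key is created in a temporary directory, a detached .asc signature is made over a constructed file, the public key is imported into a separate verifier keyring, and gpg --verify is run twice, once on the untouched file and once after a single byte of it has been changed. The identity “Demo Signer <signer@example.invalid>” and all file names are assumptions for the demo; gpg 2.1 or newer is assumed, because the key is created with --quick-generate-key.

```shell
#!/bin/sh
# Added example, not from the original page: the detached-signature workflow of
# sections 3.2 to 3.4 run end to end with a throwaway key. Everything lives in
# a temporary directory; the signer and the verifier get separate GNUPGHOME
# keyrings, so the verifier trusts only the key it explicitly imported.
# Assumes gpg 2.1 or newer (for --quick-generate-key).
set -eu
command -v gpg >/dev/null 2>&1 || { echo "this example needs gpg 2.1 or newer"; exit 0; }

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer-gnupg"
VERIFIER_HOME="$WORK/verifier-gnupg"
mkdir -m 700 "$SIGNER_HOME" "$VERIFIER_HOME"
# Constructed identity for the demo key (not a real signer).
SIGNER_UID='Demo Signer <signer@example.invalid>'

# Signer side: create an unprotected demo key and export its public half
# as the kind of .asc file a vendor publishes.
make_signer_key() {
    gpg --homedir "$SIGNER_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$SIGNER_UID" default default never
    gpg --homedir "$SIGNER_HOME" --batch --quiet --armor \
        --export signer@example.invalid > "$WORK/signer.asc"
}

# Signer side: produce "<file>.asc", a detached, armored signature over <file>.
sign_detached() {  # $1 = file to sign
    gpg --homedir "$SIGNER_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user signer@example.invalid --armor --detach-sign --output "$1.asc" "$1"
}

# Verifier side, section 3.2: import the published public key into our keyring.
import_pubkey() {  # $1 = key file
    gpg --homedir "$VERIFIER_HOME" --batch --quiet --import "$1"
}

# Verifier side, section 3.4: "gpg --verify <signature> <file>". Exit status 0
# means the signature is good and was made by a key in our keyring; anything
# else (bad signature, unknown key, damaged file) is a failure.
verify_detached() {  # $1 = signature file, $2 = file it covers
    gpg --homedir "$VERIFIER_HOME" --batch --quiet --verify "$1" "$2" 2>/dev/null
}

# A constructed stand-in for a downloaded program.
printf 'pretend this is a downloaded program\n' > "$WORK/program.zip"
make_signer_key
sign_detached "$WORK/program.zip"
import_pubkey "$WORK/signer.asc"

if verify_detached "$WORK/program.zip.asc" "$WORK/program.zip"; then
    echo "untouched download: signature verified"
fi

# Change one byte of the download: the same signature must now be rejected.
printf 'X' | dd of="$WORK/program.zip" bs=1 seek=0 conv=notrunc 2>/dev/null
if ! verify_detached "$WORK/program.zip.asc" "$WORK/program.zip"; then
    echo "modified download: BAD signature, do not install"
fi

# Stop the agents gpg started for the temporary keyrings.
gpgconf --homedir "$SIGNER_HOME" --kill gpg-agent 2>/dev/null || true
gpgconf --homedir "$VERIFIER_HOME" --kill gpg-agent 2>/dev/null || true
```

The verdict to act on is gpg's exit status, not the wording of its message; a script should treat anything other than 0 as “do not install”. A good signature only tells you the file was signed by the key you imported, so it still matters where that key came from: fetch it from the vendor's own web site rather than from the same mirror as the download.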

4. What is this gpgv tool I've heard about?
The gpgv tool is used only for verifying the signatures on files or programs. Unlike the gpg tool, it cannot sign or encrypt files or programs. The gpgv tool also stores its public keys in a different file, so keys imported for gpgv are not available to gpg and vice versa. In my opinion you might as well just focus on the gpg tool, as it has many more options and more written documentation.

5. How does “rpm --checksig” fit into the picture?
Software packages in the “rpm” format used by Linux distributions such as Mandrake or Red Hat Linux have the ability to store both md5sum and gpg signatures in them. No separate signature file is necessary to verify these digital signatures or md5sums.

The rpm command has options that allow you to import public keys and therefore verify files. The keys are stored in a different location than the one the gpg command uses. To import a public key with the rpm command, use:

[root@sygny tmp]# rpm --import <keyfile>

The public keys are all typically stored in the /var/lib/rpm/Pubkeys file in both Mandrake and Red Hat Linux.

First import the public key, then use the following command to verify the signature on the file:

[root@sygny tmp]# rpm --checksig GConf-1.0.9-13.1.92mdk.i586.rpm <enter>
GConf-1.0.9-13.1.92mdk.i586.rpm: sha1 md5 gpg OK

The “OK” above confirms that both the md5sum and the gpg signature are valid.

How does the rpm command know that the md5sum value is correct? An md5sum value is stored inside the rpm package file, and the rpm command calculates its own md5sum of the package contents. The two values are then compared for verification.
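An added example, not from the original page, of reading rpm --checksig output in a script. The format is the one shown above: “<file>: <tags> OK” when every listed tag checked out, “... NOT OK” when one did not, and a tag printed in parentheses and upper case, such as “(GPG)”, when rpm could not check it because the key was never imported. The sample lines are constructed. The check worth automating is the one that is easy to miss by eye: a package that was never signed at all still prints “sha1 md5 OK”, so “OK” on its own does not mean “signed”, and the line has to be read for the gpg tag too.

```shell
#!/bin/sh
# Added example, not from the original page: classifying "rpm --checksig"
# output lines as section 5 describes them. The sample output is constructed;
# the key id in the MISSING KEYS line is a placeholder.
set -eu

# Return a one-word status for one output line:
#   signed-ok  digests match and the gpg signature verified
#   unsigned   digests match but the package carries no gpg signature
#   bad        a digest or the signature did not match
#   no-key     a signature is present but its key is not imported
checksig_status() {  # $1 = one line of rpm --checksig output
    rest=${1#*: }                    # everything after "<file>: "
    case "$rest" in
        *"MISSING KEYS"*|*"(GPG)"*) echo no-key ;;
        *"NOT OK"*)                 echo bad ;;       # must be tested before " OK"
        *gpg*" OK"*)                echo signed-ok ;;
        *" OK"*)                    echo unsigned ;;
        *)                          echo unknown ;;
    esac
}

# Constructed sample: what rpm --checksig might print for four packages.
SAMPLE='GConf-1.0.9-13.1.92mdk.i586.rpm: sha1 md5 gpg OK
unsigned-tool-1.2-3.i586.rpm: sha1 md5 OK
tampered-lib-4.5-6.i586.rpm: sha1 md5 gpg NOT OK
unknown-key-0.1-1.i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)'

# Print a verdict per package; only signed-ok packages should be installed.
report() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        printf '%-10s %s\n' "$(checksig_status "$line")" "${line%%:*}"
    done
}

# Number of sample packages that must not be installed as they are.
count_unsafe() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        checksig_status "$line"
    done | grep -vc '^signed-ok$'
}

# Wrapper for real package files: run rpm --checksig and classify each line.
# Only meaningful where rpm is installed; it is not called in the demo run.
audit_rpms() {  # $@ = .rpm files
    rpm --checksig "$@" 2>&1 | while IFS= read -r line; do
        printf '%-10s %s\n' "$(checksig_status "$line")" "${line%%:*}"
    done
}

report
echo "packages not safe to install as they are: $(count_unsafe)"
```

On a real system, audit_rpms *.rpm gives the same per-package verdicts for downloaded packages; a no-key result means the vendor's key still has to be imported with rpm --import before the package can be judged at all.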

6. Using software install tools like mcc (Mandrake Linux) or up2date (Red Hat Linux)
Both the Mandrake and Red Hat Linux tools automatically check the md5sum for each software package that is installed as this is a built in feature of the rpm tool.

The Red Hat Linux up2date tool will verify the gpg signatures on the file or program and will give an error if the signature is missing or not valid.

Mandrake Linux also includes the ability to check gpg signatures when installing or updating programs.

7. Other Resources
Web sites:
http://www.mandrakesecure.net/en/docs/gpg.php

Mailing Lists:
http://lists.gnupg.org/pipermail/gnupg-users/ (Main User List)
http://marc.theaimsgroup.com/?l=gnupg-users (Searchable Main List)

http://groups.yahoo.com/group/PGP-Basics/
