gpg verify download

Post everything else here

Moderators: Website/Forum Admins, Other/Off Topic Moderators

rf
Posts: 30
Joined: Wed Apr 05, 2006 10:16 pm

gpg verify download

Postby rf » Wed May 10, 2006 5:24 pm

Hi,

It is my understanding that the [gpg] and [md5] next to a binary file to download a program such as Apache is for the purpose of verifying the integrity of the download. My question is how do you do that?

gpg httpd-2.2.2..tar.gz returns an error message:
"No valid Open PGP data found.
processing message failed."

Does this mean the file is not OK?
What does it mean and what can be done about it?
Is it important to verify a file that has been downloaded? If so how?

Thanks,

RF
Nico
Posts: 8
Joined: Sun Sep 05, 2004 11:12 am
Location: France

Postby Nico » Wed May 10, 2006 7:50 pm

A md5 hash enables you to verify the integrity of the file you've just downloaded. To use it, download the *.md5 file that goes with the file and then use:

Code: Select all

md5sum --check file.md5
The gpg signature allows you to verify that the file has been created by a trusted authority. To use it, you have to download the public key of this authority first. When software publishers offer *.sig or *.asc files, they usually explain you how to do that. Then, you can verify the signature of the downloaded file:

Code: Select all

gpg --verify file.sig
Apache has a very nice page about gpg: http://httpd.apache.org/dev/verification.html
Note that I couldn't access apache.org at all while writing this. Google has cached the page in case you can't access it either.
rf
Posts: 30
Joined: Wed Apr 05, 2006 10:16 pm

Postby rf » Wed May 10, 2006 10:42 pm

Thanks for the reply.

Below is what I did and the responses:

rf@P4-3200RF:~$ md5sum -c httpd-2.2.2.tar.bz2.asc
md5sum: no files checked
rf@P4-3200RF:~$ gpg httpd-2.2.2.tar.bz2.asc
gpg: keyring `/home/rf/.gnupg/secring.gpg' created
Detached signature.
Please enter name of data file: httpd-2.2.2.tar.bz2.asc
gpg: Signature made Fri 21 Apr 2006 09:59:05 PM MDT using DSA key ID 42721F00
gpg: Can't check signature: public key not found
rf@P4-3200RF:~$ pgp --keyserver pgpkeys.mit.edu --recv-key 42721F00
bash: pgp: command not found
rf@P4-3200RF:~$ gpg --keyserver pgpkeys.mit.edu --recv-key 42721F00
gpg: key 42721F00: duplicated user ID detected - merged
gpg: /home/rf/.gnupg/trustdb.gpg: trustdb created
gpg: key 42721F00: public key "Paul Querna <chip>" imported
gpg: Total number processed: 1
gpg: imported: 1
rf@P4-3200RF:~$ gpg httpd-2.2.2.tar.bz2.asc
Detached signature.
Please enter name of data file: httpd-2.2.2.tar.bz2.asc
gpg: Signature made Fri 21 Apr 2006 09:59:05 PM MDT using DSA key ID 42721F00
gpg: BAD signature from "Paul Querna <chip>"
rf@P4-3200RF:~$ gpg --fingerprint 42721F00
pub 1024D/42721F00 2004-01-17 Paul Querna <chip>
Key fingerprint = 39F6 691A 0ECF 0C50 E8BB 849C F788 75F6 4272 1F00
uid Paul Querna <chip>
uid Paul Querna <chip>
uid Paul Querna <pquerna>
sub 2048g/7A2BE310 2004-01-17

The bottom line is - I am still not sure if this all means the downloaded file is OK or not!

When I click on the [PGP] {Md5] links I don't get a downloaded file - just another page on my browser:
Md5 link shows me this:
9c759a9744436de6a6aa2ddbc49d6e81 httpd-2.2.2.tar.bz2
PGP link shows me this:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQBESaoJ94h19kJyHwARAn3mAJ4wv+oU/x1jb8dyE7yPLRvWHfZRuwCdE6tn
5GqYf9/xvObtFvg5sLpRJMs=
=h6Al
-----END PGP SIGNATURE-----

Then I can copy either of these two images into a text file - which somehow does not seem to be the right thing to do, and I am not sure what it means or proves!

I was able to see (and print) the Verifying Apache HTTP Server Releases that was helpful but still left me unsure as to whether my download was good or not!

Thanks for your help.

RF
User avatar
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Thu May 11, 2006 5:43 pm

read the reply fully

first, do not use md5sum on asc files, use md5sum on md5 files (right click, save target as if md5 files are opening in your browser rather than saving to a file)

`md5sum -c httpd-2.2.2.tar.bz2.md5`

`gpg --verify httpd-2.2.2.tar.bz2.asc`

here's an example of creating and checking an md5 file:

Gavin@munky ~
$ md5sum john-1.6.37.tar.gz > john-1.6.37.tar.gz.md5

Gavin@munky ~
$ cat john-1.6.37.tar.gz.md5
9403233b640927295c05b0564ff1f678 *john-1.6.37.tar.gz

Gavin@munky ~
$ md5sum -c john-1.6.37.tar.gz.md5
john-1.6.37.tar.gz: OK
In God we trust,
Everyone else must have an X.509 certificate.
rf
Posts: 30
Joined: Wed Apr 05, 2006 10:16 pm

Postby rf » Thu May 11, 2006 11:09 pm

munkey,

Thank you. Your help is much appreciated.
I have been able to verify the two downloaded files I needed to. This is much appreciated.

My system is not quite as friendly as your is. When I
md5sum -c file.tar.bz2.md5
I get nothing in response.

However if I compare the
cat file.tar.bz2 number with the posted number on the download URL it is the same, so I am confident that the file is OK

Where there is a dm5 link posted - following your advice gave a satisfactory way to compare numbers.

Thank you.

RF :D

Who is online

Users browsing this forum: No registered users and 3 guests