Friday, November 14, 2014

Verifying file signature using GNUgpg

In this post, you will see just how easy it is for file & signature verifications using GNU gpg. A little background;

  • The  GNU PGP implementation has been around for a  decade +
  •  it uses PKI 
  •  keys are retrieved via public key-servers
  • A file signed via a key, can be Digitally verified  for tampering or corruption
  •  it also validates the author is actually the author
This is a how a typical PGP signature file looks;

Typically the  author of the  file, will make the signature publicly available. So by downloading the signature, we can validate the actual datafile that was signed.

When using gpg, and when the key is not on your key-ring, then gpg is smart enough to retrieve the key that's listed in  the  signature file. You can display this action if you use the "-v" verbose switch.

note: if you are on a restricted network or behind a firewall  the port could be blocked for the key-server.

To verify a pgp signature you need the following;

      1: the data to be verified
      2: the signature file
      3: the public-key of the author for the datafile

If any of the three are missing, you can't continue. If one of the three was tampered with, you verification would fail!

Here's an example of a verification process against a linux kernel filename = linux-2.2.0.tar

note: if the file is compressed and ends  with either a gz or bz2 extension, you need to un-compress the data before the verification. Linux Kernel sources are always signed b4 compression btw and I don't think that will ever change.

note: Once the key has been imported, any  other following  verifications would  use the local cached key. If you want to delete the key , use the cli  cmd  gpg --delete-keys  <key id>

So now you see just how easy it is to  verify a signature using gpg. It's so simple, that even a caveman  or monkey can do it.

Now, I will modify the signature to show you how  any corruption or tampering will invalidation the verification. I used  the unix vi cmd to change one character with in the pgp signature file, and now will attempt a new verification.

So with PKI, we have failsafes that if either ;  1> the datafile or 2> signature been tampered with, the verification process would fail. Even if we re-imported the key, and start fresh from the top, the  verification will still fail.

( the modified  PGP signature used for this last sample &  with the "I" on the 1st line change to uppercase )

I hope this  demonstration has been helpful. You can learn more about GNU PGP implementation at the following link;

and about PGP in general here;

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

No comments:

Post a Comment