GPG – How to Verify a File Using an ASC Signature

checksumdigital-signaturesgpgpgp

As an example, this project offers an *.asc file with a PGP signature to verify the contents of the download (as opposed to a checksum, you can see the empty column): https://ossec.github.io/downloads.html

How would I use this file? I tried gpg --verify and other variants, but it seems to be matching the name up to the file, however the filename as it is downloaded is not exactly the same… not sure how it is supposed to work.

Best Answer

Download the key file:

wget https://ossec.github.io/files/OSSEC-ARCHIVE-KEY.asc

Inspect the key file to confirm it has EE1B0E6B2D8387B7 as its keyid.

gpg --keyid-format long --list-options show-keyring OSSEC-ARCHIVE-KEY.asc

If correct, then import the key:

gpg --import OSSEC-ARCHIVE-KEY.asc

Download the software package

wget https://github.com/ossec/ossec-hids/archive/2.9.3.tar.gz

Download the signature file

https://github.com/ossec/ossec-hids/releases/download/2.9.3/ossec-hids-2.9.3.tar.gz.asc

Verify it

gpg --verify ossec-hids-2.9.3.tar.gz.asc 2.9.3.tar.gz

Output

gpg: Signature made Sat Dec 23 16:13:01 2017 UTC
gpg:                using RSA key EE1B0E6B2D8387B7
gpg: Good signature from "Scott R. Shinn <scott@atomicorp.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B50F B194 7A0A E311 45D0  5FAD EE1B 0E6B 2D83 87B7

Related Solutions

Ssh – Using PGP keys for SSH

There are several ways, which may or may not work:

MonkeySphere
openssh-gpg, a patch for OpenSSH
SSH.com has built-in support
gpg2 on Debian comes with a gpgkey2ssh tool, and gpg-agent can act as a ssh agent too, but I couldn't figure out how to actually make ssh use the key for authentication.

Validating signature trust with gpg

This is what ended up with:

#!/bin/sh

tmpfile=$(mktemp gpgverifyXXXXXX)
trap "rm -f $tmpfile" EXIT

gpg --status-fd 3 --verify "$@" 3> $tmpfile || exit 1
egrep -q '^\[GNUPG:] TRUST_(ULTIMATE|FULLY)' $tmpfile

This looks for the trust information that gpg outputs on --status-fd. The script exits with an error in the presence of an untrusted signature (or invalid/no signature):

$ sh checksig sample.sh.bad 
gpg: Signature made Mon 24 Jun 2013 11:42:58 AM EDT using RSA key ID DCD5C569
gpg: Good signature from "Test User <testuser@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6FCD 3CF0 8BBC AD50 662E  5070 E33E D53C DCD5 C569
$ echo $?
1

The script exits with no error in the presence of a valid, trusted signature:

$ sh checksig sample.sh.good
gpg: Signature made Mon 24 Jun 2013 11:38:49 AM EDT using RSA key ID 5C2864A8
gpg: Good signature from "Lars Kellogg-Stedman <...>"
$ echo $?
0

Best Answer

Related Solutions

Ssh – Using PGP keys for SSH

Validating signature trust with gpg

Related Topic