Monday, February 27, 2012

Verifying signatures using GPG or PGP


GPG - GNU Privacy Guard
GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880. GnuPG allows you to encrypt and sign your data and communications, and features a versatile key management system as well as access modules for all kinds of public key directories.

Installing a GPG key. GPG is compatible with PGP (Pretty Good Privacy), so you can install a PGP key also.
gpg --import name.gpg

[root@work2 src]# gpg --import sendmail2011.asc
gpg: key A97884B0: public key "Sendmail Signing Key/2011 <sendmail@Sendmail.ORG>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

Listing the installed gpg keys. This will list all the GPG/PGP keys currently installed on your system.
gpg --list-keys

[root@work2 src]# gpg --list-keys
pub   2048R/CEEEF43B 2011-12-14
uid                  Sendmail Signing Key/2012 <sendmail@Sendmail.ORG>
sub   2048R/1998F74E 2011-12-14

pub   2048R/A97884B0 2011-01-04
uid                  Sendmail Signing Key/2011 <sendmail@Sendmail.ORG>
sub   2048R/620439A5 2011-01-04

Verifying a package. Now verify the downloaded signature file against the package, using the installed key.
gpg --verify name.x.x.x.sig name.x.x.x.tar.gz

[root@work2 src]# gpg --verify sendmail.8.14.5.tar.gz.sig sendmail.8.14.5.tar.gz
gpg: Signature made Mon 16 May 2011 09:40:21 AM IST using RSA key ID A97884B0
gpg: Good signature from "Sendmail Signing Key/2011 <sendmail@Sendmail.ORG>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5872 6218 A913 400D E660  3601 39A4 C77D A978 84B0
[root@work2 src]#
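
The WARNING in the output above means gpg has no trust path to the key, so "Good signature" only proves the file was signed by whichever key was imported. The following added example (not part of the original post) accepts a signature only when the signer's fingerprint matches one you pinned after confirming it through a separate trusted channel; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): accept a signature only when
# the signing key's primary fingerprint matches one you pinned beforehand.

# Strip whitespace and uppercase, so "5872 6218 ..." compares equal to gpg's form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line ends
# with the pinned primary-key fingerprint and nothing reports a bad signature.
check_status() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Last field: primary key fingerprint (field 3 may be a subkey).
            if (toupper($NF) == want) ok = 1; else bad = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_pinned FINGERPRINT SIGFILE DATAFILE
# Fails closed: no gpg, no key, or no VALIDSIG all return non-zero.
verify_pinned() {
    gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed sample of status output for the key shown above (timestamps made up).
sample_status() {
    printf '%s\n' \
        '[GNUPG:] GOODSIG 39A4C77DA97884B0 Sendmail Signing Key/2011 <sendmail@Sendmail.ORG>' \
        '[GNUPG:] VALIDSIG 58726218A913400DE660360139A4C77DA97884B0 2011-05-16 1305519021 0 4 0 1 2 00 58726218A913400DE660360139A4C77DA97884B0'
}

# Usage: verify_pinned "5872 6218 A913 400D E660  3601 39A4 C77D A978 84B0" \
#            sendmail.8.14.5.tar.gz.sig sendmail.8.14.5.tar.gz
```

Use the exit status in a build or install script so that an unexpected signer stops the process before the tarball is unpacked.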
