dannyman.toldme.com

March 30, 2007
FreeBSD, Technical

HOWTO: Verify a PGP Signature

So, assuming you are a SysAdmin, you really want to get a basic understanding of public key cryptography and the rest. But then, there’s a lot of stuff you need to learn and sometimes you just need to apply a patch, and would like some decent assurance that the patch hasn’t been compromised.

Today, I am patching–a few weeks too late–a FreeBSD system to reflect recent legislative changes to Daylight Saving Time. The procedure is very simple, and covered in FreeBSD Security Advisory FreeBSD-EN-07:04.zoneinfo. It starts:

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/EN-07:04/zoneinfo.patch
# fetch http://security.FreeBSD.org/patches/EN-07:04/zoneinfo.patch.asc

Alas, here is a quick-and-dirty crib sheet for the “verify the detached PGP signature using your PGP utility” part:

If you don’t already have GPG installed, install it right quick: pkg_add -r gnupg

First, generate a key for yourself: gpg --gen-key
(Accept the reasonable defaults, and give it a decent passphrase.)

Next, visit The PGP Keys appendix to the FreeBSD Handbook and copy the key data for the Security Officer Team into your text buffer. (The stuff from pub 1024D/CA6CDFB2 to -----END PGP PUBLIC KEY BLOCK-----) Invoke gpg --import and paste the key data into your terminal. Press control-D.

Alternatively, you could just suck in all the FreeBSD PGP keys, but that can take a little while:
fetch http://www.freebsd.org/doc/pgpkeyring.txt && gpg --import pgpkeyring.txt

Now, sign the Security Officer Team key with your own key. Signing it means that you trust that the key really belongs to the FreeBSD Security Officer Team, and not to someone who has compromised the FreeBSD web site. This is the dirtiest part of not being a PGP expert: if you were one, you might have someone in your key ring who could vouch for the FreeBSD Security Officer Team on your behalf. Anyway: gpg --sign-key security-officer@FreeBSD.org

Now, you’re all set up to verify the zoneinfo signature, and other FreeBSD security patch signatures in the future:

> gpg --verify zoneinfo.patch.asc zoneinfo.patch
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Wed Feb 28 10:36:32 2007 PST using DSA key ID CA6CDFB2
gpg: Good signature from "FreeBSD Security Officer <security-officer@FreeBSD.org>"

Yay! Don’t forget to learn more about PGP . . . until you do, the drill goes:

gpg --gen-key (Only need to do this once …)
gpg --import
gpg --sign-key
gpg --verify (All you’ll need to remember once you’re set up.)
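
For scripting the last step, here is an added example (not from the original post or the FreeBSD advisory). "Good signature" only means some key in your keyring made the signature, so this wrapper also requires that the signer be one pinned key. The function names are made up for illustration, and the fingerprint argument is the full fingerprint you have checked against a source you trust.

```shell
#!/bin/sh
# Added example: check a detached signature AND that it was made by one
# specific, pinned key. Function names here are hypothetical.

# status_matches FINGERPRINT
# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names FINGERPRINT as the signing key or as its primary key.
status_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        BEGIN {
            # Refuse short key IDs (e.g. 8 hex digits): they can collide.
            if (want !~ /^[0-9A-F]+$/ || length(want) < 40) bad = 1
        }
        # VALIDSIG: field 3 = signing key fingerprint,
        #           last field = primary key fingerprint.
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) {
            ok = 1
        }
        END { exit ((bad || !ok) ? 1 : 0) }'
}

# verify_detached SIGNATURE FILE FINGERPRINT
verify_detached() {
    # gpg exits non-zero on a bad signature or a missing public key.
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_matches "$3"
}

# Stand-alone use: sh verify.sh zoneinfo.patch.asc zoneinfo.patch FINGERPRINT
if [ "$#" -eq 3 ]; then
    if verify_detached "$1" "$2" "$3"; then
        echo "OK: good signature from the pinned key"
    else
        echo "FAIL: bad signature or unexpected signer" >&2
        exit 1
    fi
fi
```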
