FreeBSD, Technical

HOWTO: Verify a PGP Signature

So, assuming you are a SysAdmin, you really want to get a basic understanding of public key cryptography and the rest. But then, there’s a lot of stuff you need to learn and sometimes you just need to apply a patch, and would like some decent assurance that the patch hasn’t been compromised.

Today, I am patching–a few weeks too late–a FreeBSD system to reflect recent legislative changes to Daylight Saving Time. The procedure is very simple, and covered in FreeBSD Security Advisory FreeBSD-EN-07:04.zoneinfo. It starts:

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/EN-07:04/zoneinfo.patch
# fetch http://security.FreeBSD.org/patches/EN-07:04/zoneinfo.patch.asc

Alas, here is a quick-and-dirty crib sheet for the “verify the detached PGP signature using your PGP utility” part:

If you don’t already have GPG installed, install it right quick: pkg_add -r gnupg

First, generate a key for yourself: gpg --gen-key
(Accept the reasonable defaults, and give it a decent passphrase.)

Next, visit The PGP Keys appendix to the FreeBSD Handbook and copy the key data for the Security Officer Team into your text buffer. (The stuff from pub 1024D/CA6CDFB2 to -----END PGP PUBLIC KEY BLOCK-----) Invoke gpg --import and paste the key data into your terminal. Press control-D.

Alternatively, you could just suck in all the FreeBSD PGP keys, but that can take a little while:
fetch http://www.freebsd.org/doc/pgpkeyring.txt && gpg --import pgpkeyking.txt

Now, sign the Security Officer Team key with your own key. This means that you trust that the FreeBSD Security Officer Team is who you think it is, and not someone who has compromised the FreeBSD web site. This is the dirtiest part of not being a PGP expert, in which case you might have someone in your key ring who could vouch for the FreeBSD Security Officer Team on your behalf. Anyway: gpg --sign-key security-officer@FreeBSD.org

Now, you’re all set up to verify the zoneinfo signature, and other FreeBSD security patch signatures in the future:

> gpg --verify zoneinfo.patch.asc zoneinfo.patch
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Wed Feb 28 10:36:32 2007 PST using DSA key ID CA6CDFB2
gpg: Good signature from "FreeBSD Security Officer <security-officer@FreeBSD.org>"

Yay! Don’t forget to learn more about PGP . . . until you do, the drill goes:

gpg --gen-key (Only need to do this once …)
gpg --import
gpg --sign-key
gpg --verify (All you’ll need to remember once you’re set up.)

Read More

Categories: FreeBSD, Technical

  • Day12234

    The problem with this instruction set is that the commands only work with GnuPG (gpg) – not with pgp.