Article: How can I certify or check the authenticity of stored files ?

Item posted by Mathieu Roy <yeupou> on Mon May 10 10:27:34 2004.

How can I certify or check the authenticity of stored files ?

To check the authenticity of a file, one of the best tools currently available is GnuPG (GPG). We will not describe here what GnuPG is or how it works: if you are looking for that information, check the GnuPG documentation.

    • How can I check the authenticity of a file using GnuPG [for everybody]

You can use GnuPG to check the authenticity of a file only if that file was signed with GnuPG in the first place.

Download the file you are interested in and its signature. The signature is usually named after the file, with a .sig suffix. For instance, at , you can download savane-1.0.2.tar.gz (the file) and savane-1.0.2.tar.gz.sig (the signature).

Use GnuPG to verify the signature against the file (for a detached signature, gpg looks for the signed file under the same name without the .sig suffix, so keep both in the same directory):
gpg --verify savane-1.0.2.tar.gz.sig

If it says that the relevant public key is not found, you must import the public key of the person who signed the file. We recommend that developers give this information in their download area. For instance, this is mentioned at , in a section called GPG Signature. You can search for and import a key by typing:
gpg --search-keys name_of_the_person_that_signed_the_file

If it reports a good signature, the file is exactly what the holder of that key signed. That confirms the file's authenticity only if the key really belongs to a member of the project: anyone can create a key carrying any name, so compare the key's fingerprint with the one the project publishes (in its download area or README) rather than trusting the name shown by gpg.

    • How can I sign a file using GnuPG [for developers]

Users can only check the authenticity of files if those files have been signed by their author(s). So it is important that developers sign their packages, especially software release tarballs.

Obviously, you need your own GPG key to sign files. We will not describe here how to create such a key: please read the GnuPG documentation.

The best is to create a "detached" signature (a signature in a separate file, not appended to the original file). You can do that by typing the following, which writes the signature to myfile.sig next to the original (add --armor if you prefer an ASCII .asc file):
gpg --detach-sign myfile

When it is done, you can upload both the file and the signature.

You should make sure that your public key is available to users by sending it to a key server (replace <your-key-id> with your key ID or fingerprint):
gpg --send-keys <your-key-id>

You should make sure users can easily import your GPG key from the key server. To do so, mention an accurate search string (and the key's fingerprint) in a file called README.html, stored in the same directory as the signed files, like
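The two halves of the procedure above, signing as a developer and verifying as a user, as an added end-to-end example that is not code from the original article or the Savane project. It works in two throwaway keyrings so it never touches your real ~/.gnupg. The key identity and file names are made up, exporting the public key to a file stands in for --send-keys / --search-keys so it runs offline, and it assumes GnuPG 2.x is installed as gpg. The user-side check reads gpg's machine-readable status lines and insists on the fingerprint the project published, which is the check the human-readable "Good signature" text alone does not give you.

```shell
#!/bin/sh
# Added example (not code from the original article or the Savane project).
# Two throwaway keyrings: the developer signs a release and publishes a
# fingerprint; the user verifies before and after importing the key, then sees
# what a swapped tarball and an unexpected key look like.
# Assumes GnuPG 2.x as "gpg"; identity, file names and contents are made up.
set -eu

case "$(command -v gpg >/dev/null 2>&1 && gpg --version | head -n 1)" in
    *" 2."*) ;;
    *) echo "needs GnuPG 2.x; nothing to demonstrate" >&2; exit 0 ;;
esac

WORK=$(mktemp -d)
DEV_HOME="$WORK/dev-gnupg"
USER_HOME="$WORK/user-gnupg"
mkdir -m 700 "$DEV_HOME" "$USER_HOME"
cleanup() {
    for h in "$DEV_HOME" "$USER_HOME"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT
cd "$WORK"

# ---- developer side -----------------------------------------------------
export GNUPGHOME="$DEV_HOME"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Dev <dev@example.invalid>' default default never 2>/dev/null
# The fingerprint is what belongs in the README / download page: it is the only
# thing that lets a user tell the project's key from any key with the same name.
DEV_FPR=$(gpg --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')

printf 'pretend this is the release tarball\n' > savane-1.0.2.tar.gz   # constructed stand-in
gpg --batch --quiet --detach-sign savane-1.0.2.tar.gz                  # writes savane-1.0.2.tar.gz.sig
gpg --batch --armor --export "$DEV_FPR" > release-key.asc              # offline stand-in for --send-keys

# ---- user side ----------------------------------------------------------
export GNUPGHOME="$USER_HOME"

# verify_release SIGNATURE EXPECTED_FINGERPRINT
# Parses gpg's --status-fd lines rather than its human-oriented text, and
# requires the exact fingerprint: a "Good signature" from some other key is
# not good enough. Returns 0 good, 1 bad signature, 2 key not in keyring,
# 3 valid but made by a key other than the published one.
verify_release() {
    sig=$1; data=${1%.sig}; want=$2
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null || true)
    case "$status" in
        *"[GNUPG:] NO_PUBKEY "*) echo "no public key in keyring: import it first"; return 2 ;;
        *"[GNUPG:] BADSIG "*)    echo "BAD signature: file does not match";        return 1 ;;
    esac
    if printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $want "; then
        echo "good signature from the expected key $want"; return 0
    fi
    echo "valid signature, but not from the published fingerprint"; return 3
}

# Prints verify_release's return code so the demo below runs under set -e.
verify_status() {
    verify_release "$1" "$2" >/dev/null && echo 0 || echo $?
}

rc_before=$(verify_status savane-1.0.2.tar.gz.sig "$DEV_FPR")    # 2: fresh keyring, key unknown
gpg --batch --quiet --import release-key.asc 2>/dev/null           # what --search-keys would fetch
rc_good=$(verify_status savane-1.0.2.tar.gz.sig "$DEV_FPR")       # 0: signed by the published key
WRONG_FPR=0000000000000000000000000000000000000000                 # a fingerprint nobody published
rc_wrongkey=$(verify_status savane-1.0.2.tar.gz.sig "$WRONG_FPR") # 3: valid, but whose key is it?
printf 'x' >> savane-1.0.2.tar.gz                                 # tarball replaced on the mirror
rc_bad=$(verify_status savane-1.0.2.tar.gz.sig "$DEV_FPR")        # 1: signature no longer matches

echo "before import: $rc_before, after import: $rc_good, wrong key: $rc_wrongkey, tampered: $rc_bad"
```

Run it as a plain script; it cleans up both keyrings and their agents on exit. The return code 3 case is the one the comment below is about: gpg is perfectly happy with the signature, and only the fingerprint comparison tells you it was not made by the key the project published.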

(This article has been added as FAQ entry)


Maybe not so clear but: (posted by Mathieu Roy, Fri May 28 14:38:20 2004)

Beware, a gpg signature of a file just proves it has been signed with a given key.

It is important to be sure that this key is owned by who you think it is. This kind of guarantee comes with the network of signatures (no, I will not detail that here; check the gpg doc, it will explain it to you more clearly than I possibly could).

Without this key network, it is still useful to have files gpg-signed: you will notice if a package has not been made by the usual lad for a specific project, so you'll know if there is something unusual.


GPG fingerprints (posted by Dylan William Hardison, Mon May 10 02:40:39 2004)

It can be quite useful to put your GPG fingerprint in your ~/.signature file, having it propagate to all the mailing lists you frequent.
