
Article: How can I certify or check the authenticity of stored files ?

Item posted by Mathieu Roy <yeupou> on Mon 10 May 2004 10:27:34 AM UTC.

How can I certify or check the authenticity of stored files ?

To check the authenticity of a file, one of the best tools currently available is GPG. We will not describe here what GnuPG is and how it works: if you are looking for that information, check the GnuPG documentation.

    • How can I check the authenticity of a file using GnuPG [for everybody]

You can use GnuPG to check the authenticity of a file only if this file has been signed with GnuPG in the first place.

Download the file you are interested in and its signature. The signature is usually named after the file, with a .sig extension added. For instance, at http://download.gna.org/savane , you can download savane-1.0.2.tar.gz (the file) and savane-1.0.2.tar.gz.sig (the signature).

Use GnuPG to check the signature against the file (gpg looks for the signed file under the signature's name without the .sig extension):
gpg --verify savane-1.0.2.tar.gz.sig

If it says that the relevant public key was not found, you must import the public key of the person who signed the file. We recommend that developers give this information in their download area. For instance, it is mentioned at http://download.gna.org/savane , in a section called GPG Signature. You can search for and import a key by typing:
gpg --search-keys name_of_the_person_that_signed_the_file

If it says the signature is good, the authenticity of the file is confirmed: it has not been altered since it was signed. Make sure, however, that the key which made the signature belongs to a member of the project, since a good signature from an unrelated key proves nothing about the file's origin.

    • How can I sign a file using GnuPG [for developers]

Users can only check the authenticity of files if these files are signed by their authors. So it is important that developers sign their packages, especially software release tarballs.

Obviously, you need your own GPG key to sign files. We will not describe here how to create such a key: please read the GnuPG documentation.

The best option is to create a "detached" signature (a signature stored as a separate file, not appended to the original file). You can do that by typing the following, which writes the signature to myfile.sig:
gpg --detach-sign myfile

When it is done, you can upload both the file and the signature.

You should make sure that your public key is available to users by sending it to a key server (replace your_key_id with the ID or fingerprint of your key):
gpg --send-keys your_key_id

You should make sure users can easily import your GPG key from the key server. To do so, mention an accurate search string in a file called README.html, stored in the same directory as the signed files, like http://download.gna.org/savane/README.html
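The two procedures above, signing as a developer and checking as a user, as one added shell round trip. This is example code added here; it is not part of the original article and not Savane's or Gna!'s own tooling. It assumes GnuPG 2.1 or later is installed (for --quick-generate-key, --status-fd and gpgconf); the key, its user ID, the file contents and the expected fingerprints are all constructed for the demo and run inside a temporary GNUPGHOME so the real keyring is never touched. It goes one step beyond the article by comparing the signing key's fingerprint with an expected value, which is how a user confirms that the key really belongs to a project member rather than merely that some key signed the file, and by showing that both a modified file and a signature from an unexpected key are rejected.

```shell
#!/bin/sh
# Added example: sign a file the way a developer would, then verify it the way
# a user would, inside a throwaway GNUPGHOME. Assumes GnuPG 2.1 or later.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
# Stop the agent spawned for this keyring and remove everything on exit.
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Constructed user ID for the demo key; a real project member's key is used in practice.
SIGNER='Demo Release Signer <demo-signer@example.invalid>'

# --- developer side ---------------------------------------------------------

make_key() {   # create an unprotected signing key without any prompts
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$SIGNER" default default never
}

key_fingerprint() {   # 40 hex digit fingerprint of the demo key's primary key
    gpg --batch --with-colons --fingerprint "$SIGNER" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

sign_file() {   # sign_file FILE  -> writes the detached signature FILE.sig
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$1.sig" "$1"
}

# --- user side --------------------------------------------------------------

# verify_file FILE EXPECTED_FINGERPRINT
# Prints "ok" and returns 0 only if FILE.sig is a good signature over FILE
# *and* it was made by the key whose fingerprint the user expects. The
# machine-readable status lines are used instead of the human-oriented output.
verify_file() {
    status=$(gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$2" || return 1
    echo ok
}

run_demo() {
    make_key
    fpr=$(key_fingerprint)
    echo "demo key fingerprint: $fpr"

    # Constructed stand-in for a release tarball.
    printf 'pretend this is savane-1.0.2.tar.gz\n' > "$WORK/release.tar.gz"
    sign_file "$WORK/release.tar.gz"
    result=$(verify_file "$WORK/release.tar.gz" "$fpr")
    echo "genuine file: $result"

    # A single appended byte is enough to make the signature fail.
    cp "$WORK/release.tar.gz" "$WORK/modified.tar.gz"
    cp "$WORK/release.tar.gz.sig" "$WORK/modified.tar.gz.sig"
    printf 'x' >> "$WORK/modified.tar.gz"
    if verify_file "$WORK/modified.tar.gz" "$fpr"; then
        echo "BUG: modified file verified"; return 1
    fi
    echo "modified file: rejected"

    # A good signature from a key the user does not expect is rejected as well.
    if verify_file "$WORK/release.tar.gz" 0000000000000000000000000000000000000000; then
        echo "BUG: unexpected signing key accepted"; return 1
    fi
    echo "unexpected signing key: rejected"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

Run it as a plain script; it needs no arguments and leaves nothing behind. In real use the developer would replace the generated key with their own and the user would take the expected fingerprint from the project's download page or README.html, not from the same place as the file.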

(This article has been added as a FAQ entry.)

Comments:

Message: 126
GPG fingerprints (posted by dylanwh, Mon 10 May 2004 02:40:39 AM UTC)

It can be quite useful to put your GPG fingerprint in your ~/.signature file, having it propagate to all the mailing lists you frequent.
