Only the paranoid survive. (Variously attributed to Andy Grove and Bill Gates.)
An increasing amount of Free Software is signed with PGP (OpenPGP, GnuPG) keys, and some software installation tools (notably ASDF-Install) will automatically verify such signatures upon installation.
For such a scheme to provide any semblance of security, it is important that you confirm that the key used for signing is valid, i.e. belongs to the person it claims it belongs to. For example, in order to safely install Cl-Yacc using ASDF-Install, you will need to confirm that the key used for signing cl-yacc-0.2.tar.gz does indeed belong to me.
The “proper” way of validating a PGP key consists in establishing an uninterrupted “chain of trust” between you and the key owner. In situations where you do not personally know the key owner, however, this can be difficult or impossibe; this document shows how to establish a weaker relation with a signer without significantly impairing security.
I assume that you are using GnuPG, which is Free Software. I also assume that you have set up a keyserver to use with GnuPG — if you haven't, just insert the following line in ~/.gnupg/gnupg.conf:
A piece of downloadable software usually comes in the form of a tarball somewhere on the web; for example, CL-Yacc 0.2 is distributed as the tarball
Such a tarball is signed if it is accompanied with a signature file with the extension .asc or sometimes .sig. For example, Cl-Yacc 0.2 is accompanied with the signature file
A PGP key pair is a cryptographic data structure that can be used for signing e-mails and software, and for certifying other keys. In PKI terms, a key pair can serve as both a certificate and a certifying authority.
A key pair consists of a public key, which is published as widely as possible, and a secret key, which is kept private.
When a public key is valid, our copy of GnuPG will accept signatures made with this key pair; in other words, it will use this key as a certificate. When a public key is both valid and trusted, our copy of GnuPG will consider keys signed by that key as valid; in other words, it will use this key as a certifying authority.
This summary is very much simplified; for more information about the so-called PGP web of trust in its full glory, please see The Gnu Privacy Handbook.
Even if you have no intention to use PGP for anything except verifying distributed software, you will need to have a public/private key pair. The private key will be used to bootstrap GnuPG by locally signing other people's signatures — making a note to GnuPG that a given key is valid.
The process of creating a public/private key pair in GnuPG is described in The Gnu Privacy Handbook. This only needs to be done once.
You will need to know the key id of the key you want to confirm. If you are using ASDF-Install, ASDF-Install will complain about an unknown key, and tell you the ID. Otherwise, download both the tarball and the signature file, and pass the signature file to GnuPG:
GnuPG will complain about an unknown key, and tell you the ID. At that point, do
You now need to confirm the key from an independent source i.e. neither the signature file nor the keyserver.
Armed with the ID of the key you are interested in, check the key on on your favourite keyserver interface (choose “verbose index”). You will find all the uids (e-mail addresses) of the person who signed the key, as well as the people who have signed that key.
The easy case is when there is a reliable source for confirming the key you are interested in itself.
If the key has a uid ending in @debian.org, you can confirm it with the Debian developers directory. Typing the developer's name in the directory's form will give you the key fingerprint, a long string of hex digits. Ask GnuPG to compute the fingerprint of the key you obtained from the keyserver,
and carefully compare the local fingerprint to the one you obtained from the Debian directory; if they match, it is extremely unlikely that the key is invalid.
If the key doesn't have a @debian.org uid, the owner might have put a key fingerprint on his homepage (for example, my key's fingerprint is at the bottom of my software page. While less secure than a well-known server such as db.debian.org, this may be enough for you to confirm that key.
Finally, the owner may have put the key itself on his home page. In that case, download the key, and do
If the key is valid, gpg should say something like
Once you have confirmed the key's validity, you should mark it as valid; this is called locally signing the key:
Do not use the sign command, unless you fully understand the implications.
If you have no reliable independent means of confirming the key, you will need to confirm some other key that has signed the key you are interested in. Go back to the key server interface, and look at the keys that have signed our key; if any of those is easy to confirm (for example by virtue of having a @debian.org uid), locally sign that key instead.
You should now tell GnuPG that you are willing to trust signatures made by the key you have just locally signed: in the gpg --edit interface, type trust and, when prompted, choose “trust this key fully”. GnuPG will then automatically consider all keys signed by the “fully trusted” key as valid.
If everything else fails, you may ask the signer by e-mail to confirm the key's fingerprint. While e-mail is insecure, you should be okay unless an attacker manages to subvert the DNS infrastructure at just the right time.
In order to validate my key, you could simply import it from the keyserver:
Since I happen to be a trustworthy person (it's written on the Web, so it must be true), you might as well mark my key as trusted:
A safer method is to notice that my key is signed by an @debian.org key:
Go to the Debian developers directory, request Samuel Mimram's fingerprint, and compare it carefully with the one computed locally:
If the fingerprints match, it should be reasonable to validate Mimram's key and mark it as trusted (thus making him into a certification authority):
At this point, GPG should have automatically marked my key as valid:
Edi Weitz is the author of a lot of useful ASDF-Installable software. Unfortunately, his key is not signed by any easy-to-validate key.
The simple solution would be to get his key from his web site. A safer solution would be to note that his key is signed by Christophe Rhodes' key, which in turn is signed by Martin Michlmayr's key, which is in the Debian directory.
Thus, by checking Martin's key against the Debian direcotory, then marking both Martin's and Christophe's keys as trusted, we get an uninterrupted chain of trust from the Debian directory to Edi Weitz.
If you have followed the above instructions, you should be able to do
and have GnuPG confirm the signature. This, however, only verifies that it is exceedingly likely that the signature was made by the person who claims he made it; it does not say anything about how trustworthy the signer himself is.
Unless you already know the signer, you should work out for yourself whether that person is trustworthy. You could for example use a web search engine to see what kind of activities that person has been involed in; if everything else fails, ask about that person on comp.lang.lisp or a suitable newsgroup.
Back to my software page.