
Verify the signature of Linux kernel

When you download the Linux kernel (or, for that matter, any file such as an Ubuntu image), there is a real chance that the file is corrupted. To verify that the file is not corrupted and comes from the right source (that is, from the person making the release), a signature from the person making the release is provided along with each release. This signature can then be checked to find out whether the files have been tampered with. Public key cryptography is used for signing and verification, and it is next to impossible to forge the signature (unless, of course, the person trying to forge it has the private key of the victim whose signature he is trying to forge). The signature can be verified using GnuPG. All you have to do is:

1. Download the Linux kernel from the person making the release.

savita@Amrita:~$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.xz

2. Download the corresponding signature for the kernel release.

savita@Amrita:~$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.sign

3. Decompress the Linux kernel (the signature covers the uncompressed tarball, not the .xz file).

savita@Amrita:~$ unxz linux-3.1.5.tar.xz

4. Verify the signature.

savita@Amrita:~$ gpg --verify linux-3.1.5.tar.sign

You will probably get the following output.

gpg: Signature made Fri 09 December 2011 10:46:46 PM EST using RSA key ID 6092693E
gpg: Can't check signature: public key not found

This is because you need to download the public key from a PGP key server before you can check the signature.

5. Now download the public key from the PGP key server, using the key ID shown in the output above.

savita@Amrita:~$ gpg --recv-keys 6092693E
gpg: requesting key 6092693E from hkp server keys.gnupg.net
gpg: key 6092693E: public key "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

6. Verify the signature again using GnuPG.

savita@Amrita:~$ gpg --verify linux-3.1.5.tar.sign

You will get this:

gpg: Signature made Friday 09 December 2011 10:46:46 PM IST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

The “Good” signature shows that the file has not been tampered with. The signature can also come back “Bad”; this may be because the file is corrupted or was not downloaded completely. But note the warning: you still need to verify that the key used actually belongs to the person who made the release, in this case Greg Kroah-Hartman. This can be done in two ways. Either follow the Web of Trust used in PGP, or go through the list of people who have signed the person’s key (using the command gpg --list-sigs) and contact them to check that they really signed it and that someone else did not fake it. Only then can you say that the signature on the Linux kernel is genuine.
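The six steps above, rehearsed offline as an added example (this is not code from the post or from kernel.org): it builds a throwaway keyring, generates a constructed release-signing key, signs a constructed release file with a detached signature like the .sign file above, and then verifies it with a function that insists on the signer's full fingerprint rather than the short key ID 6092693E that --recv-keys was given, because an 8-hex-digit key ID can be shared by more than one key. It also shows the two rejections a verifier must produce: a valid signature from a key that is not the one expected, and a file altered after signing. The identity demo-release@example.invalid, the file names and the function names are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original post: an offline rehearsal of the
# kernel signature check. Everything here (key, identity, file) is constructed.
set -eu

DEMO_UID='Demo Release Signer <demo-release@example.invalid>'   # constructed identity

# Create an isolated GNUPGHOME so the demo never touches the real keyring,
# generate the demo key, and record its full 40-hex-digit fingerprint. In real
# use the expected fingerprint comes from out of band (for the kernel, the
# kernel.org signature page), never from the key you just fetched.
setup_demo_keyring() {
    DEMO_HOME=$(mktemp -d)
    chmod 700 "$DEMO_HOME"
    export GNUPGHOME="$DEMO_HOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$DEMO_UID" rsa2048 sign never
    EXPECTED_FPR=$(gpg --batch --with-colons --fingerprint "$DEMO_UID" \
        | awk -F: '$1 == "fpr" { print $10; exit }')
}

# Write the constructed release file and its detached signature, the pair the
# post downloads as linux-3.1.5.tar and linux-3.1.5.tar.sign.
make_signed_release() {
    RELEASE="$GNUPGHOME/demo-release.tar"
    printf 'constructed tarball contents\n' > "$RELEASE"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$RELEASE.sign" "$RELEASE"
}

# verify_release FILE SIG EXPECTED_FPR
# Succeeds only if gpg reports a good signature on FILE made by the key whose
# full fingerprint is EXPECTED_FPR. --status-fd 1 gives machine-readable status
# lines; GOODSIG says the signature checks out, VALIDSIG carries the signing
# key's fingerprint. The trust warning in the post's output is replaced by this
# explicit comparison against a fingerprint obtained out of band.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $3; exit }')
    [ "$got" = "$3" ]
}

# Stop the agent that was started for the temporary home and delete the home.
cleanup_demo_keyring() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent 2>/dev/null || true
    fi
    rm -rf "$DEMO_HOME"
    unset GNUPGHOME
}

# End-to-end run: good signature, then the two failure modes the text
# discusses (key is not the one we expect; file changed after signing).
run_demo() {
    setup_demo_keyring
    make_signed_release
    if verify_release "$RELEASE" "$RELEASE.sign" "$EXPECTED_FPR"; then
        echo "accepted: good signature from expected key $EXPECTED_FPR"
    fi
    if ! verify_release "$RELEASE" "$RELEASE.sign" "0000000000000000000000000000000000000000"; then
        echo "rejected: signature is valid but the key is not the one pinned"
    fi
    printf 'x' >> "$RELEASE"                      # simulate corruption or tampering
    if ! verify_release "$RELEASE" "$RELEASE.sign" "$EXPECTED_FPR"; then
        echo "rejected: file changed after it was signed"
    fi
    cleanup_demo_keyring
}

# usage: run_demo   (needs GnuPG 2.1 or newer for --quick-generate-key)
```

Source the file and call run_demo; the three lines it prints correspond to the “Good” result, the key-identity check the warning asks for, and the “Bad” result that a truncated or altered download produces.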

Reference: http://www.kernel.org/signature.html