
Verify the signature of Linux kernel

When you download the Linux kernel (or, for that matter, any file such as an Ubuntu image), there is a real chance that the file is corrupted. To verify that the file is intact and comes from the right source (that is, from the person making the release), a signature made by that person is provided along with each release. That signature can be checked to find out whether the files have been tampered with. Public-key cryptography is used for signing and verification, and forging the signature is next to impossible (unless, of course, the person trying to forge it has the private key of the victim whose signature he is trying to forge). The signature can be verified using GnuPG. All you have to do is:

1. Download the Linux kernel.

savita@Amrita:~$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.xz

2. Download the corresponding signature for the kernel release, made by the person making the release.

savita@Amrita:~$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.sign

3. Uncompress the kernel archive (the signature covers the .tar, not the .tar.xz).

savita@Amrita:~$ unxz linux-3.1.5.tar.xz

4. Verify the signature with gpg (the command is shown in step 6).

You will probably get the following output:

gpg: Signature made Fri 09 December 2011 10:46:46 PM EST using RSA key ID 6092693E
gpg: Can't check signature: public key not found

This is because you need to download the signer's public key from a PGP key server before the signature can be checked.

5. Download the public key from the key server, using the key ID reported above.

savita@Amrita:~$ gpg --recv-keys 6092693E
gpg: requesting key 6092693E from hkp server keys.gnupg.net
gpg: key 6092693E: public key "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

6. Verify again using GnuPG.

savita@Amrita:~$ gpg --verify linux-3.1.5.tar.sign

You will get this:

gpg: Signature made Friday 09 December 2011 10:46:46 PM IST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

A “Good” signature shows that the file matches what was signed, so it has not been tampered with. The signature can also come back as “Bad”: this may be because the file is corrupted or was not downloaded completely. But note the warning. You still need to verify that the key used really belongs to the person who made the release, in this case Greg Kroah-Hartman. This can be done in two ways: either follow the Web of Trust used in PGP, or go through the list of people who have signed the person’s key (using the command gpg --list-sigs) and contact them to check that they really signed it and someone else did not fake it. Only then can you say that the signature on the Linux kernel is genuine.
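The whole check, as an added example that is not part of the original post: a throwaway signing key in an isolated keyring stands in for the release signer, a detached .sign file is made for a stand-in tarball, and gpg --verify is run against the untouched file and against a copy with one extra byte. The last function pins the signer's primary-key fingerprint from gpg's machine-readable status output, which is the check the warning above is asking for: a "Good" signature alone says nothing about who signed. The identity signer@example.invalid, the file names and the file contents are constructed; GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GnuPG >= 2.1.
# The signer identity, file names and contents are constructed for the demo.
set -e

# Isolated keyring so nothing here touches ~/.gnupg.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Stand-in for the release signer: a passphrase-less key (demo only).
make_signer() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Release Signer (demo) <signer@example.invalid>' default default never
}

# Fingerprint of the signer's primary key: the value you verify out of band.
signer_fingerprint() {
    gpg --batch --with-colons --list-keys signer@example.invalid \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Publish a "release": a tarball stand-in plus a detached .sign file, as kernel.org does.
make_release() {
    printf 'stand-in for linux-3.1.5.tar\n' > "$GNUPGHOME/release.tar"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$GNUPGHOME/release.tar.sign" "$GNUPGHOME/release.tar"
}

# gpg --verify <sig> <file>: exit 0 on "Good signature", non-zero on "BAD signature".
verify_file() {
    gpg --batch --quiet --verify "$GNUPGHOME/release.tar.sign" "$1" 2>/dev/null
}

# A Good signature only proves the file matches the signature. To know who signed,
# read the VALIDSIG status line and compare its primary-key fingerprint (last field)
# with the fingerprint you trust.
verify_file_pinned() {   # $1 = file, $2 = expected primary fingerprint
    actual=$(gpg --batch --status-fd 1 --verify "$GNUPGHOME/release.tar.sign" "$1" 2>/dev/null \
        | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# ok when the untouched file verifies and a copy with one extra byte does not.
tamper_demo() {
    verify_file "$GNUPGHOME/release.tar" || return 1
    cp "$GNUPGHOME/release.tar" "$GNUPGHOME/tampered.tar"
    printf 'x' >> "$GNUPGHOME/tampered.tar"
    if verify_file "$GNUPGHOME/tampered.tar"; then return 1; fi
    return 0
}

# ok when pinning accepts the real fingerprint and rejects a wrong one.
pin_demo() {
    fpr=$(signer_fingerprint)
    verify_file_pinned "$GNUPGHOME/release.tar" "$fpr" || return 1
    if verify_file_pinned "$GNUPGHOME/release.tar" 0000000000000000000000000000000000000000; then return 1; fi
    return 0
}

SETUP=$(make_signer && make_release && echo ok || echo fail)
TAMPER_DEMO=$(tamper_demo && echo ok || echo fail)
PIN_DEMO=$(pin_demo && echo ok || echo fail)
echo "setup: $SETUP, tamper detected: $TAMPER_DEMO, fingerprint pinning: $PIN_DEMO"
gpgconf --kill gpg-agent >/dev/null 2>&1 || true
```

Run it as-is; it prints "setup: ok, tamper detected: ok, fingerprint pinning: ok" and stops the gpg-agent it started. For a real release you would compare the fingerprint in the status line with one obtained from a trusted source, not with one you just generated yourself.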

Reference : http://www.kernel.org/signature.html


Gpg key pair generation

A week ago, I learnt how to create a key pair (public key and private key) using gpg. I thought I’d blog about it. This blog post is a tutorial on how to do exactly that. It is extremely simple.

All that you have to do is to open up a terminal and run the command:

savita@Amrita:~$ gpg --gen-key
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name:
Real name: Savita TS
Email address: savita.seetaraman5@gmail.com
Comment: Gpg Key-Pair Generation
You selected this USER-ID:
"Savita TS (Gpg Key-Pair Generation) <savita.ts@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

You now get a pop-up asking you to enter the passphrase. Enter a secure one.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 118 more bytes)
.+++++
.....+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
+++++
gpg: key 3D4F13E9 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
pub   2048R/3D4F13E9 2013-01-17
Key fingerprint = 7DEF 17A4 D20B E290 BF7D  6D33 D7ED 37EF 3D4F 13E9
uid                  Savita TS (Gpg Key-Pair Generation) <savita.ts@gmail.com>
sub   2048R/9646B948 2013-01-17

Bingo! You’ve just created your key pair. Now you need to export the public key. 😀

Exporting the key:

savita@Amrita:~$ gpg --export savita > public_key.gpg

If you open this file, you see binary gibberish. If you want the key in ASCII format, execute the following command instead; it adds one more argument, --armor:

savita@Amrita:~$ gpg --armor --export savita > public_key_ascii.gpg

Importing others’ key

If you want to import other people’s public keys, this is what you have to do:

savita@Amrita:~$ gpg --import <filename>

where filename is the name of the file that contains the key.

Now we get to the encryption and decryption part.

Encrypting a file using the public key:

You can now encrypt files with the keys you have set up. If you want to send a message to xyz, you first encrypt message (the file containing the text you want to deliver) to xyz's public key. This is what you do:

savita@Amrita:~$ gpg --recipient xyz --encrypt message

Decrypting a file using the private key:

Suppose that you receive a message that the sender encrypted to your public key (imagine yourself in the shoes of xyz, who has just received the message you sent earlier) and you want to decrypt it. You do so using your private key. You need to do the following:

savita@Amrita:~$ gpg --decrypt message.asc

The .asc suffix denotes that the contents of the file are in ASCII (armored) format. You will now be asked for the passphrase:

savita@Amrita:~$ gpg --decrypt message.asc
You need a passphrase to unlock the secret key for user: "savita (Gpg Key-Pair Generation) "
2048-bit ELG-E key, ID 35C5BCDB, created 2010-01-02 (main key ID 90130E51)
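The export, import, encrypt and decrypt steps above, run end to end as an added example (not code from the original post) between two people who each have their own keyring: Alice exports her armored public key, Bob imports it and encrypts a message to her, Alice decrypts it with her private key, and Bob, who holds only her public key, is shown to be unable to read what he just encrypted. The names, addresses, message text and directory layout are constructed; GnuPG 2.1 or later is assumed, and the keys are created without a passphrase so the script runs unattended (a real key should have one, as the post says).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GnuPG >= 2.1.
# Alice, Bob, their addresses and the message are constructed for the demo.
set -e

WORK=$(mktemp -d)

# One isolated keyring per person, holding a passphrase-less key (demo only).
new_keyring() {           # $1 = keyring directory, $2 = user id
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never
}

# gpg --armor --export: the public key as ASCII text, safe to paste or mail.
export_public_key() {     # $1 = keyring, $2 = user id, $3 = output file
    GNUPGHOME="$1" gpg --batch --armor --export "$2" > "$3"
}

# gpg --import <filename>: add someone else's public key to your keyring.
import_public_key() {     # $1 = keyring, $2 = key file
    GNUPGHOME="$1" gpg --batch --quiet --import "$2"
}

# gpg --recipient <who> --encrypt <file>, armored so the result is a .asc text file.
# --trust-model always skips the "key not certified" refusal that --batch would
# otherwise hit on a freshly imported key; in real use you certify the key instead.
encrypt_to() {            # $1 = keyring, $2 = recipient, $3 = plaintext, $4 = ciphertext
    GNUPGHOME="$1" gpg --batch --quiet --armor --trust-model always \
        --recipient "$2" --output "$4" --encrypt "$3"
}

# gpg --decrypt message.asc: only the holder of the matching private key succeeds.
decrypt_with() {          # $1 = keyring, $2 = ciphertext; prints the plaintext
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$2" 2>/dev/null
}

# ok when the armored files look right, Bob cannot decrypt, and Alice recovers the text.
round_trip() {
    alice="$WORK/alice"; bob="$WORK/bob"
    new_keyring "$alice" 'Alice (demo) <alice@example.invalid>'
    new_keyring "$bob"   'Bob (demo) <bob@example.invalid>'

    export_public_key "$alice" alice@example.invalid "$WORK/alice_public.asc"
    head -n 1 "$WORK/alice_public.asc" | grep -q 'BEGIN PGP PUBLIC KEY BLOCK' || return 1
    import_public_key "$bob" "$WORK/alice_public.asc"

    printf 'meet at noon\n' > "$WORK/message"
    encrypt_to "$bob" alice@example.invalid "$WORK/message" "$WORK/message.asc"
    head -n 1 "$WORK/message.asc" | grep -q 'BEGIN PGP MESSAGE' || return 1

    # Bob holds Alice's public key only, so he cannot read what he encrypted.
    if decrypt_with "$bob" "$WORK/message.asc" >/dev/null; then return 1; fi
    # Alice's private key is the one that opens it.
    [ "$(decrypt_with "$alice" "$WORK/message.asc")" = 'meet at noon' ]
}

ROUND_TRIP=$(round_trip >/dev/null 2>&1 && echo ok || echo fail)
echo "encrypt/decrypt round trip: $ROUND_TRIP"
for d in "$WORK/alice" "$WORK/bob"; do
    GNUPGHOME="$d" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
done
```

The script keeps each person's key material in its own directory under a temporary path, which is also the cleanest way to try the commands from the post without touching your real ~/.gnupg.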

References:
This site helped me out a lot. But for this site, I would not have been able to complete this assignment.