Hi all,

What I'm going to write may be obvious and well-known for many people, but some will still find it useful...

The other day, I downloaded MIT Kerberos 1.5 and wanted to verify the authenticity and the integrity of the tarball. After hours of searching and smashing my head against many obstacles, I did get the proper way to do this, but what I observed is that the MIT Kerberos home web page does not talk about this issue, which was disheartening. :-( Therefore, I'll request the MIT Kerberos guys to put up some guidelines on how to verify the tarball by using the MIT PGP public key. For example, here are my learnings:

How to verify the MIT Kerberos tarball by using the MIT PGP public key

Consider this: You have downloaded any tarball from the MIT web site and now you want to check the authenticity and integrity of the tarball. What do you do? Well, don't scratch your head much. Simply follow this guideline:

1.) Get a gpg command line tool to create/verify PGP-signed contents for your system. (http://www.gnupg.org)

2.) When successfully installed, try to verify your tarball by running this:

    D:\MIT Kerberos>gpg --verify <sign_file> <tarball_name>

At first run, this will give an error (see example that follows). E.g.

    D:\MIT Kerberos>gpg --verify krb5-1.5.tar.gz.asc krb5-1.5.tar.gz
    gpg: Signature made 07/01/06 10:46:09 using RSA key ID F376813D
    gpg: Can't check signature: public key not found

3.) This means, in order to verify any tarball, all you need is the PGP public key of the person who signed that tarball. So either we can use our GPG tool to get the public key OR go to (http://pgp.mit.edu). Here, you can search for the public key you want. To search, use the key ID of the key, displayed in the above error message.

NOTE: You can also use the GnuPG tool to import the key directly from the key server without manually searching, copying and then adding the key yourself. For this use the following command:

    D:\MIT Kerberos>gpg --keyserver pgp.mit.edu --recv-keys 0xF376813D

4.) If you choose to search on the web site, the search will show the listing (type, size, date, userid) of the key with the specified key ID. Click on the key ID hyperlink to get the public key.

5.) Clicking on the hypertext link will display an ASCII-armored version of the public key. So select the text block under the following headings (including the headings!):

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    ....
    ....
    ....
    -----END PGP PUBLIC KEY BLOCK-----

6.) Save the selection in a new text file with extension ".asc" (because the key is ASCII armored).

7.) Now you have the public key of the person who signed your tarball. To add this key to your public key ring, do

    D:\MIT Kerberos>gpg --import <key_file>

E.g.

    D:\MIT Kerberos>gpg --import mit_pub_key_of_tom_yu.asc
    gpg: key F376813D: duplicated user ID detected - merged
    gpg: key F376813D: public key "Tom Yu <[EMAIL PROTECTED]>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u

8.) Once again, run the verification command. Now it will try to verify the tarball. E.g.

    D:\MIT Kerberos\krb5-1.5-signed>gpg --verify krb5-1.5.tar.gz.asc krb5-1.5.tar.gz
    gpg: Signature made 07/01/06 10:46:09 using RSA key ID F376813D
    gpg: Good signature from "Tom Yu <[EMAIL PROTECTED]>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 52 E0 3E E9 38 AE 70 58 3F 21 5C C8 5C C4 55 24

(NOTE: Be ready to see some warnings regarding no certification and/or no belonging of the key. This is acceptable because you did not create a trust path to the MIT PGP key.)

9.) Once your tarball has been verified, you are free to use this. HAPPY UNTARRING!!!

Thanks in advance... You guys really rock.

-Vipin Rathor

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
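As an added example that is not part of Vipin's post or of the MIT Kerberos project: the "Good signature" line in step 8 only proves the tarball was signed by whichever key the keyserver handed back, so a script that automates the check should also pin the expected fingerprint (here assumed to be obtained out of band from the project, not from the keyserver listing) and read gpg's machine-readable status lines instead of its human-readable warnings.

```shell
#!/bin/sh
# check_status reads `gpg --status-fd 1` output on stdin and succeeds only
# if a VALIDSIG line names the pinned fingerprint (as the signing key or as
# the primary key listed in the last field). Spaces/case in the pinned value
# are normalised so the "52 E0 3E ..." form printed by gpg can be pasted in.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                echo "gpg reported a failure: $line" >&2
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # Fields: [GNUPG:] VALIDSIG <fpr> <date> <ts> ... [<primary-fpr>]
                set -- $line
                fpr=$3
                for primary in $line; do :; done   # last word = primary fpr
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    ok=0
                fi ;;
        esac
    done
    [ "$ok" -eq 0 ] || echo "no valid signature from pinned key $expected" >&2
    return "$ok"
}

# verify_tarball <detached.asc> <tarball> <expected-fingerprint>
# --status-fd 1 puts the parseable status lines on stdout; the human-readable
# "Good signature"/"WARNING" text on stderr is discarded on purpose.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Usage: verify.sh krb5-1.5.tar.gz.asc krb5-1.5.tar.gz "<fingerprint>"
if [ "$#" -eq 3 ]; then
    if verify_tarball "$1" "$2" "$3"; then
        echo "OK: $2 carries a valid signature from the pinned key"
    else
        echo "FAILED: do not use $2" >&2
        exit 1
    fi
fi
```

The pinned fingerprint must come from a channel you already trust (the project's web page over HTTPS, a previous release, or a key signed by someone you have verified); pinning the fingerprint shown in the keyserver search result merely restates what the keyserver said.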
