Re: Need help with PGP signature verification
On Sun, Oct 8, 2023 at 14:39 Thomas Schmitt wrote:
> Hi,

Thanks, Thomas. I did get the signers' key fingerprints from their personal GitHub pages.

I would go the full security route if it were only my use I'm concerned with, but I'm working on a Raku module for others and I don't want them to be held up by having to fumble with key trust before at least downloading the files with a first-order check with data I can provide.

I'll make sure to document exactly what I'm providing.

Best regards,

-Tom
Re: Need help with PGP signature verification
"Thomas Schmitt" wrote: > Hi, > > Tom Browder wrote: > > I'm willing to trust published PGP key fingerprints for signers of > > Rakudo downloadable files. > > Do i get it right that you talk about https://rakudo.org/downloads ? > > > Question: How can I get the fingerprint from the downloads? > > The products I download are (1) the file of interest, (2) a PGP > > signed checksums file with various shaX hashes for the file, and > > (3) a separate file containing a PGP signature. > > The "Verify" button at above web page leads to > https://rakudo.org/downloads/verifying > which explains how to use sha256 and gpg2 for verification. > Most importantly it lists the fingerprints of the four "Keys of the > releasers". If gpg2 --verify reports any other fingerprint, then > the .asc file cannot be trusted. > > (It is not overly trustworthy that fingerprints and the signed files > are offered on the same web site. Once the site is compromised, both > can be manipulated by the attacker.) That's why the page suggests that the developers' also list their fingerprints on their github pages, I suspect. Which they do.
Re: Need help with PGP signature verification
Hi,

Tom Browder wrote:
> I found a usable answer. Run "gpg file.asc" and the output shows the two
> fingerprints: the primary key fingerprint and the subkey fingerprint.

Wow, that's surprising. But indeed the man page says:

  COMMANDS
  ...
  gpg may be run with no commands, in which case it will perform a
  reasonable action depending on the type of file it is given as input
  (an encrypted message is decrypted, a signature is verified, a file
  containing keys is listed).

Have a nice day :)

Thomas
Re: Need help with PGP signature verification
On Sun, Oct 8, 2023 at 05:13 Tom Browder wrote:
> On Sun, Oct 8, 2023 at 3:29 AM DdB wrote:
> > On 08.10.2023 at 01:16, Tom Browder wrote:
> > > I'm willing to trust published PGP key fingerprints for signers of
> > > Rakudo downloadable files.
> > > Question: How can I get the fingerprint from the downloads?

I found a usable answer. Run "gpg file.asc" and the output shows the two fingerprints: the primary key fingerprint and the subkey fingerprint.

I wish there was a PGP cookbook around somewhere.

Thanks, all.

-Tom
Re: Need help with PGP signature verification
Hi,

maybe

  gpg --keyid-format long --verify signature_file.asc /some/dummy/file

This gives me the last 16 characters of the fingerprint. Like:

  gpg: using key E9CBDFC0ABC0A854

With a matching payload file I get something like:

  Primary key fingerprint: 44BC 9FD0 D688 EB00 7C4D D029 E9CB DFC0 ABC0 A854

Have a nice day :)

Thomas
Re: Need help with PGP signature verification
On Oct 08, 2023, Tom Browder wrote:
> On Sun, Oct 8, 2023 at 3:29 AM DdB wrote:
> > On 08.10.2023 at 01:16, Tom Browder wrote:
> > > I'm willing to trust published PGP key fingerprints for signers of
> > > Rakudo downloadable files.
> > > Question: How can I get the fingerprint from the downloads?
> > There is more than just one way to achieve this, first result from
>
> I should have been more specific. I have the following:
>
> -----BEGIN PGP SIGNATURE-----
>
> iHUEABYKAB0WIQTdpb2j9c3OmfntVsEsxulzgY84awUCZQ1GBgAKCRAsxulzgY84
> a+jhAQCZ0lLh1EnB1AwrgW0zPBp801OOeJ2QUiDBOGXBbrl/7QD/ZQe738sF2tCR
> 43SAvJOfT3b4YpGdfSUj9F7XNDoovQM=
> =mNqK
> -----END PGP SIGNATURE-----
>
> I need the fingerprint from that to compare with the fingerprints I
> know from GitHub to see if it's from the same key.

No, you just need the key(s) from the developer(s). Assuming you've not accidentally tampered with the files, you'll be able to verify this signature with a command like "gpg --verify shasum.txt.gpg shasum.txt". You'll get a message to the effect of

  Signature made [some-date-here] using RSA Key [fingerprint-here]
  Good signature from "Some Person's GPG Key Name"

NOTE -- you MAY also receive some lines to the effect of

  WARNING: This key is not trusted, the authenticity of the signature cannot be verified.

As with checking a Debian ISO (or other Linux distro that uses this style of verification), this is nothing to be worried about; it's just GPG informing you that it doesn't have any information as to whether you actually "trust" the key (either through you explicitly signing / trusting the key, or trust being derived through the GPG Web of Trust). It's roughly the GPG equivalent of a web browser going "WARNING - Self Signed Certificate".

Anyway, once you're done with this, then you know the sha256 checksum file is the one the developers intended you to get, and you can use it to check the *iso file. Probably something like "sha256sum --ignore-missing -c sha256sum.txt"

HTH :)

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
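The two-step check Dan describes above (verify the signature on the checksums file, then hash the download against it), with the second step written out as an added example; this is not code from the thread or from Rakudo. It reads a coreutils-style checksums file, keeps the strongest digest listed for each file, ignores MD5/SHA-1 entries, and compares in constant time. The sample file contents and the checksums text built from them are constructed, and the code assumes the checksums file has already passed gpg --verify, which is the only thing that makes its contents worth checking against.

```python
"""Check downloaded files against a checksums file, as "sha256sum -c" does.

Added example, not code from this thread or from Rakudo. It assumes the
checksums file has ALREADY passed "gpg --verify": its digests are exactly as
trustworthy as the signature on it, no more. SAMPLE_FILES and the checksums
text built from them are constructed, not real release data."""
import hashlib
import hmac
import re

# Hex-digest length -> algorithm. MD5 (32) and SHA-1 (40) are deliberately
# absent so a checksums file can never downgrade the check to a broken hash.
ALGO_BY_HEXLEN = {64: "sha256", 96: "sha384", 128: "sha512"}

# coreutils line format: "<hex>  <name>" (text mode) or "<hex> *<name>" (binary)
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")

# Constructed stand-ins for two downloaded release archives.
SAMPLE_FILES = {
    "example-release.tar.gz": b"constructed tarball bytes, not a real release\n",
    "example-release.zip": b"constructed zip bytes, not a real release\n",
}


def build_sample_checksums():
    """Constructed checksums text: an MD5 line the parser must ignore, SHA-256
    and SHA-512 for the same file (the stronger one must win), a binary-mode
    entry, and an entry for a file that was never downloaded."""
    tar, zipped = SAMPLE_FILES["example-release.tar.gz"], SAMPLE_FILES["example-release.zip"]
    return "\n".join([
        "# constructed sample, not a real Rakudo checksums file",
        "d41d8cd98f00b204e9800998ecf8427e  example-release.tar.gz",
        f"{hashlib.sha256(tar).hexdigest()}  example-release.tar.gz",
        f"{hashlib.sha512(tar).hexdigest()}  example-release.tar.gz",
        f"{hashlib.sha256(zipped).hexdigest()} *example-release.zip",
        f"{hashlib.sha256(b'never fetched').hexdigest()}  example-other.tar.gz",
    ])


def parse_checksums(text):
    """Return {filename: (algorithm, hexdigest)}, keeping the strongest digest
    listed for each name and dropping lines whose algorithm is unsupported."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                  # comments, blank lines, armor, garbage
        digest, name = m.group(1).lower(), m.group(2).strip()
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None:
            continue                  # MD5/SHA-1 entries are treated as absent
        if name not in entries or len(digest) > len(entries[name][1]):
            entries[name] = (algo, digest)
    return entries


def check_file(name, data, entries):
    """Return "OK", "FAILED" or "UNLISTED" for one downloaded file's bytes."""
    if name not in entries:
        return "UNLISTED"             # nothing vouches for this file at all
    algo, expected = entries[name]
    actual = hashlib.new(algo, data).hexdigest()
    return "OK" if hmac.compare_digest(actual, expected) else "FAILED"


def verify_downloads(checksums_text, files):
    """Status per downloaded file, plus the listed names that were not
    downloaded (the ones "sha256sum --ignore-missing" stays quiet about)."""
    entries = parse_checksums(checksums_text)
    statuses = {name: check_file(name, data, entries) for name, data in files.items()}
    return statuses, sorted(set(entries) - set(files))
```

A single FAILED means the download is not what the signer vouched for and should be discarded; UNLISTED means the signed file says nothing about it, which is just as bad for an artifact you intend to run.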
Re: Need help with PGP signature verification
On Sun, Oct 8, 2023 at 3:29 AM DdB wrote:
> On 08.10.2023 at 01:16, Tom Browder wrote:
> > I'm willing to trust published PGP key fingerprints for signers of
> > Rakudo downloadable files.
> > Question: How can I get the fingerprint from the downloads?
> There is more than just one way to achieve this, first result from

I should have been more specific. I have the following:

-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQTdpb2j9c3OmfntVsEsxulzgY84awUCZQ1GBgAKCRAsxulzgY84
a+jhAQCZ0lLh1EnB1AwrgW0zPBp801OOeJ2QUiDBOGXBbrl/7QD/ZQe738sF2tCR
43SAvJOfT3b4YpGdfSUj9F7XNDoovQM=
=mNqK
-----END PGP SIGNATURE-----

I need the fingerprint from that to compare with the fingerprints I know from GitHub to see if it's from the same key.

I think using openssl might be the easiest, but all the tools seem to have a huge number of options and a vocabulary that's very malleable.

Thanks.

-Tom
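To answer the question in the message above in code: the following is an added example, not code from the thread, from GnuPG or from Rakudo. It decodes the armored signature Tom pasted, walks the signature packet's subpackets and reports the issuer fingerprint and key ID, which are the values gpg prints as "using ... key ...". The TRUSTED_FINGERPRINTS set is a constructed stand-in for the fingerprints copied from the releasers' GitHub pages and makes no claim about whose key this is.

```python
"""Read the issuer fingerprint out of a detached OpenPGP signature.

Added example, not code from this thread, GnuPG or Rakudo: it parses just
enough of RFC 4880 / RFC 9580 to pull the Issuer Fingerprint (subpacket 33)
and Issuer key ID (subpacket 16) out of a v4 signature, i.e. what
"gpg --verify" prints as "using ... key ...". TRUSTED_FINGERPRINTS is a
constructed placeholder, not a claim about who owns the key below."""
import base64
import struct
from datetime import datetime, timezone

# The detached signature Tom pasted in the thread, copied verbatim.
SIGNATURE_ASC = """\
-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQTdpb2j9c3OmfntVsEsxulzgY84awUCZQ1GBgAKCRAsxulzgY84
a+jhAQCZ0lLh1EnB1AwrgW0zPBp801OOeJ2QUiDBOGXBbrl/7QD/ZQe738sF2tCR
43SAvJOfT3b4YpGdfSUj9F7XNDoovQM=
=mNqK
-----END PGP SIGNATURE-----
"""
# Constructed allow-list standing in for fingerprints copied from GitHub.
TRUSTED_FINGERPRINTS = {"DDA5BDA3F5CDCE99F9ED56C12CC6E973818F386B"}


def dearmor(text):
    """Strip the ASCII armor. The "=mNqK" line is the armor CRC-24, a transport
    checksum with no security value, so it is skipped rather than verified."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP SIGNATURE-----"):
        raise ValueError("not an armored PGP signature")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP SIGNATURE-----"):
            break
        if not in_body:                      # armor headers end at a blank line
            in_body = line.strip() == ""
        elif not line.startswith("="):       # "=xxxx" is the CRC line
            body.append(line.strip())
    return base64.b64decode("".join(body))


def read_packet(data):
    """Return (tag, body) of the first packet, old- or new-format header."""
    first = data[0]
    if first & 0xC0 == 0xC0:                 # new-format header
        tag, n = first & 0x3F, data[1]
        if n < 192:
            length, off = n, 2
        elif n < 224:
            length, off = ((n - 192) << 8) + data[2] + 192, 3
        else:                                # 255; partial body lengths not handled
            length, off = struct.unpack(">I", data[2:6])[0], 6
    elif first & 0x80:                       # old-format header (length type 3 never occurs for signatures)
        tag, fmt = (first >> 2) & 0x0F, {0: ">B", 1: ">H", 2: ">I"}[first & 0x03]
        off = 1 + struct.calcsize(fmt)
        length = struct.unpack(fmt, data[1:off])[0]
    else:
        raise ValueError("invalid packet header")
    return tag, data[off:off + length]


def iter_subpackets(area):
    """Yield (type, data) per subpacket; bit 7 of the type is the critical flag."""
    i = 0
    while i < len(area):
        n = area[i]
        if n < 192:
            length, i = n, i + 1
        elif n < 255:
            length, i = ((n - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length


def parse_signature(raw):
    """Algorithm ids, creation time and issuer info from a v4 signature packet."""
    tag, body = read_packet(raw)
    if tag != 2 or body[0] != 4:                           # tag 2 = signature packet
        raise ValueError("not a v4 signature packet")
    p = 6 + struct.unpack(">H", body[4:6])[0]              # end of hashed area
    q = p + 2 + struct.unpack(">H", body[p:p + 2])[0]      # end of unhashed area
    info = {"pk_alg": body[2], "hash_alg": body[3], "fingerprint": None, "key_id": None, "created": None}
    for t, d in list(iter_subpackets(body[6:p])) + list(iter_subpackets(body[p + 2:q])):
        if t == 33:                                        # Issuer Fingerprint; d[0] is the key version
            info["fingerprint"] = d[1:].hex().upper()
        elif t == 16:                                      # Issuer (64-bit key ID)
            info["key_id"] = d.hex().upper()
        elif t == 2:                                       # Signature Creation Time
            info["created"] = datetime.fromtimestamp(struct.unpack(">I", d)[0], timezone.utc)
    return info


def first_order_check(armored, trusted):
    """Is the fingerprint the signature *claims* on the trusted list? The issuer
    subpackets are written by whoever made the signature, so a hit only tells
    you which public key to fetch for "gpg --verify"; it never replaces it."""
    info = parse_signature(dearmor(armored))
    fpr = info["fingerprint"]
    if fpr is None:   # old signatures carry only the 64-bit key ID, too short to trust as identity
        return False, f"no issuer fingerprint subpacket; key ID {info['key_id']}"
    if fpr not in trusted:
        return False, f"issuer fingerprint {fpr} is not in the trusted list"
    return True, fpr
```

Whatever this returns, it only narrows down which public key to import: the issuer subpackets are unauthenticated until the signature itself verifies, so gpg --verify against the checksums file is still the step that matters. Signatures made by older keys or software may carry only the 16-hex-digit key ID, and the check refuses to match on that alone, because 64 bits is not enough to identify a key.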
Re: Need help with PGP signature verification
Hi,

Tom Browder wrote:
> I'm willing to trust published PGP key fingerprints for signers of Rakudo
> downloadable files.

Do I get it right that you talk about https://rakudo.org/downloads ?

> Question: How can I get the fingerprint from the downloads?
> The products I download are (1) the file of interest, (2) a PGP signed
> checksums file with various shaX hashes for the file, and (3) a separate
> file containing a PGP signature.

The "Verify" button at above web page leads to

  https://rakudo.org/downloads/verifying

which explains how to use sha256 and gpg2 for verification. Most importantly it lists the fingerprints of the four "Keys of the releasers". If gpg2 --verify reports any other fingerprint, then the .asc file cannot be trusted.

(It is not overly trustworthy that fingerprints and the signed files are offered on the same web site. Once the site is compromised, both can be manipulated by the attacker.)

Have a nice day :)

Thomas
Re: Need help with PGP signature verification
On 08.10.2023 at 01:16, Tom Browder wrote:
> I'm willing to trust published PGP key fingerprints for signers of
> Rakudo downloadable files.
>
> Question: How can I get the fingerprint from the downloads?
>
> The products I download are (1) the file of interest, (2) a PGP signed
> checksums file with various shaX hashes for the file, and (3) a separate
> file containing a PGP signature.
>
> Thanks so much.
>
> -Tom

There is more than just one way to achieve this; the first result from a G**-search returns:

  https://superuser.com/questions/1297670/how-do-i-check-gpg-signature-given-only-the-fingerprint-and-key-id

which also contains security-related warnings and hints.

HTH,
DdB
Need help with PGP signature verification
I'm willing to trust published PGP key fingerprints for signers of Rakudo downloadable files.

Question: How can I get the fingerprint from the downloads?

The products I download are (1) the file of interest, (2) a PGP signed checksums file with various shaX hashes for the file, and (3) a separate file containing a PGP signature.

Thanks so much.

-Tom