On Sep 25, 2008, at 12:45, Klaus Heinrich Kiwi wrote:
> How can I verify the PGP signature for say, krb5-1.6.3-signed.tar? Are
> there simple steps that I can take to do that?
>
> I'm actually trying to document it for a customer.


Tom Yu's PGP key was used to sign that. His public key should be
available from the PGP key servers.

It depends on the specific PGP software you use, but something like
this for example:

$ tar xvf krb5-1.6.3-signed.tar
krb5-1.6.3.tar.gz
krb5-1.6.3.tar.gz.asc
$ gpg krb5-1.6.3.tar.gz.asc
gpg: Signature made Mon Oct 22 17:04:31 2007 EDT using RSA key ID F376813D
gpg: Good signature from "Tom Yu "
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58 3F 21 5C C8 5C C4 55 24

If the source tar file or signature is modified or corrupted, you'll
get a different message out:

$ echo malware > krb5-1.6.3.tar.gz
$ gpg krb5-1.6.3.tar.gz.asc
gpg: Signature made Mon Oct 22 17:04:31 2007 EDT using RSA key ID F376813D
gpg: BAD signature from "Tom Yu "
$

So what's to prevent some malware author from creating a key in Tom's
name and signing his own version of the package? Well, nothing; as
usual with PGP, the security depends on the "web of trust" scheme
linking the verifier to Tom. We don't have any mechanism tied in to a
centralized global PKI to verify the integrity of the distribution.

It would be more difficult to duplicate the key ID number and
fingerprint as well, but you still have the question of how to
securely get that info to the customers. Maybe putting it in your
documentation is sufficient?

Ken
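The procedure Ken walks through, as an added worked example (this is not code from the thread or from the MIT Kerberos project): it verifies a detached signature with gpg, shows that a modified tarball gives a BAD signature, and then shows the case he raises at the end, a second key generated under the same name, being rejected because the verifier compares the primary key fingerprint against one pinned out of band (for instance in the customer documentation). It assumes GnuPG 2.1 or newer is installed as "gpg". All keys, the user ID "Release Engineer <release@example.invalid>", the file names and the file contents are constructed here in temporary GNUPGHOME directories, so the fingerprints printed are whatever your run produces, not Tom Yu's.

```sh
#!/bin/sh
# Added example, not from the original thread. Verifies a detached PGP
# signature the way a release consumer should: a good signature is not
# enough, the primary key fingerprint must also match one pinned out of
# band. Assumes GnuPG 2.1+ ("gpg"). Everything lives in throwaway
# GNUPGHOME directories under a temp dir, so your real keyring is untouched.
set -e

command -v gpg >/dev/null 2>&1 || { echo "gpg not found; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
for h in signer impostor verifier; do mkdir -m 700 "$WORK/$h"; done
cleanup() {
  for h in signer impostor verifier; do
    GNUPGHOME="$WORK/$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# Run gpg against one of the three keyrings (signer, impostor, verifier).
g() { _home=$1; shift; GNUPGHOME="$WORK/$_home" gpg --batch --no-tty --quiet "$@"; }

# Create a throwaway, passphrase-less signing key in keyring $1 with user
# ID $2 and print its primary fingerprint (40 hex digits, no spaces).
make_key() {
  g "$1" --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$2" rsa2048 sign never >/dev/null 2>&1
  g "$1" --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}'
}

# Return 0 if SIG is a valid signature over FILE made by the key whose
# primary fingerprint is PINNED; 1 if there is no valid signature at all;
# 2 if the signature is valid but from some other key (same name or not).
verify_release() {  # usage: verify_release FILE SIG PINNED_FPR
  pinned=$(printf '%s' "$3" | tr -d ' ' | tr a-f A-F)   # accept "52 E0 3E ..." style too
  status=$(g verifier --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)
  # VALIDSIG appears only for a good signature; field 12 is the primary key
  # fingerprint (field 3, the signing key's own fingerprint, is the fallback).
  sigfpr=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print ($12!="")?$12:$3; exit}')
  if [ -z "$sigfpr" ]; then
    echo "REJECT: no valid signature on $1"; return 1
  fi
  if [ "$sigfpr" != "$pinned" ]; then
    echo "REJECT: valid signature on $1, but from unpinned key $sigfpr"; return 2
  fi
  echo "OK: $1 signed by pinned key $sigfpr"; return 0
}

UID_STR='Release Engineer <release@example.invalid>'   # constructed identity
RELEASE_FPR=$(make_key signer "$UID_STR")
IMPOSTOR_FPR=$(make_key impostor "$UID_STR")   # same name, entirely different key

# The verifier imports both public keys, e.g. from a keyserver search by
# name. Only the fingerprint tells them apart.
g signer   --armor --export "$RELEASE_FPR"  | g verifier --import 2>/dev/null
g impostor --armor --export "$IMPOSTOR_FPR" | g verifier --import 2>/dev/null

# Constructed stand-in for a release tarball, signed by the real key.
GOOD_TAR="$WORK/krb5-demo.tar.gz"
printf 'pretend this is a release tarball\n' > "$GOOD_TAR"
g signer --pinentry-mode loopback --passphrase '' --armor --detach-sign \
  --output "$GOOD_TAR.asc" "$GOOD_TAR"

# Same tarball modified after signing (the thread's "echo malware" case).
BAD_TAR="$WORK/tampered.tar.gz"
{ cat "$GOOD_TAR"; echo malware; } > "$BAD_TAR"

# A replacement tarball signed by the impostor key bearing the same name.
EVIL_TAR="$WORK/impostor.tar.gz"
echo malware > "$EVIL_TAR"
g impostor --pinentry-mode loopback --passphrase '' --armor --detach-sign \
  --output "$EVIL_TAR.asc" "$EVIL_TAR"

check_genuine()  { verify_release "$GOOD_TAR" "$GOOD_TAR.asc" "$RELEASE_FPR"; }
check_tampered() { verify_release "$BAD_TAR"  "$GOOD_TAR.asc" "$RELEASE_FPR"; }
check_impostor() { verify_release "$EVIL_TAR" "$EVIL_TAR.asc" "$RELEASE_FPR"; }

echo "pinned fingerprint: $RELEASE_FPR"
rc=0; check_genuine  || rc=$?    # OK
rc=0; check_tampered || rc=$?    # REJECT, no valid signature
rc=0; check_impostor || rc=$?    # REJECT, valid but unpinned key
```

The point of the third case is the one Ken makes: gpg is perfectly happy with the impostor's signature, and a verifier that only looks for the words "Good signature" and a familiar name is fooled. What saves the customer is the comparison against a fingerprint they obtained some other way, which is why putting the full fingerprint (not just the 32-bit key ID) in the documentation is the practical answer.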