[How-To] Using GnuPG to verify data using detached signatures

related

3 minute read

GnuPG logo

Many software downloads come with a signature file. You normally need to download this signature file separately. Signatures are a great way to let people know that you are the person / company that is making the software available, and that no one else has changed the data since its release.

Tails linux ISO and signature download links with SHA256 checksum
Fig 1: Tails ISO and signature file download
We are going to use Tails Linux as an example. On their download page, you will find a link to download the Tails ISO image. This is the data we are interested in running. Think of it like the main program that we want to install / use.

Next, we are given a link to the "Tails 1.4 signature". This is signature file that the distributor created. With this signature we can verify that the Tails ISO Image has not been modified by anyone else.

Tails also provides a "SHA256 Checksum". This is a less-rigorous way than signatures to verify the data has not changed.

First, download the ISO file AND the signature file. The signature file will almost always end with ".sig". Make sure both files are in the same directory.


Once you had both files, open the command line / terminal and navigate to that directory. Next we need to use gpg to verify the signature. If we try to verify now, we may get the following results:

gpg2 --verify tails-i386-1.4.iso.sig gpg: assuming signed data in 'tails-i386-1.4.iso'
gpg: Signature made Tue 12 May 2015 02:56:27 AM KST using RSA key ID 752A3DB6
gpg: Can't check signature: No public key

In this case, we also need to get the public key of the person that created the signature. From the tails website, I find the ID of their signing key, so now we need to import.

gpg2 --recv-keys A490D0F4D311A4153E2BB7CADBB802B258ACD84F
gpg: key 58ACD84F: public key "Tails developers (offline long-term identity key) " imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2017-01-09
gpg: Total number processed: 1
gpg: imported: 1

Make sure we have the right key:

gpg2 --list-keys
pub rsa4096/58ACD84F 2015-01-18 [expires: 2016-01-11]
uid [ unknown] Tails developers (offline long-term identity key)
sub rsa4096/752A3DB6 2015-01-18 [expires: 2016-01-11]
sub rsa4096/2F699C56 2015-01-18 [expires: 2016-01-11]

Now verify the signature again:

gpg2 --verify tails-i386-1.4.iso.sig gpg: assuming signed data in 'tails-i386-1.4.iso'
gpg: Signature made Tue 12 May 2015 02:56:27 AM KST using RSA key ID 752A3DB6
gpg: Good signature from "Tails developers (offline long-term identity key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F
Subkey fingerprint: BA2C 222F 44AC 00ED 9899 3893 98FE C6BC 752A 3DB6

Here we can see when the signature was made, and the ID of that key. Next we see "Good signature" which means that the signature does verify the data.

Remember, we were given the SHA256 value of the ISO file. Get the SHA256 hash with the following command (linux):

sha256sum tails-i386-1.4.iso
339c8712768c831e59c4b1523002b83ccb98a4fe62f6a221fee3a15e779ca65d tails-i386-1.4.iso

Now can can compare this hash value to the one on the website, and we see that they are the same.

If I can just check the hash value, why verify with a signature?

Hash values do allow you to make sure that the data has not changed, however, there are a number of weaknesses. For example, someone intercepting your network traffic could deliver the web page to you with an altered ISO link AND an altered hash value on the page. This means that the hash value will be valid, but the source of the information cannot be trusted.

Signatures help this in a number of ways. Because the signature is generated by a developer's private key, and we are verifying it with their public key, it is nearly impossible for someone to pretend to be the developer. Also, since we did not download the public key from the webpage, but looked it up on a different server, it is slightly more difficult for someone to trick us into download the wrong key. Further, we can try to use the Web of Trust to make sure we are getting the right key. In our case, we can see who has signed this key by going to a keyserver checking.

Leave a Comment