Could not find pgp key for signed downloaded software
Facts - Other software technologies
Saturday, 07 August 2010 07:47

Recently I downloaded software that was signed with a PGP key. I always validate the signature of downloaded software to prevent malware from being installed.

To do this you can use GNU Privacy Guard (GnuPG, invoked as gpg) from a bash shell. First you import the author's public key, then you verify the detached signature (the .asc file) against the downloaded file. Example:

bash-3.2$ gpg --import snakeyaml.txt
gpg: key CFCF8216: public key "A... S... (SnakeYAML) <p..._at_gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
bash-3.2$ gpg --verify snakeyaml-1.6.jar.asc  snakeyaml-1.6.jar
gpg: Signature made 03/08/10 15:40:28 using DSA key ID CFCF8216
gpg: Good signature from "A... S... (SnakeYAML) <p..._at_gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BB2C 3C76 3F37 A1F1 5A2E  DE90 99EA EDDE CFCF 8216
bash-3.2$ 

In this case the problem was that I could not find the PGP public key. So I logged an issue, and the author of the downloaded software told me that this key can be found at http://pgp.mit.edu/.

On this server everybody can upload keys, and the server is searchable, so it is easy to find someone's key. For the same reason, finding a key there does not prove that it belongs to the author: anybody can upload a key carrying someone else's name and email address. That is also what the "WARNING: This key is not certified with a trusted signature!" in the output above is telling you. "Good signature" only means the file has not been modified since the holder of key CFCF8216 signed it. To know that this holder is really the author, compare the fingerprint printed on the last line with one the author publishes through another channel (the project website, a release announcement, or the issue tracker, as in this case).
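The following script is an added example and is not from the original post, from GnuPG, or from the SnakeYAML project. It automates the import-and-verify procedure shown above and adds the check that the keyserver cannot provide: the fingerprint of the signing key is pinned to a value obtained out of band, so a "Good signature" from a look-alike key uploaded by someone else is rejected. The helper names (`verify_release`, `run_demo`), the throwaway key, the "Demo Signer" identity and the stand-in artifact are all constructed for this demonstration; the `[GNUPG:] GOODSIG` and `[GNUPG:] VALIDSIG` status lines it parses are GnuPG's documented machine-readable output (`--status-fd`).

```shell
#!/bin/sh
# verify_release -- check a detached OpenPGP signature AND pin the signer's fingerprint.
# Hypothetical helper written for this post; not part of GnuPG or of SnakeYAML.
#
# Usage: verify_release <file> <file.asc> <expected-primary-fingerprint>
# Returns 0 only if gpg reports a good signature made by a key whose primary key
# fingerprint equals the one you obtained out of band (project page, announcement, ...).
# This replaces the web-of-trust check that produces gpg's "not certified" WARNING.
verify_release() {
    file=$1
    sig=$2
    expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')   # normalise "BB2C 3C76 ..." -> "BB2C3C76..."
    # --status-fd 1 prints machine-readable "[GNUPG:] ..." lines on stdout; human text is discarded.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # GOODSIG: the signature matches the file (a BADSIG means the file was altered after signing).
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv> <pk-algo> <hash> <class> <primary-key-fpr>
    actual=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF}')
    [ "$actual" = "$expected" ]
}

# run_demo builds a throwaway keyring, signs a constructed artifact and exercises
# verify_release three ways. Prints "ok" when all outcomes are as expected,
# "skipped" when gpg is not installed, otherwise a FAIL line. Always exits 0.
run_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    tmp=$(mktemp -d) || { echo "FAIL: mktemp"; return 0; }
    export GNUPGHOME="$tmp"
    chmod 700 "$tmp"
    echo allow-loopback-pinentry > "$tmp/gpg-agent.conf"   # lets --passphrase '' work on older 2.1.x
    # Ephemeral, passphrase-less signing key -- constructed for this demo only.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer (constructed example) <demo@example.invalid>' ed25519 sign never \
        >/dev/null 2>&1 || { echo "FAIL: keygen"; rm -rf "$tmp"; unset GNUPGHOME; return 0; }
    # The fingerprint we "pin". In real life this comes from the author, never from the keyserver.
    fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null | awk -F: '/^fpr:/{print $10; exit}')
    printf 'constructed stand-in for snakeyaml-1.6.jar\n' > "$tmp/release.jar"
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' --armor \
        --detach-sign --output "$tmp/release.jar.asc" "$tmp/release.jar" \
        >/dev/null 2>&1 || { echo "FAIL: sign"; rm -rf "$tmp"; unset GNUPGHOME; return 0; }

    result=ok
    # 1. genuine file, genuine signature, correct pinned fingerprint -> accept
    verify_release "$tmp/release.jar" "$tmp/release.jar.asc" "$fpr" || result="FAIL: genuine rejected"
    # 2. good signature, but pinned to the fingerprint quoted in the post (a different key) -> reject
    if verify_release "$tmp/release.jar" "$tmp/release.jar.asc" 'BB2C 3C76 3F37 A1F1 5A2E  DE90 99EA EDDE CFCF 8216'; then
        result="FAIL: wrong fingerprint accepted"
    fi
    # 3. artifact modified after signing -> reject (gpg reports BADSIG)
    printf 'x' >> "$tmp/release.jar"
    if verify_release "$tmp/release.jar" "$tmp/release.jar.asc" "$fpr"; then
        result="FAIL: tampered file accepted"
    fi
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$tmp"
    unset GNUPGHOME
    echo "$result"
}
```

To use `verify_release` on a real download, import the key from the keyserver as in the transcript above and pass the fingerprint the author published, for example `verify_release snakeyaml-1.6.jar snakeyaml-1.6.jar.asc 'BB2C 3C76 3F37 A1F1 5A2E  DE90 99EA EDDE CFCF 8216'`. The check is deliberately on the primary key fingerprint rather than the short key ID (CFCF8216): short IDs are only 32 bits and a colliding key can be generated and uploaded to the same keyserver.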

Apart from using such a key to verify signatures, it can also be used to send encrypted messages, for example by email, to anyone who has uploaded their key to this server. Just search for the recipient's public key on the server and encrypt the message with it; the same fingerprint check applies, since anybody can upload a key under someone else's name. The only disadvantage is that anyone uploading a public key exposes their email address, which can attract spam. This is unavoidable, since the whole idea of verifying a signature is that the identity of the software's author can be verified.