Verifying the signature of the Linux kernel using gpg

Digital signatures function as the electronic equivalent of handwritten signatures. They can be used to authenticate the source of data as well as to verify its integrity.

Linux kernel releases are signed by the person who makes the release. This signature lets us verify whether the files have been tampered with by an intruder. The signing and verification process uses public-key cryptography.

All Linux kernel releases are cryptographically signed with OpenPGP-compliant signatures. PGP signatures are hard to forge, since an attacker would need the private key of the developer who made the release. We can verify the integrity of a downloaded kernel using GPG.

Step 1:

Fetch the source tarball and its detached signature from kernel.org.

$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.xz
$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.sign

Uncompress the tarball. The signature is made over the uncompressed .tar file, so this step is required before verifying.

$ unxz linux-3.1.5.tar.xz

Step 2:

Verify the signature of the downloaded kernel:

$ gpg --verify linux-3.1.5.tar.sign

Signature made Friday 09 December 2011 10:46:46 PM IST using RSA key ID 6092693E
gpg: Can't check signature: public key not found

Step 3:

To complete the verification, we need to fetch the public key from a PGP keyserver using the RSA key ID we got above, 6092693E.

$ gpg --recv-keys 6092693E
gpg: requesting key 6092693E from hkp server keys.gnupg.net
gpg: /home/sowcat/.gnupg/trustdb.gpg: trustdb created
gpg: key 6092693E: public key "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Step 4:

Now verify the signature again:

$ gpg --verify linux-3.1.5.tar.sign
gpg: Signature made Friday 09 December 2011 10:46:46 PM IST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

The signature is reported as a Good signature. This means that the tarball was signed with the private key matching the public key we fetched earlier, and that it has not been modified since it was signed.
If gpg had instead reported a BAD signature rather than gpg: Good signature from “Greg Kroah-Hartman ...”, possible causes are:
1) An incomplete download
2) A truncated downloaded file
3) A corrupted file

Even though our verification says ‘Good signature’, we still see a warning. This is because we have not verified that the key actually belongs to the person it names, ‘Greg’.
One way of checking is to contact the people who have signed the key and ask them whether the signature can be trusted. We can see the list of signatures by entering the command gpg --list-sigs. Another way is to check the key against the kernel web of trust.

Verifying the authenticity this way is a long task, so it is better to ignore the warning and trust the signature.
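As an added example (not from the original post), the four steps above can be scripted so that a tarball is accepted only when gpg reports a good signature made by the key whose fingerprint you expect. The checker reads gpg's machine-readable status lines (--status-fd); the fingerprint constant is the one gpg printed above, which you should compare against the one published on the kernel.org signature page referenced below rather than against the downloaded files. The verify_tarball wrapper and the status-line handling assume a standard gpg install.

```shell
#!/bin/sh
# Fingerprint of the release signing key, as printed by gpg above (spaces removed).
# Take this value from a trusted source such as the kernel.org signature page,
# not from the downloaded files themselves.
EXPECTED_FPR="647F28654894E3BD457199BE38DBBDC86092693E"

# check_gpg_status: read gpg's machine-readable "[GNUPG:] ..." status lines from
# stdin. Returns 0 for a good signature from the expected key, 1 for a bad or
# missing signature, 2 when the public key is not in the keyring, and 3 when the
# signature is good but was made by a different key than the one expected.
check_gpg_status() {
    expected="$1"; good=0; bad=0; nokey=0; fpr=""; primary=""; trust="unknown"
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG)        good=1 ;;
            VALIDSIG)       fpr="${rest%% *}"; primary="${rest##* }" ;;   # signing key fpr, primary key fpr
            BADSIG|ERRSIG)  bad=1 ;;
            NO_PUBKEY)      nokey=1 ;;
            TRUST_*)        trust="$keyword" ;;   # e.g. TRUST_UNDEFINED, the source of the warning above
        esac
    done
    if [ "$nokey" -eq 1 ]; then
        echo "public key not in keyring; fetch it with gpg --recv-keys" >&2; return 2
    fi
    if [ "$bad" -eq 1 ] || [ "$good" -eq 0 ]; then
        echo "BAD or missing signature: do not use this tarball" >&2; return 1
    fi
    if [ "$fpr" != "$expected" ] && [ "$primary" != "$expected" ]; then
        echo "good signature, but from key $fpr, not the expected key" >&2; return 3
    fi
    echo "good signature from the expected key (gpg trust level: $trust)"
    return 0
}

# verify_tarball: verify NAME.tar against its detached NAME.tar.sign, piping gpg's
# status output (--status-fd 1) into the checker. Usage: verify_tarball linux-3.1.5.tar
verify_tarball() {
    gpg --status-fd 1 --verify "$1.sign" "$1" 2>/dev/null | check_gpg_status "$EXPECTED_FPR"
}
```

The exit code of verify_tarball can gate a build script, so a wrong or missing key stops the pipeline instead of producing only a warning.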

References: http://www.kernel.org/signature.html


One thought on “Verifying the signature of the Linux kernel using gpg”

  1. moonstone May 18, 2013 at 3:50 am Reply

    I definitely took some brand-new information from
    this. I appreciate you setting aside the time and effort to put this stuff together.
    I have to admit, I most likely spent about three hours on your site.
    Absolutely worth the time, however.
