Digital signatures function as the electronic equivalent of handwritten signatures. They can be used to authenticate the source of data as well as verify its integrity.
Linux kernel releases are signed by the person who makes the release. This signature helps us verify whether the files have been tampered with by an intruder. The process of signing and verification uses public-key cryptography.
All Linux kernel releases are cryptographically signed with OpenPGP-compliant signatures. PGP signatures are hard to forge, since the attacker would need the private key of the developer who made the release. We can verify the integrity of the downloaded kernel using GPG.
Fetch the source code and the corresponding signature file from kernel.org.
$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.xz
$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.sign
Uncompress the tar file, since the signature is made over the uncompressed .tar archive.
Verify the signature of the downloaded kernel:
$ gpg --verify linux-3.1.5.tar.sign
Signature made Friday 09 December 2011 10:46:46 PM IST using RSA key ID 6092693E
gpg: Can't check signature: public key not found
To complete the verification, we need to fetch the public key from a PGP keyserver using the RSA key ID reported above, 6092693E.
$ gpg --recv-keys 6092693E
gpg: requesting key 6092693E from hkp server keys.gnupg.net
gpg: /home/sowcat/.gnupg/trustdb.gpg: trustdb created
gpg: key 6092693E: public key "Greg Kroah-Hartman (Linux kernel stable release signing key) <firstname.lastname@example.org>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Now verify the signature again:
$ gpg --verify linux-3.1.5.tar.sign
gpg: Signature made Friday 09 December 2011 10:46:46 PM IST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <email@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
gpg reports a good signature! This means that the release was signed with the private key matching the public key we fetched earlier.
If, instead of "gpg: Good signature", it was a BAD signature, then:
1) It could be because of an incomplete download
2) The downloaded file is not truncated
3) The files might be corrupted
Even though our verification says ‘Good signature’, we can see a warning. This is because we did not verify whether the key really comes from the person ‘Greg’.
One way of checking is to mail the people in the list of signatures and ask them to confirm that the signature can be trusted. We can see the list of signatures by entering the command gpg --list-sigs. Another way is to check with the kernel web of trust.
Verifying the authenticity this way seems to be a long task. So, it is better to ignore the warning and trust the signature.
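A lighter check than the options above is to compare the signing key's full fingerprint with a value obtained through a channel you trust. The following is an added example, not part of the original post: it reads gpg's machine-readable --status-fd output and accepts only a valid signature from the expected primary key. The function names, the wrapper and the sample status lines are constructed for illustration, and the pinned value is the fingerprint printed in the output above, assumed to have been confirmed out of band.

```shell
#!/bin/sh
# Added example, not from the original post.
# Fingerprint from the gpg output above with spaces removed. Assumption: you
# have confirmed it through a channel you trust before pinning it here.
EXPECTED_FPR="647F28654894E3BD457199BE38DBBDC86092693E"

# check_status FPR: reads `gpg --status-fd 1 --verify` output on stdin and
# succeeds only if a VALIDSIG line names FPR as the primary key fingerprint
# and no BADSIG, ERRSIG or REVKEYSIG line is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; when that optional
            # field is absent, fall back to field 3 (signing key fingerprint).
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1
        }
        END { exit !(ok && !bad) }
    '
}

# verify_release TARBALL SIGFILE (hypothetical wrapper): run the real check.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed sample: status lines for a signature by the expected key.
GOOD_SAMPLE='[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman (Linux kernel stable release signing key)
[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2011-12-09 1323451006 0 4 0 1 2 00 647F28654894E3BD457199BE38DBBDC86092693E'

# Constructed sample: a valid signature by a different key whose fingerprint
# merely ends in the same 8 hex digits as the short key ID 6092693E.
LOOKALIKE_SAMPLE='[GNUPG:] GOODSIG AAAAAAAA6092693E Constructed Lookalike
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6092693E 2011-12-09 1323451006 0 4 0 1 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6092693E'

for name in GOOD_SAMPLE LOOKALIKE_SAMPLE; do
    eval "sample=\$$name"
    if printf '%s\n' "$sample" | check_status "$EXPECTED_FPR"; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
```

With the real files, call verify_release linux-3.1.5.tar linux-3.1.5.tar.sign and treat any non-zero exit status as a failed verification.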