Checking a Package's "Signature"

Thanks to RPM technology, it's easy to install applications instantly -- and if you don't like what you've installed, you can easily remove applications from your system.

But just because RPM is easy to use doesn't mean it's insecure. That's because RPM teams up with Gnu Privacy Guard -- also called GnuPG -- to help you make certain your downloaded package is "trustworthy."

Let's say you've just downloaded the package coolapp-1.1-1.rpm. To run a quick check of the file's integrity, you would type

rpm -K coolapp-1.1-1.rpm

Right away, you'll see the message coolapp-1.1-1.rpm: md5 OK. This brief message means that the file checks out -- it hasn't been corrupted by the download.

That's fine, but how trustworthy is the developer? Do you really know them? Well, if the package is signed with the developer's GnuPG key, you'll know that the developer really is who they say they are.

GnuPG is a tool for secure communication; it is a complete and free replacement for the encryption technology of PGP. With GnuPG, you can verify the authenticity of documents and encrypt and decrypt data exchanged with other correspondents. The tool is capable of decrypting and verifying PGP 5.x files, as well.

During the installation of Red Hat Linux, GnuPG is installed by default. Here, we'll show you how to get started with GnuPG so you can check a developer's keys.

GnuPG uses public key cryptography. When you check a signature against an owner's key, you can be certain that the owner is who they say they are. In public key cryptography, users create a keypair, which is comprised of a public key and a private key.

While you can distribute your public key to correspondents or to public keyservers -- online repositories which store users' public keys -- you should never divulge your private key to anyone.

Generating a new keypair

To use GnuPG, your first task is to generate a new keypair: your own public and private keys. You can do this with the --gen-key option at the shell prompt.

Important: Do not give away your private key

Remember: While your public key can be given to anyone with whom you want to exchange secure communication, you must never give away your private key.

In an Xterm window, type gpg --gen-key. Since you work with your user account most frequently, you should be doing this from your user account, rather than root. You'll find an introductory screen, with key options, including one recommended option (the default), similar to the following:

gpg (GnuPG) 1.0.1; Copyright (C) 1999 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)
Your selection?

In fact, most of the screens which require you to choose an option will list the default option in parentheses. Unless you have a specific reason not to, you can accept the default options simply by pressing Enter.

In the first screen, you should accept the default option: (1) DSA and ElGamal. This option will allow you to create a digital signature and encrypt (and decrypt) with two types of technologies. Type 1 and then press Enter.

Next, choose the key size, or how long the key should be. Generally, the longer the key, the more resistant against attacks your messages will be. The default size, 1024 bits, should be sufficiently strong for most users, so press Enter.

The next option asks you to specify how long you want your key to be valid. Usually, the default -- 0 = key does not expire -- is fine. If you do choose an expiration date, remember that anyone with whom you exchanged your public key will also have to be informed of its expiration, and supplied with a new public key.

Your next task is to provide a user ID, with your name, your e-mail address and an optional comment. When you're finished, you'll be presented with a summary of the information you entered.

Once you accept your choices, you'll have to enter a passphrase, which is a password you choose that will validate you as the owner of your new keys.

Tip: Use a secure passphrase

Like your account passwords, a good passphrase is essential for optimal security in GnuPG. For example, mix upper- and lowercase letters, numbers, and punctuation marks in your passphrase.

Once you enter and verify your passphrase, your keys will be generated. You'll see a message similar to the following:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++.++++++++....++++++++++..+++++.+++++.+++++++.+++++++
+++.++++++++++++++++++++++++++++++++++++++..........................++++

When the activity on the screen ceases, your new keys will be made and placed in the directory .gnupg. To list your keys, use the command gpg --list-keys; you'll see something similar to the following:

[newuser@localhost newuser]$ gpg --list-keys
/home/newuser/.gnupg/pubring.gpg
-----------------------------------------
pub  1024D/B7085C8A 2000-04-18 Your Name <you@yourisp.net>
sub  1024g/E12AF9C4 2000-04-18

Exchanging Keys

Once you have created your keypair, you can exchange your public key with anyone. You do this by exporting your public key and importing others' public keys.

Exporting Keys

To export your key so that you can mail or paste it on a Web page, use the following command:

gpg --armor --export you@yourisp.net

The result will appear somewhat like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP PUBLIC KEY BLOCK-----

Tip: Easily Save the Output

You can save the public key block by redirecting the output to a file. That way, you can insert the file in e-mail, or copy and paste it for a Web page. To redirect the output to a file called mykey.txt in your home directory, add > mykey.txt to the command:

gpg --armor --export you@yourisp.net > mykey.txt

Then the file mykey.txt can be inserted whenever you want to send your key to someone.

Importing Keys

When you import someone's public key, you add that key to your keyring. Then, when you download a document or file from that correspondent, you can check the validity of that document against the key you have added to your keyring.

To import a key, use the --import option. To demonstrate, let's download and import Red Hat's public key. That way, any time you want to validate a package from Red Hat, you'll be able to check it against the key you retrieved.

You can find Red Hat's key at http://www.redhat.com/about/contact.html. From your browser, you can download the key by pressing the Shift key while you click on the download link, then click the OK button to save the file (for example redhat2.asc). Now, at the shell prompt, import the key with the following command:

gpg --import redhat2.asc

The resulting message will tell you that the key was "processed." To check that the key was added, type gpg --list-keys. You'll see the key you just downloaded from Red Hat, as well as your own keys.

[newuser@localhost newuser]$ gpg --list-keys
/home/newuser/.gnupg/pubring.gpg
-----------------------------------------
pub  1024D/DB42A60E 1999-09-23 Red Hat, Inc <security@redhat.com>
sub  2048g/961630A2 1999-09-23

Tip: Keys Don't Have to be Links

Sometimes, you won't be able to download a key as a link; instead, you can save any key as a text file. As long as you know the name and location of the file you saved, you can import it to your keyring.

Verifying Packages

The command to check a downloaded package (rpm -K filename) is the same procedure that you used before generating your GnuPG keys and adding Red Hat's key. Now that you've added the key from Red Hat to your keyring, however, you'll see a slightly different message: md5 gpg OK. That means both that the package hasn't been corrupted, and that you can trust the originator of the package -- that is, Red Hat.
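As an added example (not from the original book), here is a small shell gate that applies the distinction just described: it reads the one-line result of rpm -K and refuses to treat "md5 OK" alone as proof of origin. The rpm -K output lines below are constructed in the format shown on this page; verify_before_install, which runs the real rpm -K, is assumed to have rpm available.

```shell
#!/bin/sh
# Classify the one-line result of "rpm -K <file>".
# Return value: 0 = integrity and signature verified (safe to install),
#               1 = integrity only (md5 OK, signer's key not in the keyring),
#               2 = corrupted file, failed signature, or unrecognised output.
classify_rpm_check() {
    line="$1"
    case "$line" in
        *"NOT OK"*)      echo "REJECT: checksum or signature check failed";      return 2 ;;
        *" md5 gpg OK")  echo "ACCEPT: integrity and GnuPG signature verified";  return 0 ;;
        *" md5 OK")      echo "WARN: integrity only, package is not signed by a key you hold"; return 1 ;;
        *)               echo "REJECT: unrecognised rpm -K output";              return 2 ;;
    esac
}

# Wrapper a practitioner would use in an install script: run the real check
# and gate on its classification. Assumes rpm is installed; not exercised by
# the constructed samples below.
verify_before_install() {
    pkg="$1"
    out=$(rpm -K "$pkg" 2>&1)
    classify_rpm_check "$out"
}

# Constructed sample results, in the format the chapter shows.
classify_rpm_check "coolapp-1.1-1.rpm: md5 OK" || :
classify_rpm_check "coolapp-1.1-1.rpm: md5 gpg OK" || :
classify_rpm_check "coolapp-1.1-1.rpm: md5 GPG NOT OK" || :
```

A "gpg OK" result is only as trustworthy as the key you imported, so confirm the Red Hat key came from the page named above before relying on it.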

Going from Here

There's quite a bit more to GnuPG -- and encryption technology -- than we've covered here. In fact, there's much more information than we can cover in this book. But you can get a start on such concepts as key management, how to import and export keys, and more by turning to Chapter 13.