Distros : Prep - Signatures

GnuPG — GNU Privacy Guard is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG also known as gpg is a command line tool that allows you to encrypt and sign your data and communications.

When you set up gpg on your PC a Private Key and a Public Key are created. You can then use gpg to encrypt a document with your Private Key, send it by email and when the user at the far end receives the document they have to ask you for your Public Key so that they can open it. Nobody else can read that document even if they can hack into the email.

In this article we will concentrate on how a Linux Distro would use gpg to create a Detached Digital Signature for a checksum file signing it so proving that they created that file and it has not been tampered with and how the end user would use gpg to verify that.

I used cat to look at one of the .sign files which was created by Debian..

$ cat MD5SUMS.sign
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEE35ucSeqpKYQyWJ122ofoDWKUvpsFAmBfrD4ACgkQ2ofoDWKU
vpswBg/+JykJjY3UxOGkJM2g86P4+8TicgW5Xmch/fSB0bqZtz0Dm1/SWnmbbA3+
/oR6iMWjtTXxxSUF9uk34E5BSxj+w8/gwb6a4CGVguAkiSPkWROjANyEeaZ/j52E
d7q1k7tjQA1aFX0KRoOoGqKIn7tB5bkYpqxxSW0x3Ih0cA0zkrTIwKwboU53/oVn
0J2KvmHIypU82wGoFOVkz5akeIqOEIIGQ2BanC3y3n5hk4E/DuqKrHPb/qf8PGG8
9mlMVbB71TAoc6IKlGQPuvPocN9muqgMe34qGBTI4leUc6aP6/5NdT+zx6BJPQ8Z
iqt1h8mPKfVmI5lLv+47/VXFe+4tdj0ANDJ8ofWc9dtDzb1rxqJ1dD2NKUm+3Uh0
N66bh0kAMNnCkvBrfL9Pk99FCl7diXNcUlZC3oaHiQnu07EqWJfyIQNdunQuHZHG
9nGW7aBDIPFCJaGdOkZ4utiw7aqJHqNhPuB7YuFvEpZXyfm7Oyf6U4hC8HcRXGnp
lieFIa0jm171QyzzWGE/U5bRUcbpfoc6LCLJl5PNMq+rE/DzY3oAaH88Gx4C7sf7
HTo2lgH4jUMVDOeAxQ1hMruszYv0SU0V/kntFxrJRLi9AaW9JOLsThIASm1iVg1x
KQ4D9jhqTl7X3RdOQxre+FjwenTHY8rDoa8ypxlyyEbFFVb0yM0=
=U2dc
-----END PGP SIGNATURE-----

The above is a (very long) detached PGP Signature that was created by using the code below.

gpg --output MD5SUMS.sign --detach-sig -a MD5SUMS

Breaking down that command gpg has many options, starting at the end:

Debian repeated the process for all the SHASUM files, the end user would then download a ISO and a checksum and the checksum .sign signature file.

To check the MD5SUM file is from Debian cd to the folder where I downloaded the Debian Install files and typed in gpg --verify MD5SUM.sign MD5SUM

To break that command down: I am using gpg to verify, the first argument MD5SUM.sign is the pgp signature file and then the file I wanted to check MD5SUM and below is the result..

$ gpg --verify MD5SUM.sign MD5SUM
gpg: keybox '/home/bryan/.gnupg/pubring.kbx' created 
(first time to run gpg, then a keybox is created)
gpg: Signature made Sat 27 Mar 2021 22:05:51 GMT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key

OK, that did not work, gpg is looking for the Public Key for the RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B. Reading through Verifying authenticity of Debian CD's I found a link to the Debian Keyring Page which gave me Debians Keyring Server address: keyring.debian.org so my next gpg command was ..

gpg --keyserver keyring.debian.org --recv-keys the_public_key_that_you_want

To break that command down I am stating where the keyserver is keyring.debian.org and that I want to receive their Public Key and put them into my own keyring --recv-keys

That key is rather long so I selected it in the output above, Ctrl+Shift+C to Copy it and Ctrl+Shift+V to Paste it after --recv-keys.
$ gpg --keyserver keyring.debian.org 
--recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B

gpg: /home/bryan/.gnupg/trustdb.gpg: trustdb created
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

The gpg trusted database is created and the Debian CD signing key is imported and I can see my gpg keys by..

$ gpg --list-keys
/home/bryan/.gnupg/pubring.kbx
--------------------------------
pub   rsa4096 2011-01-05 [SC]
      DF9B9C49EAA9298432589D76DA87E80D6294BE9B
uid           [ unknown] Debian CD signing key <debian-cd@lists.debian.org>
sub   rsa4096 2011-01-05 [E]

Now that I have Debian's Public Key I tried gpg --verify MD5SUM.sign MD5SUM again.

$ gpg --verify MD5SUM.sign MD5SUM
gpg: Signature made Sat 27 Mar 2021 22:05:51 GMT
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "<Debian CD signing key debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

The checksum file has been verified, I highlighted that in yellow, however the rest of the gpg output doesn't inspire confidence, the warning means you haven't told gpg that you trust where the signature is from, to trust a digital signature requires some more gpg housework, if all you want is to verify that checksum, this is enough. Ignore the warning, download the ISO and use the checksum to validate the ISO and then burn that ISO onto your DVD/USB Key.

Pressing on I am going to do some more gpg stuff, creating my own Private key and trust the Debian Public Key, gpg --gen-key will start off the whole process...

$ gpg --gen-key
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

(GPG asked for my real name and email address)

Real name: Linux User
Email address: linux@etcetera.ie
You selected this USER-ID:
    "Linux User <linux@etcetera.ie>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? 
(Hit N, E to change or O (the letter O) for OK.)

Then gpg had to generate a lot of random bytes.This took some time and when that was done I was asked to Enter a paraphrase ideally at least eight characters consisting of letters and numbers, this is the weakest part of gpg, a poor paraphrase consisting of actual words could be easily cracked, so I followed best practices.

Finally I reached this screen...

gpg: key BC3756B6B8C96453 marked as ultimately trusted
gpg: directory '/home/bryan/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/bryan/.gnupg/openpgp-revocs.d/0EA1C9776DE256CCA9C16FB6BC3756B6B8C96453.rev'
public and secret key created and signed.

pub   rsa3072 2021-04-28 [SC] [expires: 2023-04-28]
      0EA1C9776DE256CCA9C16FB6BC3756B6B8C96453
uid                      Linux User <linux@etcetera.ie>
sub   rsa3072 2021-04-28 [E] [expires: 2023-04-28]

Now to take another look at my keys.. gpg --list-keys

$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-04-28
/home/bryan/.gnupg/pubring.kbx
------------------------------
pub   rsa4096 2011-01-05 [SC]
      DF9B9C49EAA9298432589D76DA87E80D6294BE9B
uid           [ unknown] Debian CD signing key <debian-cd@lists.debian.org>
sub   rsa4096 2011-01-05 [E]

pub   rsa3072 2021-04-28 [SC] [expires: 2023-04-28]
      0EA1C9776DE256CCA9C16FB6BC3756B6B8C96453
uid           [ultimate] Linux User <linux@etcetera.ie>
sub   rsa3072 2021-04-28 [E] [expires: 2023-04-28]

The ultimate before the user means absolute trust, now to say that I trust the Debian CD key I need to edit the Debian Key.

$ gpg --edit-key debian-cd@lists.debian.org 
(type de then Tab to autocomplete or simply any part of the uid and Enter)
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/DA87E80D6294BE9B
     created: 2011-01-05  expires: never       usage: SC  
     trust: full          validity: unknown
sub  rsa4096/642A5AC311CD9819
     created: 2011-01-05  expires: never       usage: E   
[ unknown] (1). Debian CD signing key <debian-cd@lists.debian.org>

Now we are in a gpg shell and have a series of commands that we can do to this key, type help to list them, some are shown below..

gpg> help
quit        quit this menu 
save        save and quit
help        show this help
fpr         show key fingerprint
grip        show the keygrip
list        list key and user IDs
uid         select user ID N
key         select subkey N
check       check signatures
sign        sign selected user IDs [* see below for related commands]

We need to double check that the public key is from a trusted source, first thing we need to do is to get its fingerprint by using the fpr command..

gpg> fpr
pub   rsa4096/DA87E80D6294BE9B 2011-01-05 Debian CD signing key <debian-cd@lists.debian.org>
 Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
Outside of a gpg shell doing a gpg --fingerprint (any part of the key name) will give you that fingerprint.

If the Public Key belongs to an individual one way to verify that its theirs is to ring them and ask them to call out their fingerprint.

If the Public Key belongs to a Linux Distro simply put the keys fingerprint into your favorite seach engine and you should get lots of hits for that Distro, using Google I got About 388 results, most of them about the trust issue!!!!.

OK its one of Debian Public Keys, now to sign that key so that when I do future gpg --verify for Debian Checksums I won't get any more trust warnings.

 
gpg> sign

pub  rsa4096/DA87E80D6294BE9B
     created: 2011-01-05  expires: never       usage: SC  
     trust: full          validity: unknown
 Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

     Debian CD signing key <debian-cd@lists.debian.org>

Are you sure that you want to sign this key with your
key "Linux User <linux@etcetera.ie>" (BC3756B6B8C96453)

Really sign? (y/N) (you have to type in y)

Then I was asked for my very secure passphrase.

Finally I type in save to save the changes and exit the gpg shell.

Alternately type quit to exit the shell and at the prompt type y to save the changes or n to drop them.

Having signed the key I repeated the gpg --verify command again, the result was ..

$ gpg --verify MD5SUM.sign MD5SUM
gpg: Signature made Sat 27 Mar 2021 22:05:51 GMT
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [full]

Now that's better. To verify the SHASUM files I simply repeated the gpg --verify command.

$ gpg --verify SHA256SUMS.sign SHA256SUMS
gpg: Signature made Sat 27 Mar 2021 22:05:51 GMT
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [full]

To create my own detached pgp signature on MD5SUM I did the following, this time with NO --output option..

$ gpg --detach-sig -a MD5SUMS
(I was asked for your passphrase)
$ ls MD5SUMS*
(To see if that worked)
MD5SUMS  MD5SUMS.asc  MD5SUMS.sign

$ cat MD5SUMS.asc
-----BEGIN PGP SIGNATURE-----
(Just the first 4 lines)
iQGzBAABCgAdFiEEDqHJd23iVsypwW+2vDdWtrjJZFMFAmDHUUcACgkQvDdWtrjJ
ZFOa1gv7BOlkW3amo8bVbiX2nD9aFuL9vlRJaJ2EQrlU0DSSBUwO1e9/2eyypiBu
ugoDCHi/RC8qlN+JHRbzMKmYYN9hIUssngkGiRBspTM0DKIwbj6ttyxBoC/X5828
2vJO4jkewW2oNEpGYvw0DjufahDlYj4GsAa8WFcHIwfM9erIRFAkLLHL1PwT+RrC

-----END PGP SIGNATURE-----

$ cat MD5SUMS.sign
-----BEGIN PGP SIGNATURE-----
(completely different!!!)
iQIzBAABCAAdFiEE35ucSeqpKYQyWJ122ofoDWKUvpsFAmBfrD4ACgkQ2ofoDWKU
vpswBg/+JykJjY3UxOGkJM2g86P4+8TicgW5Xmch/fSB0bqZtz0Dm1/SWnmbbA3+
/oR6iMWjtTXxxSUF9uk34E5BSxj+w8/gwb6a4CGVguAkiSPkWROjANyEeaZ/j52E
d7q1k7tjQA1aFX0KRoOoGqKIn7tB5bkYpqxxSW0x3Ih0cA0zkrTIwKwboU53/oVn

-----END PGP SIGNATURE-----

To find out more check out the The GNU Privacy Handbook, it has four short chapters..

..and you have just worked your way through half the first chapter. :-)