1

I am trying to check the integrity of my gmp-6.1.2.tar.lz download (see here). I am on CentOS 6.6 using gpg (GnuPG) 2.0.14.

The GMP website only lists

Key ID: 0x28C67298 
Key type: 2560 bit RSA 
Fingerprint: 343C 2FF0 FBEE 5EC2 EDBE F399 F359 9FF8 28C6 7298 

When I run (as suggested here):

$ gpg --verify gmp-6.1.2.tar.lz.sig gmp-6.1.2.tar.lz
gpg: Signature made Sun 18 Dec 2016 03:18:35 PM EST using RSA key ID 28C67298
gpg: Can't check signature: No public key

QUESTION

  1. How do I extract the fingerprint from gpg to compare with the GMP website?

  2. I don't know where or how to get the public key for gmp, is this fingerprint checking good enough? This does not seem to be very secure since I'm checking the signature of the file from the same website that I downloaded the file from.

1
  • 1
    "This does not seem to be very secure since I'm checking the signature of the file from the same website that I downloaded the file from." - Use the appropriate tools to calculate the checksum of the file, then compare the checksum to the one on the website. If you don't trust the website then you should not trust the key. GPG is entirely built on trust, all certificates are, nothing unique about that.
    – Ramhound
    Commented Feb 23, 2018 at 13:34

2 Answers 2

2

I don't know where or how to get the public key for gmp, is this fingerprint checking good enough?

The key can usually be obtained from public keyservers, based on its ID or fingerprint.

gpg --recv-key '343C 2FF0 FBEE 5EC2 EDBE F399 F359 9FF8 28C6 7298'

Alternatively:

gpg --auto-key-retrieve --verify gmp-6.1.2.tar.lz.sig gmp-6.1.2.tar.lz

Comparing its fingerprint is enough to ensure you got the correct key.

This does not seem to be very secure since I'm checking the signature of the file from the same website that I downloaded the file from.

Indeed, it's not very secure. You should try to verify the fingerprint using other means, e.g. sometimes it's part of release announcements in mailing list archives; I sometimes use web.archive.org to make sure the website hasn't changed recently.

(The "traditional" PGP mechanism, web of trust, unfortunately is not very useful here.)

Verification can still be useful though:

  • The same key is used to sign many releases. Even if you don't know whose key it is, it might still be enough to know that it's the same key which has been legitimately signing releases for the past few years.

  • The actual download could be hosted on various mirror sites. If you trust the main project website, you can use this information to verify archives downloaded from anywhere.

5
  • Why even use public keys instead of the fingerprint? Is it not possible to sign via the private key and then simply send the fingerprint to the other person and make sure he received the correct one via phone, and then the other person could use the fingerprint (not the associated public key) to check the signature? Or is it only possible to check a signature via looking up the associated public key?
    – Ini
    Commented Oct 26, 2018 at 14:38
  • 1
    @Ini: Signature verification requires information from the public key. It doesn't matter how the public key is delivered to the message's recipient (it could be downloaded from a keyserver, it could be bundled with the signature itself) -- but the recipient still needs to obtain the full key somehow. Commented Oct 26, 2018 at 14:50
  • 1
    @Ini: Nowadays you could perhaps dictate the entire Ed25519 public key over phone, or fit it on a business card (although probably just the raw key; not the entire PGP keyblock with metadata and all). But traditional RSA or DSA keys are far too large to dictate in a reasonable amount of time. So fingerprints are used as a shorter substitute. Once the recipient has the correct fingerprint, they can obtain the full public key from any source they want, and verify the key against the fingerprint, and finally verify the file's signature against the key. Commented Oct 26, 2018 at 14:54
  • grawity: I know, but the question was if you can use the fingerprint directly to verify the signature instead of using the public key associated to the fingerprint?
    – Ini
    Commented Oct 26, 2018 at 15:27
  • @Ini: No. As I already said, signature verification requires information from the public key. Commented Oct 26, 2018 at 17:06
0

As an addendum to grawity's answer:

--auto-key-retrieve has been deprecated.

The revised syntax at time of writing is:

gpg --keyserver-options auto-key-retrieve --verify abc.tar.gz.sign abc.tar.gz

Success should show:

gpg: Good signature from "User <[email protected]>"
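
Both answers end at gpg printing a good signature, which with automatic key retrieval only says that some fetched key made it. The sketch below is an added example, not code from the original posts: it pins the fingerprint from the question and checks it against gpg's `--status-fd` output. The function names and the sample status lines are constructed for illustration, and a configured, reachable keyserver is assumed.

```shell
#!/bin/sh
# Added example: check the pinned fingerprint against gpg's status output.
# Fingerprint as listed in the question (from the GMP website).
PINNED='343C 2FF0 FBEE 5EC2 EDBE F399 F359 9FF8 28C6 7298'

# Constructed sample of `gpg --status-fd 1 --verify` output (not a capture).
SAMPLE_STATUS='[GNUPG:] GOODSIG F3599FF828C67298 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 343C2FF0FBEE5EC2EDBEF399F3599FF828C67298 2016-12-18 1482092315 0 4 0 1 8 00 343C2FF0FBEE5EC2EDBEF399F3599FF828C67298'

# normalize_fpr FPR: print FPR as uppercase hex, no spaces, no leading 0x.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# status_signed_by FPR: read status lines on stdin; succeed only if gpg
# reported GOODSIG and a VALIDSIG names FPR as the signing key (field 3)
# or as its primary key (last field, when gpg includes it).
status_signed_by() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && want != "" {
            if (toupper($3) == want || toupper($NF) == want) pinned_ok = 1
        }
        END { exit !(good && pinned_ok) }'
}

# verify_release SIG FILE: fetch the key by full fingerprint, then verify.
# Returns 0 only when the good signature comes from the pinned key.
# Assumes a keyserver is configured and reachable.
verify_release() {
    gpg --batch --recv-keys "$(normalize_fpr "$PINNED")" >/dev/null 2>&1 || return 2
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_signed_by "$PINNED"
}
# Usage: verify_release gmp-6.1.2.tar.lz.sig gmp-6.1.2.tar.lz
```

The exit status, not the printed text, is what a download script should test; a signature from any other key in the keyring fails the check even though gpg itself reports it as good.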
