How does providing an asc file ensure I'm downloading the intended source code?

I'm installing cmake from the cmake.org website and they provide two files that I believe are intended to verify the source code download cmake-3.11.0-rc3.tar.gz.

On the same page, they have links to download a cmake-3.11.0-rc3-SHA-256.txt file and a cmake-3.11.0-rc3-SHA-256.txt.asc file.

What I don't understand is:

  1. How does an asc file from the same source (cmake.org) ensure the source code's integrity? If the source code offered by the site was compromised, couldn't the attacker also compromise the asc file?

  2. Don't I need a public key to truly verify the source code download? And I thought the asc file was supposed to be the public key. However, when I try to import the asc file with

         gpg --import cmake-3.11.0-rc3-SHA-256.txt.asc

     I get an error that says "no valid OpenPGP data found".

asked Mar 16 at 1:36
Ryan Oliver Lanham

1 Answer






Have a look inside the .asc file; you will see it starts with:

    -----BEGIN PGP SIGNATURE-----

So this is a PGP signature. It means it signs some content with some specific PGP key.

1) The content

Based on the name, the content is the .txt file: it is the list of files corresponding to the software to download, and each file has its corresponding hash.

2) The signature

If you launch gpg on both files, here is the result:

    $ gpg --verify cmake-3.11.0-rc3-SHA-256.txt.asc cmake-3.11.0-rc3-SHA-256.txt
    gpg: Signature made Fri Mar 9 10:29:10 2018 EST
    gpg: using RSA key 2D2CEF1034921684
    gpg: Can't check signature: No public key

So how does it all work? You are supposed to have the key 2D2CEF1034921684 in your local keychain. How do you get it, and more importantly, how do you make sure you get the proper one? (The ID by itself is not enough.) This is where the web of trust model of OpenPGP comes into play. It would be too long to detail here, but in short, ideally, you get access to the keys out of band and you have the means to authenticate it... or to authenticate some other key of someone you know who has in turn authenticated the other key. And/or you find it online in one or multiple places, secured by HTTPS (with a certificate and CA you trust), and ideally with DNSSEC.

If you have the public key, and you trust it to be good and not forged (and that typically it corresponds to the software developers of the tool you are trying to download), the above command shows you that the .txt file has not been tampered with. In turn, this gives you the hashes of all the archive files, so you can download an archive, re-run the hash algorithm (SHA256, as written in the filename) and compare the result with the value stored in the file.

If someone had compromised the server and changed some archives, they could, as you say yourself, also change the .txt file with the new hashes so that you would believe the files match.
However, this third party would not be able to generate the proper .asc file with the PGP signature (upon gpg --verify you would get an error about an invalid signature), because to do so they would need access to the private key, which is supposedly properly secured and not stored on the web server anyway.
And if they generate it with another key, you will see it, because you will not trust this unknown key.

But of course the whole model collapses if the key itself is compromised.

answered Mar 16 at 3:16
Patrick Mevzek
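
The verification order described in the answer above, as an added shell example that is not part of the original post or of CMake's own tooling. The function names, the sha256sum-style manifest layout and the fingerprint argument are assumptions; the full fingerprint has to come from a source you trust, since the page only shows a key ID.

```sh
#!/bin/sh
# Added example. Assumptions (not from the page): the manifest uses the
# sha256sum layout "<hex digest>  <file name>", and the caller passes the
# maintainer's full key fingerprint, obtained out of band.

# Classify an ASCII-armored file by its header line. A detached signature
# holds no key material: it is input for --verify, not for --import.
armor_type() (
    line=$(sed -n '/^-----BEGIN PGP /{p;q;}' "$1")
    case $line in
        *'BEGIN PGP SIGNATURE'*)        echo signature ;;
        *'BEGIN PGP PUBLIC KEY BLOCK'*) echo public-key ;;
        '')                             echo none ;;
        *)                              echo other ;;
    esac
)

# Succeed only if gpg reports a valid signature AND the primary key that made
# it has the pinned fingerprint. The full fingerprint is compared, not a key ID.
signed_by() (   # signed_by <sig.asc> <signed file> <expected fingerprint>
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || exit 1
    got=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
)

sha256_of() (   # print the lowercase hex SHA-256 of a file
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print $1 }'
)

# Compare the archive's digest with the manifest entry for its file name.
# Returns 2 when the manifest has no entry for that name.
hash_matches() (   # hash_matches <manifest> <archive>
    name=$(basename "$2")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print tolower($1); exit }' "$1")
    [ -n "$want" ] || exit 2
    [ "$(sha256_of "$2")" = "$want" ]
)

# Signature first, hash second: the hash only means something once the
# manifest that lists it is known to come from the pinned key.
verify_release() (  # verify_release <archive> <manifest> <manifest.asc> <fpr>
    [ "$(armor_type "$3")" = signature ] ||
        { echo "not a detached signature: $3" >&2; exit 1; }
    signed_by "$3" "$2" "$4" ||
        { echo "no valid signature from the pinned key on $2" >&2; exit 1; }
    hash_matches "$2" "$1" ||
        { echo "digest of $1 does not match the signed manifest" >&2; exit 1; }
    echo "verified: $1"
)

if [ "$#" -eq 4 ]; then verify_release "$@"; fi
```

The signature step needs the maintainer's public key already imported into the local keyring; without it gpg exits non-zero and `verify_release` stops before the hash is ever consulted.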
