How does providing an asc file ensure I'm downloading the intended source code?
Clash Royale CLAN TAG#URR8PPP
up vote
2
down vote
favorite
I'm installing cmake from the cmake.org website and they provide two files that I believe are intended to verify the source code download cmake-3.11.0-rc3.tar.gz
On the same page, they have links to download a cmake-3.11.0-rc3-SHA-256.txt file and a cmake-3.11.0-rc3-SHA-256.txt.asc file
What I don't understand is:
- How does an asc file from the same source (cmake.org) ensure the source code's integrity? If the source code offered by the site was compromised, couldn't the attacker also compromise the asc file?
Don't I need a public key to truly verify the source code download? And I thought the asc file was supposed to be the public key. However, when I try to import the asc file with
gpg --import cmake-3.11.0-rc3-SHA-256.txt.asc
I get an error that says "no valid OpenPGP data found"
gpg source-code
add a comment |Â
up vote
2
down vote
favorite
I'm installing cmake from the cmake.org website and they provide two files that I believe are intended to verify the source code download cmake-3.11.0-rc3.tar.gz
On the same page, they have links to download a cmake-3.11.0-rc3-SHA-256.txt file and a cmake-3.11.0-rc3-SHA-256.txt.asc file
What I don't understand is:
- How does an asc file from the same source (cmake.org) ensure the source code's integrity? If the source code offered by the site was compromised, couldn't the attacker also compromise the asc file?
Don't I need a public key to truly verify the source code download? And I thought the asc file was supposed to be the public key. However, when I try to import the asc file with
gpg --import cmake-3.11.0-rc3-SHA-256.txt.asc
I get an error that says "no valid OpenPGP data found"
gpg source-code
add a comment |Â
up vote
2
down vote
favorite
up vote
2
down vote
favorite
I'm installing cmake from the cmake.org website and they provide two files that I believe are intended to verify the source code download cmake-3.11.0-rc3.tar.gz
On the same page, they have links to download a cmake-3.11.0-rc3-SHA-256.txt file and a cmake-3.11.0-rc3-SHA-256.txt.asc file
What I don't understand is:
- How does an asc file from the same source (cmake.org) ensure the source code's integrity? If the source code offered by the site was compromised, couldn't the attacker also compromise the asc file?
Don't I need a public key to truly verify the source code download? And I thought the asc file was supposed to be the public key. However, when I try to import the asc file with
gpg --import cmake-3.11.0-rc3-SHA-256.txt.asc
I get an error that says "no valid OpenPGP data found"
gpg source-code
I'm installing cmake from the cmake.org website and they provide two files that I believe are intended to verify the source code download cmake-3.11.0-rc3.tar.gz
On the same page, they have links to download a cmake-3.11.0-rc3-SHA-256.txt file and a cmake-3.11.0-rc3-SHA-256.txt.asc file
What I don't understand is:
- How does an asc file from the same source (cmake.org) ensure the source code's integrity? If the source code offered by the site was compromised, couldn't the attacker also compromise the asc file?
Don't I need a public key to truly verify the source code download? And I thought the asc file was supposed to be the public key. However, when I try to import the asc file with
gpg --import cmake-3.11.0-rc3-SHA-256.txt.asc
I get an error that says "no valid OpenPGP data found"
gpg source-code
asked Mar 16 at 1:36
Ryan Oliver Lanham
132
132
add a comment |Â
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
3
down vote
accepted
Have a look inside the .asc
file, you will see it starts with:
-----BEGIN PGP SIGNATURE-----
So this is a PGP Signature. It means it signs some content with some specific PGP key.
1) The content
Based on the name, the content is the file .txt
, it is the list of files corresponding to the software to download and each file has its corresponding hash.
2) The signature
If you launch gpg
on both files, here is the result:
$ gpg --verify cmake-3.11.0-rc3-SHA-256.txt.asc cmake-3.11.0-rc3-SHA-256.txt
gpg: Signature made Fri Mar 9 10:29:10 2018 EST
gpg: using RSA key 2D2CEF1034921684
gpg: Can't check signature: No public key
So how does it all work? You are supposed to have the key 2D2CEF1034921684
in your local keychain. How do you get it, and more important you do make sure you get the proper one? (the id by itself is not enough). This is where the web of trust model of OpenPGP takes place. It would be too long to detail here but in short, ideally, you get access to the keys out of band and you have means to authentify it... or to authentify some other key of someone you know that itself has authentified the other key. And/Or you find it online in one or multiple places, secured by HTTPS (with a certificate and CA you trust), and ideally with DNSSEC.
If you have the public key, and you trust it to be good and not forged (and that typically it corresponds to the software developers of the tool you are trying to download), the above command show you that the .txt
files has not been tampered with. And in turn this gives you the hash of all archives files, so you can download it and re-run the hash algorithm (SHA256 as written in the filename) and compare it with the value stored in file.
If someone had compromised the server and changed some archives it could, as you say yourself, as well change the .txt
file with the new hashes so you could believe files do match.
However this third party would not be able to generate the proper .asc
file with the PGP signature (upon gpg --verify
you would get an error about invalid signature), because to do so he would need to have access to the private key which is supposedly properly secured and not stored on the webserver anyway.
And if it does generate it with another key you will see it because you will not trust this unknown key.
But of course the whole model collapses if the key itself is compromised.
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
3
down vote
accepted
Have a look inside the .asc
file, you will see it starts with:
-----BEGIN PGP SIGNATURE-----
So this is a PGP Signature. It means it signs some content with some specific PGP key.
1) The content
Based on the name, the content is the file .txt
, it is the list of files corresponding to the software to download and each file has its corresponding hash.
2) The signature
If you launch gpg
on both files, here is the result:
$ gpg --verify cmake-3.11.0-rc3-SHA-256.txt.asc cmake-3.11.0-rc3-SHA-256.txt
gpg: Signature made Fri Mar 9 10:29:10 2018 EST
gpg: using RSA key 2D2CEF1034921684
gpg: Can't check signature: No public key
So how does it all work? You are supposed to have the key 2D2CEF1034921684
in your local keychain. How do you get it, and more important you do make sure you get the proper one? (the id by itself is not enough). This is where the web of trust model of OpenPGP takes place. It would be too long to detail here but in short, ideally, you get access to the keys out of band and you have means to authentify it... or to authentify some other key of someone you know that itself has authentified the other key. And/Or you find it online in one or multiple places, secured by HTTPS (with a certificate and CA you trust), and ideally with DNSSEC.
If you have the public key, and you trust it to be good and not forged (and that typically it corresponds to the software developers of the tool you are trying to download), the above command show you that the .txt
files has not been tampered with. And in turn this gives you the hash of all archives files, so you can download it and re-run the hash algorithm (SHA256 as written in the filename) and compare it with the value stored in file.
If someone had compromised the server and changed some archives it could, as you say yourself, as well change the .txt
file with the new hashes so you could believe files do match.
However this third party would not be able to generate the proper .asc
file with the PGP signature (upon gpg --verify
you would get an error about invalid signature), because to do so he would need to have access to the private key which is supposedly properly secured and not stored on the webserver anyway.
And if it does generate it with another key you will see it because you will not trust this unknown key.
But of course the whole model collapses if the key itself is compromised.
add a comment |Â
up vote
3
down vote
accepted
Have a look inside the .asc
file, you will see it starts with:
-----BEGIN PGP SIGNATURE-----
So this is a PGP Signature. It means it signs some content with some specific PGP key.
1) The content
Based on the name, the content is the file .txt
, it is the list of files corresponding to the software to download and each file has its corresponding hash.
2) The signature
If you launch gpg
on both files, here is the result:
$ gpg --verify cmake-3.11.0-rc3-SHA-256.txt.asc cmake-3.11.0-rc3-SHA-256.txt
gpg: Signature made Fri Mar 9 10:29:10 2018 EST
gpg: using RSA key 2D2CEF1034921684
gpg: Can't check signature: No public key
So how does it all work? You are supposed to have the key 2D2CEF1034921684
in your local keychain. How do you get it, and more important you do make sure you get the proper one? (the id by itself is not enough). This is where the web of trust model of OpenPGP takes place. It would be too long to detail here but in short, ideally, you get access to the keys out of band and you have means to authentify it... or to authentify some other key of someone you know that itself has authentified the other key. And/Or you find it online in one or multiple places, secured by HTTPS (with a certificate and CA you trust), and ideally with DNSSEC.
If you have the public key, and you trust it to be good and not forged (and that typically it corresponds to the software developers of the tool you are trying to download), the above command show you that the .txt
files has not been tampered with. And in turn this gives you the hash of all archives files, so you can download it and re-run the hash algorithm (SHA256 as written in the filename) and compare it with the value stored in file.
If someone had compromised the server and changed some archives it could, as you say yourself, as well change the .txt
file with the new hashes so you could believe files do match.
However this third party would not be able to generate the proper .asc
file with the PGP signature (upon gpg --verify
you would get an error about invalid signature), because to do so he would need to have access to the private key which is supposedly properly secured and not stored on the webserver anyway.
And if it does generate it with another key you will see it because you will not trust this unknown key.
But of course the whole model collapses if the key itself is compromised.
add a comment |Â
up vote
3
down vote
accepted
up vote
3
down vote
accepted
Have a look inside the .asc
file, you will see it starts with:
-----BEGIN PGP SIGNATURE-----
So this is a PGP Signature. It means it signs some content with some specific PGP key.
1) The content
Based on the name, the content is the file .txt
, it is the list of files corresponding to the software to download and each file has its corresponding hash.
2) The signature
If you launch gpg
on both files, here is the result:
$ gpg --verify cmake-3.11.0-rc3-SHA-256.txt.asc cmake-3.11.0-rc3-SHA-256.txt
gpg: Signature made Fri Mar 9 10:29:10 2018 EST
gpg: using RSA key 2D2CEF1034921684
gpg: Can't check signature: No public key
So how does it all work? You are supposed to have the key 2D2CEF1034921684
in your local keychain. How do you get it, and more important you do make sure you get the proper one? (the id by itself is not enough). This is where the web of trust model of OpenPGP takes place. It would be too long to detail here but in short, ideally, you get access to the keys out of band and you have means to authentify it... or to authentify some other key of someone you know that itself has authentified the other key. And/Or you find it online in one or multiple places, secured by HTTPS (with a certificate and CA you trust), and ideally with DNSSEC.
If you have the public key, and you trust it to be good and not forged (and that typically it corresponds to the software developers of the tool you are trying to download), the above command show you that the .txt
files has not been tampered with. And in turn this gives you the hash of all archives files, so you can download it and re-run the hash algorithm (SHA256 as written in the filename) and compare it with the value stored in file.
If someone had compromised the server and changed some archives it could, as you say yourself, as well change the .txt
file with the new hashes so you could believe files do match.
However this third party would not be able to generate the proper .asc
file with the PGP signature (upon gpg --verify
you would get an error about invalid signature), because to do so he would need to have access to the private key which is supposedly properly secured and not stored on the webserver anyway.
And if it does generate it with another key you will see it because you will not trust this unknown key.
But of course the whole model collapses if the key itself is compromised.
Have a look inside the .asc
file, you will see it starts with:
-----BEGIN PGP SIGNATURE-----
So this is a PGP Signature. It means it signs some content with some specific PGP key.
1) The content
Based on the name, the content is the file .txt
, it is the list of files corresponding to the software to download and each file has its corresponding hash.
2) The signature
If you launch gpg
on both files, here is the result:
$ gpg --verify cmake-3.11.0-rc3-SHA-256.txt.asc cmake-3.11.0-rc3-SHA-256.txt
gpg: Signature made Fri Mar 9 10:29:10 2018 EST
gpg: using RSA key 2D2CEF1034921684
gpg: Can't check signature: No public key
So how does it all work? You are supposed to have the key 2D2CEF1034921684
in your local keychain. How do you get it, and more important you do make sure you get the proper one? (the id by itself is not enough). This is where the web of trust model of OpenPGP takes place. It would be too long to detail here but in short, ideally, you get access to the keys out of band and you have means to authentify it... or to authentify some other key of someone you know that itself has authentified the other key. And/Or you find it online in one or multiple places, secured by HTTPS (with a certificate and CA you trust), and ideally with DNSSEC.
If you have the public key, and you trust it to be good and not forged (and that typically it corresponds to the software developers of the tool you are trying to download), the above command show you that the .txt
files has not been tampered with. And in turn this gives you the hash of all archives files, so you can download it and re-run the hash algorithm (SHA256 as written in the filename) and compare it with the value stored in file.
If someone had compromised the server and changed some archives it could, as you say yourself, as well change the .txt
file with the new hashes so you could believe files do match.
However this third party would not be able to generate the proper .asc
file with the PGP signature (upon gpg --verify
you would get an error about invalid signature), because to do so he would need to have access to the private key which is supposedly properly secured and not stored on the webserver anyway.
And if it does generate it with another key you will see it because you will not trust this unknown key.
But of course the whole model collapses if the key itself is compromised.
answered Mar 16 at 3:16
Patrick Mevzek
2,0131721
2,0131721
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f430534%2fhow-does-providing-an-asc-file-ensure-im-downloading-the-intended-source-code%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password