How to check gpg signature given only the fingerprint and key ID

digital-signaturegnupg

I am trying to check the integrity of my gmp-6.1.2.tar.lz download (see here). I am on CentOS 6.6 using gpg (GnuPG) 2.0.14.

The GMP website only lists

Key ID: 0x28C67298 
Key type: 2560 bit RSA 
Fingerprint: 343C 2FF0 FBEE 5EC2 EDBE F399 F359 9FF8 28C6 7298

When I run (as suggested here):

$ gpg --verify gmp-6.1.2.tar.lz.sig gmp-6.1.2.tar.lz
gpg: Signature made Sun 18 Dec 2016 03:18:35 PM EST using RSA key ID 28C67298
gpg: Can't check signature: No public key

QUESTION

How do I extract the fingerprint from gpg to compare with the GMP website?
I don't know where or how to get the public key for gmp, is this fingerprint checking good enough? This does not seem to be very secure since I'm checking the signature of the file from the same website that I downloaded the file from.

Best Answer

I don't know where or how to get the public key for gmp, is this fingerprint checking good enough?

The key can usually be obtained from public keyservers, based on its ID or fingerprint.

gpg --recv-key '343C 2FF0 FBEE 5EC2 EDBE F399 F359 9FF8 28C6 7298'

Alternatively:

gpg --auto-key-retrieve --verify gmp-6.1.2.tar.lz.sig gmp-6.1.2.tar.lz

Comparing its fingerprint is enough to ensure you got the correct key.

This does not seem to be very secure since I'm checking the signature of the file from the same website that I downloaded the file from.

Indeed, it's not very secure. You should try to verify the fingerprint using other means, e.g. sometimes it's part of release announcements in mailing list archives; I sometimes use web.archive.org to make sure the website hasn't changed recently.

(The "traditional" PGP mechanism, web of trust, unfortunately is not very useful here.)

Verification can still be useful though:

The same key is used to sign many releases. Even if you don't know whose key it is, it might still be enough to know that it's the same key which has been legitimately signing releases for the past few years.
The actual download could be hosted on various mirror sites. If you trust the main project website, you can use this information to verify archives downloaded from anywhere.

Related Solutions

Verifying files with GPG, without a .sig or .asc file

Received an explanation from the GNU/GCC team about this, and the .sig files were missing due to an error with file replication to their mirror servers. From the team:

Interestingly, the .sig files are only on the GNU server (e.g., http://ftp.gnu.org/gnu/gcc/gcc-4.8.0/) but not on the GCC server (e.g., ftp://gcc.gnu.org/pub/gcc/releases/gcc-4.8.0/). As the latter is used by the mirrors, it is also not available on the mirrors.

I found the .sig files on the GNU server like they suggested, but then had to dig some more to find the "GNU keyring file" required to actually verify the signature. All in all, the verification process was:

$ wget http://www.netgull.com/gcc/releases/gcc-4.8.0/gcc-4.8.0.tar.gz
$ wget http://ftp.gnu.org/gnu/gcc/gcc-4.8.0/gcc-4.8.0.tar.gz.sig
$ wget ftp://ftp.gnu.org/gnu/gnu-keyring.gpg
$ gpg --verify --keyring ./gnu-keyring.gpg ./gcc-4.8.0.tar.gz.sig

gpg: Signature made Fri 22 Mar 2013 08:32:29 AM CDT using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek <jakub@redhat.com>"
gpg: Note: This key has expired!
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29  3709 A328 C3A2 C3C4 5C06

Hopefully this helps anyone else trying to verify a tarball downloaded from one of GCC's mirror sites.

Verify GPG tarballs from command line with signer’s public key block

We have to import the keys before checking the signature.

$ gpg --import gpg-signers.pem
gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
$ gpg --verify libassuan-2.2.0.tar.bz2.sig libassuan-2.2.0.tar.bz2
gpg: Signature made Thu 11 Dec 2014 21:13:07 JST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)"

If we don't want the keys to be stored in the local database permanently, use a disposable keyring.

$ gpg --no-default-keyring --keyring 1.keyring --import gpg-signers.pem
gpg: keyring 1.keyring created
...
$ gpg --no-default-keyring --keyring 1.keyring --verify ...
...
$ trash 1.keyring

By design, we receive keys out-of-band.

Though not as convenient as HTTPS, we can download Werner Koch's public key by gpg --recv-key 4F25E3B6. This command work out-of-box on many distros with a preconfigured keyserver. It is easy to write some script look into a signature file and automatically download the key the person who issue this signature used. But the decision is still left upon us, to determine whether to trust or not trust the person.

Best Answer

Related Solutions

Verifying files with GPG, without a .sig or .asc file

Verify GPG tarballs from command line with signer’s public key block

Related Question