Verify GPG tarballs from command line with signer’s public key block

command linegnupgverification

I've got a script to fetch Gcrypt's five source packaes from GnuPG Download. I also fetch the signature for each package. For example:

FILE=libassuan-2.2.0
wget -q "ftp://ftp.gnupg.org/gcrypt/libassuan/$FILE.tar.bz2.sig" -O "$FILE.tar.bz2.sig"
wget -q "ftp://ftp.gnupg.org/gcrypt/libassuan/$FILE.tar.bz2" -O "$FILE.tar.bz2"
gpg --verify "$FILE.tar.bz2.sig" "$FILE.tar.bz2"

While trying to verify the download, I get an error "Can't check signature: public key not found". This is expected since the VM is fairly clean and it does not have a GPG keychain (I think that's what its called).

I have the public key block from the Signature Key page, and its in a file called gpg-signers.pem. But I don't know how to use it with GPG.

I've searched the man pages, but I don't see how to pass public key block (gpg-signers.pem) to the command (gpg --verify). There is a --sign-key, but its used to "sign a public key with you secret key"; and not specify the signer's key to verify a signature.

How do I pass gpg-signers.pem to gpg --verify to verify the signature on the package?

Best Answer

We have to import the keys before checking the signature.

$ gpg --import gpg-signers.pem
gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
$ gpg --verify libassuan-2.2.0.tar.bz2.sig libassuan-2.2.0.tar.bz2
gpg: Signature made Thu 11 Dec 2014 21:13:07 JST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)"

If we don't want the keys to be stored in the local database permanently, use a disposable keyring.

$ gpg --no-default-keyring --keyring 1.keyring --import gpg-signers.pem
gpg: keyring 1.keyring created
...
$ gpg --no-default-keyring --keyring 1.keyring --verify ...
...
$ trash 1.keyring

By design, we receive keys out-of-band.

Though not as convenient as HTTPS, we can download Werner Koch's public key by gpg --recv-key 4F25E3B6. This command work out-of-box on many distros with a preconfigured keyserver. It is easy to write some script look into a signature file and automatically download the key the person who issue this signature used. But the decision is still left upon us, to determine whether to trust or not trust the person.

Finding the File for a Detached Signature

gpg will automatically verify detached signatures against the same file name, without .asc or .sig enxtension. From man gpg:

--verify
  Assume  that  the first argument is a signed file or a detached signature and
  verify it without generating any output. With  no  arguments,  the  signature
  packet  is  read from STDIN. If only a sigfile is given, it may be a complete
  signature or a detached signature, in which case the signed stuff is expected
  in a file without the ".sig" or ".asc" extension.  With more than 1 argument,
  the first should be a detached signature and  the  remaining  files  are  the
  signed  stuff.  To  read  the  signed stuff from STDIN, use '-' as the second
  filename.  For security reasons a detached signature cannot read  the  signed
  material from STDIN without denoting it in the above way.

Thus, gpg --verify package_name.asc expects the signed file to be available as package_name. If it isn't (or at another location), also give the path to this file:

gpg --verify detached_siganture.asc signed_file

Is it the Right File?

OpenPGP does not expect the file name (or any other identifier) to be stored in the signature. But: the signature is the hash sum of the signed file, encrypted with the signer's private key, so it can be decrypted with his public key. If the decrypted hash sum does not match the one of the file used to verify against, you know the file isn't the same that was signed (but cannot tell whether it is the wrong file because of selecting the wrong, or it was tampered).

Retrieve public keys that signed a key I have

You're not missing keys for the ISO's signature, but keys which issued certifications on the key that signed the image.

GnuPG does not recursively download other keys, you will have to do this on your own (for example, by running a command line like the one you proposed in the comments). But be aware that the certificates provided by other keys do not already assert the key's valid, it is very easy to generate whole networks of keys that even mimic the real OpenPGP web of trust like performed in the Evil 32 attack. If you want to validate some key by checking certifications, always build a trust path that ends at your own key (or some other key you verified through another medium, for example by meeting the person).

Best Answer

Related Solutions

How are detached signatures used to verify a file’s integrity and authenticity

Finding the File for a Detached Signature

Is it the Right File?

Retrieve public keys that signed a key I have

Related Question