IT Support Small Medium Business

In his comment on my recent post asking why wordpress.org dev team didn’t opt to sign their popular blog server software package, Barry said it might be cool to actually spell out how to sign a file digitally. With my tax mailed out this afternoon (Yeah,  don’t have to wait in line with all other last-minute losers this year!),  I have some breathing time to actually take a stab using GnuPG as an example. GnuPG is an open-source counterpart of the PGP.

• To sign a file digitally, you first need to have a pair of keys. If you don’t have one yet, read my earlier post on how to generate one along with best practice recommendations.
• Quite a few ways to sign a file.  A file named ‘digital.signature.testfile’ has been created for illustration.
  • sign the file to generate a new file containing only its digital signature. The new file is known as the (detached) signature file.
    • in armor text.  The signature file’s name is the original file name appended with a .asc extension. It is reable by human.

                                gpg –detach-sign -a digital.signature.testfile

    • not in armor text. The signature file’s name is the original file name appended with a .gpg extension. It is NOT readable by human.

                                gpg –detach-sign digital.signature.testfile

  • sign it to generate a new file containing the original content as well as digital signature. This is known as the signed file.
    • clear-text signing, meaning the the original content can be read as clear text inside the new file. The signed file’s name is the original file name appended with a .asc extension. It is readable by human.

                                 gpg -s –clearsign digital.signature.testfile

    • non-clear-text signing, meaning the the original content can NOT be read as clear text inside the new file. The signed file’s name is the original file name appended with a .gpg extension. It is NOT readable by human.

                                 gpg -s digital.signature.testfile

• Most software packages need to be unpacked using unzip, tar, 7z, rar or alike, it is obvious the preferred way is not to touch the software packages, but to provide detached signature files in armor text. As a result, you often see on the download page, listed side by side are a package file named  popular.package-1.1.3.tar.gz and its signature file popular.package-1.1.3.tar.gz.asc.
• The contents of the original file, the signed file by clear-sign, the detached signature file via clear-sign are all appended below for your reference.

/home/experts8$  cat digital.signature.testfile # the original file
Wed Apr 11 23:46:07 EDT 2007
/home/experts8$ cat digital.signature.testfile.asc # the signed file by clear-sign
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Wed Apr 11 23:46:07 EDT 2007
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.1 (Cygwin)

iD8DBQFGHau1qVSbap/EkWYRAkQhAJ98vWY/peeVYW+sQ0JLXm1DWQuB+ACfXHoo
NGV2PrjRiyKJSN5mmmKm3IE=
=Axe4
—–END PGP SIGNATURE—–

/home/experts8$ cat digital.signature.testfile.asc  #detached signature file in armor text
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.1

iD8DBQBGHbBUqVSbap/EkWYRAtH/AJ9cPHrnz7s1HFIyiJrzxzEPuuPTAwCaAkyi
jvSor1JP4ODC5RW59Hue1f8=
=8+4g
—–END PGP SIGNATURE—–

A pair of GnuPG keys are needed to sign files digitally. Below, I’ll highlight the choices you made when generating a pair of GnuPG keys only to sign and not to encrypt, using the cygwin port of GnuPG. The entire key-generation session will be appended at the end(Appendix A). A list of best practice recommendations for digital signature security are provided as well.

A GnuPG key pair has two keys, one private and the other public. They are mathematically related, just like asymmetric keys used in other PKI programs. The two keys in a GnuPG key pair are born equal, however. The only difference between a public key and a private key is the designation of purpose and the resultant protection scheme or lack of.  It’s like you have a newborn twin. For no good reason, you name one of the twin brothers Jerry and the other Tom, instead of the other way around. From that point on, you feed and treat them according to their names.  Late comers may come to believe that Tom was born a Tom and Jerry was born a Jerry. That is simply not true. Read the rest of this entry »

I was rather perplexed when I read the latest wordpress 2.1.3 release post. Therein, the dev team reported that they’ve taken the trouble reviewing the code base for security enhancements and whatnot. In an eh-by-the-way style P.S.,  an update was provided for the recent code tainting led by server account compromise. Read the rest of this entry »

A packager could opt to sign a RPM package. If a RPM is signed, the RPM package would contain a digital signature ready to be used to verify the integrity and authenticity of the RPM package. To be effective, the signing should be done by a different user on a separate server and both the signing user account and the signing server are secure. Once such a RPM package is downloaded, you can verify its digital signature using the rpm command itself. The key itself may need to be verified with GnuPG or PGP command.
Read the rest of this entry »

As I commented earlier about the compromised wordpress 2.1.1 release, I have always been surprised and disappointed that many FOSS software distributions don’t provide good means for users to verify the authenticity and integrity of their downloads, not to mention the leading commercial software vendors (hardware platform vendors, OS vendors, and ISV). There are some confusion about the ability and capability of checksum (MD5 or SHA1) and those of digital signatures. Read the rest of this entry »