/*********************************************************************
* Author: Samson
* Date: 04/04/2014
* Test platform:
* Linux ubuntu 3.2.0-58-generic-pae
* GNU bash, version 4.2.39
*********************************************************************/
What is a digital signature?
A digital signature is a digital string that only the sender of the information can produce and that nobody else can forge. This string also serves as valid proof of the authenticity of the information the sender sent. Digital signatures are an application of asymmetric key encryption technology and message digest technology.
What are the main functions?
It ensures the integrity of transmitted information, authenticates the sender's identity, and prevents repudiation in transactions. Digital signature technology encrypts the digest of the message with the sender's private key and sends it to the receiver together with the original text. The receiver can decrypt the encrypted digest only with the sender's public key. The receiver then uses the hash function to compute a digest of the received original text and compares it with the decrypted digest. If the two are the same, the received information is complete and has not been modified during transmission; otherwise, the information has been modified. A digital signature can therefore verify the integrity of the information. Signing is an encryption process, and signature verification is a decryption process.
The following example shows how to verify a signature to make sure that a downloaded file has not been modified, which guards against a package being altered by someone other than the author and then redistributed (a lot can be made of that, you know :_()
How do you use gpg signatures to verify that a downloaded file is intact? Take MediaWiki as an example:
First, download the package from the official MediaWiki website:
mediawiki-1.22.5.tar.gz
Obtain the signature file for the above version, and then obtain the public key. The relevant items on the web page are as follows:
Get the MediaWiki 1.22.5 GPG signature file: mediawiki-1.22.5.tar.gz.sig
The MediaWiki GPG public key published there must be saved to a public key file, here mediawiki_pubkey.txt;
Import the public key to the current system:
fuckids@debian-IDS:~/Wiki$ gpg --import mediawiki_pubkey.txt
gpg: /home/fuckids/.gnupg/trustdb.gpg: trustdb created
gpg: key 7F901A30: public key "Mark A. Hershberger <mah@everybody.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
// List the current public key and check whether the import is successful
fuckids@debian-IDS:~/Wiki$ gpg -k
/home/fuckids/.gnupg/pubring.gpg
--------------------------------
pub   2048R/7F901A30 2009-07-01 [expires: 2019-06-29]
uid                  Mark A. Hershberger <mah@everybody.org>
sub   2048R/84896BEA 2009-07-01 [expires: 2019-06-29]
// Use the signature file to verify the downloaded file:
fuckids@debian-IDS:~/Wiki$ gpg --verify mediawiki-1.22.5.tar.gz.sig mediawiki-1.22.5.tar.gz
gpg: Signature made Fri 28 Mar 2014 08:21:11 AM CST using RSA key ID 7F901A30
gpg: Good signature from "Mark A. Hershberger <mah@everybody.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3CEF 8262 806D 3F0B 6BA1 DBDD 7956 EE47 7F90 1A30
The line gpg: Good signature from "Mark A. Hershberger <mah@everybody.org>" indicates that the signature file is correct, which means that the downloaded package has not been modified in transit;
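The session above ends with a WARNING because the imported key is not certified, so "Good signature" only says that some key in the keyring signed the file. As an added example (not part of the original post), the script below reads gpg's machine-readable --status-fd output and accepts the download only when the primary key fingerprint equals the one printed above; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint instead of relying on
# "Good signature" alone. The value is the fingerprint printed in the session
# above; compare it against a copy obtained independently of the download site.
EXPECTED_FPR=3CEF8262806D3F0B6BA1DBDD7956EE477F901A30

# check_gpg_status FPR: read "gpg --status-fd" lines on stdin and succeed only
# if the signature is good and its primary key fingerprint equals FPR.
check_gpg_status() {
    awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, the last field the primary key
        $2 == "VALIDSIG" && toupper($NF) == want { pinned = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit ((good && pinned && !bad) ? 0 : 1) }
    '
}

# verify_download SIG FILE [FPR]: run gpg on a detached signature and apply
# the check above. A missing gpg binary yields no status lines and fails.
verify_download() {
    gpg --batch --no-tty --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_gpg_status "${3:-$EXPECTED_FPR}"
}

# Constructed status output (not captured from a real run).
SAMPLE_GOOD='[GNUPG:] GOODSIG 7956EE477F901A30 Mark A. Hershberger <mah@everybody.org>
[GNUPG:] VALIDSIG 3CEF8262806D3F0B6BA1DBDD7956EE477F901A30 2014-03-28 1395966071 0 4 0 1 2 00 3CEF8262806D3F0B6BA1DBDD7956EE477F901A30'
# A valid signature made by some other imported key (constructed fingerprint).
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <someone@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-03-28 1395966071 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
# The file does not match the signature.
SAMPLE_BAD='[GNUPG:] BADSIG 7956EE477F901A30 Mark A. Hershberger <mah@everybody.org>'
```

Usage: verify_download mediawiki-1.22.5.tar.gz.sig mediawiki-1.22.5.tar.gz && echo "signature and fingerprint OK"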
For more information about gpg, see:
http://www.gnupg.org
http://www.ruanyifeng.com/blog/2013/07/gpg.html
http://hi.baidu.com/hs_fish/item/8eb09d0b1bab79006c9048c9