How to use GPG to secure signatures to verify the integrity of a download file

What is a digital signature?

Digital signature, is only the sender of information can produce a number of people can not forge a digital string, which is also the sender of information to send information authenticity of a valid proof.

Digital Signature asymmetric key encryption technology and digital Digest technology application.

What are the main functions?

To ensure the integrity of information transmission, the identity of the sender authentication, to prevent the occurrence of repudiation in the transaction.

The digital signature technique is to encrypt the digest information with the sender's private key and transmit it to the receiver together with the original. The receiver only uses the sender's public key to decrypt the encrypted digest information, and then uses the hash function to produce a summary information to the original text, which is compared with the decrypted digest information. If the same is true, the information received is complete and is not modified during transmission, otherwise the information is modified, so digital signatures can verify the integrity of the information.

Digital signature is a process of encryption, and digital signature verification is a process of decryption.

Here is an example to illustrate how to verify the signature, to ensure that the downloaded file is not modified, to prevent being modified by a non-author after the package (this article can be big, you know: _ ()

How to use GPG for security signing to verify that the downloaded file is complete, taking MediaWiki as an example:

First, to the MediaWiki official Web download:

Mediawiki-1.22.5.tar.gz

Then get the previous version of the signature file, and then get PubKey, the page on the access point to the following figure:

Get MediaWiki 1.22.5 gpg secure signature file: Mediawiki-1.22.5.tar.gz.sig

The public key of the MediaWiki gpg of the above figure is obtained PubKey file and saved to the file mediawiki_pubkey.txt;

Import the public key into the current system:

fuckids@debian-ids:~/wiki$ GPG--import Mediawiki_pubkey.txt

GPG:/home/fuckids/.gnupg/trustdb.gpg:trustdb Created

Gpg:key 7f901a30:public Key "Mark A. Hershberger <mah@everybody.org>" Imported

Gpg:total number Processed:1

Gpg:imported:1 (rsa:1)

Gpg:no ultimately trusted keys found

Lists the current public key to check whether the import was successful

fuckids@debian-ids:~/wiki$ gpg-k

/home/fuckids/.gnupg/pubring.gpg

--------------------------------

Pub 2048r/7f901a30 2009-07-01 [expires:2019-06-29]

UID Mark A. Hershberger <mah@everybody.org>

Sub 2048r/84896bea 2009-07-01 [expires:2019-06-29]

To verify the downloaded file by using a signature file:

fuckids@debian-ids:~/wiki$ GPG--verify Mediawiki-1.22.5.tar.gz.sig mediawiki-1.22.5.tar.gz

Gpg:signature made Fri 2014 08:21:11 AM CST using RSA key ID 7f901a30

Gpg:good signature from "Mark A. Hershberger <mah@everybody.org>"

Gpg:WARNING:This key isn't certified with a trusted signature!

Gpg:there is no indication this signature belongs to the owner.

Primary key Fingerprint:3cef 8262 806D 3f0b 6ba1 dbdd 7956 EE47 7f90 1A30

Where Gpg:good signature from "Mark A. Hershberger <mah@everybody.org>" indicates that the signature file is correct, indicating that the downloaded package has not been modified in the middle;

Back to the column page: http://www.bianceng.cnhttp://www.bianceng.cn/Programming/extra/