Use gpg signature verification to check whether a downloaded file is intact

Source: Internet
Author: User
Tags gnupg mediawiki

/*********************************************************************
 * Author: Samson
 * Date: 04/04/2014
 * Test platform:
 *     Linux ubuntu 3.2.0-58-generic-pae
 *     GNU bash, version 4.2.39
 *********************************************************************/


What is a digital signature?

A digital signature is a string of digits that only the sender of the information can produce and that others cannot forge. This string is also valid proof of the authenticity of the information sent by the sender. Digital signatures are an application of asymmetric key encryption and message digest technology.

What are the main functions?

A digital signature ensures the integrity of transmitted information, authenticates the sender's identity, and prevents repudiation in transactions. The sender encrypts the digest of the message with the sender's private key and sends it to the receiver together with the original text. The receiver can decrypt the encrypted digest only with the sender's public key. The receiver then uses the hash function to compute a digest of the received original text and compares it with the decrypted digest. If the two are the same, the received information is complete and was not modified during transmission; otherwise, the information has been modified. A digital signature can therefore verify the integrity of the information. Signing is an encryption process, and signature verification is a decryption process.

The following example shows how to verify a signature to make sure that a downloaded file has not been modified, which prevents a package from being modified by someone other than the author and then replayed (a lot can be done with that, you know).

How do you use gpg signature verification to check whether a downloaded file is intact? Take MediaWiki as an example:

First, download the package from the official MediaWiki website:

mediawiki-1.22.5.tar.gz

Obtain the signature file for the version above, and then obtain the public key. They are found on the web page as follows:

Get the MediaWiki 1.22.5 GPG signature file: mediawiki-1.22.5.tar.gz.sig

Save the MediaWiki GPG public key from the page to a public key file, here mediawiki_pubkey.txt.

Import the public key to the current system:

fuckids@debian-IDS:~/Wiki$ gpg --import mediawiki_pubkey.txt
gpg: /home/fuckids/.gnupg/trustdb.gpg: trustdb created
gpg: key 7F901A30: public key "Mark A. Hershberger <mah@everybody.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found


// List the current public key and check whether the import is successful
fuckids@debian-IDS:~/Wiki$ gpg -k
/home/fuckids/.gnupg/pubring.gpg
--------------------------------
pub   2048R/7F901A30 2009-07-01 [expires: 2019-06-29]
uid                  Mark A. Hershberger <mah@everybody.org>
sub   2048R/84896BEA 2009-07-01 [expires: 2019-06-29]

// Use the signature file to verify the downloaded file:

fuckids@debian-IDS:~/Wiki$ gpg --verify mediawiki-1.22.5.tar.gz.sig mediawiki-1.22.5.tar.gz
gpg: Signature made Fri 28 Mar 2014 08:21:11 AM CST using RSA key ID 7F901A30
gpg: Good signature from "Mark A. Hershberger <mah@everybody.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3CEF 8262 806D 3F0B 6BA1 DBDD 7956 EE47 7F90 1A30

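The line gpg: Good signature from "Mark A. Hershberger <mah@everybody.org>" shows that the signature matches the file, which means the downloaded package was not modified in transit. The WARNING that follows means only that the imported key has not been certified by a key you trust, so compare the primary key fingerprint with the one the project publishes.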
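The same check done by a script, as an added example that is not part of the original article: it reads gpg's machine-readable --status-fd output and accepts the file only if the signature is valid and the key fingerprint equals a pinned value. The function names and the sample status lines are constructed for illustration; the pinned fingerprint is the one printed in the gpg output above.

```shell
#!/bin/sh
# Added example, not from the original article.
# Fingerprint as printed by gpg in the article; confirm it against the value
# the project publishes before pinning it.
PINNED_FPR="3CEF 8262 806D 3F0B 6BA1 DBDD 7956 EE47 7F90 1A30"

# check_status FPR: read `gpg --status-fd` lines on stdin. Succeed only if a
# VALIDSIG line names FPR as signing key or primary key, and no line reports
# a bad, unverifiable, expired or revoked signature.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pinned SIGFILE DATAFILE [FPR]: run gpg and apply check_status.
# Human-readable messages go to stderr and are dropped; only status lines
# reach the pipe.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$PINNED_FPR}"
}

# Constructed status lines (timestamps invented) shaped like gpg's output for
# a good signature by the article's key.
sample_good_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 7956EE477F901A30 Mark A. Hershberger <mah@everybody.org>
[GNUPG:] VALIDSIG 3CEF8262806D3F0B6BA1DBDD7956EE477F901A30 2014-03-28 1395966071 0 4 0 1 2 00 3CEF8262806D3F0B6BA1DBDD7956EE477F901A30
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Usage: sh verify.sh mediawiki-1.22.5.tar.gz.sig mediawiki-1.22.5.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2"; then
        echo "OK: valid signature from pinned key"
    else
        echo "FAILED: do not use $2" >&2
        exit 1
    fi
fi
```

Called with the signature file and the tarball as arguments, the script exits non-zero unless the check passes, so it can gate an unpack or install step.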


For more information about gpg, see:

http://www.gnupg.org

http://www.ruanyifeng.com/blog/2013/07/gpg.html

http://hi.baidu.com/hs_fish/item/8eb09d0b1bab79006c9048c9
