KBTAG: kben10000080
URL: http://www.securityportal.com/lskb/10000050/kben10000080.html
Date created: 17/07/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Verifying software and data packages
Keywords: Software
Verifying software and data packages
Many tarballs are distributed with PGP signatures in separate ASCII files; to verify them, add the developer's key to your keyring and then use PGP with the o option. This way, to trojan a package and still sign it correctly, an attacker would have to steal the developer's private PGP key and the password that unlocks it, which should be near impossible. PGP for Linux is available from: ftp://ftp.zedz.net/.
GnuPG, a completely open-source version of PGP that uses no patented algorithms, is also used. You can get it from: http://www.gnupg.org/.
Another way of signing a package is to create an MD5 checksum. The reason MD5 would be used at all (since anyone could create a valid MD5 checksum of a trojaned software package) is that MD5 is nearly universal and not controlled by export laws. The weakness is that you must somehow distribute the MD5 checksums securely in advance; this is usually done via email when a package is announced (vendors such as Sun do this for patches).
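Added example, not from the original article or from PGP/GnuPG: a small Python script that checks a downloaded tarball against an md5sum-style checksum list (the format "<hex digest>  <filename>" that vendors mail out) and wraps "gpg --verify" for a detached signature file. The package name, the checksum list and the file contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile

def parse_md5sums(text):
    """Parse md5sum-format lines ('<32 hex>  <filename>') into {filename: digest}."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError("malformed checksum line: %r" % line)
        digest, name = parts
        digests[name.lstrip("*")] = digest.lower()  # md5sum marks binary mode with '*'
    return digests

def md5_file(path):
    """MD5 of a file, read in chunks so large tarballs do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_md5(path, md5sums_text):
    """True only if the file is listed in the checksum text and its digest matches.
    This proves integrity against transit corruption, not authenticity: the list
    itself must have reached you through a trusted channel (see the article)."""
    expected = parse_md5sums(md5sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(md5_file(path), expected)

def verify_pgp(sig_path, data_path):
    """Run 'gpg --verify <sig> <data>' for a detached signature; True only on exit 0.
    The signer's public key must already be in the local keyring."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    r = subprocess.run(["gpg", "--batch", "--verify", sig_path, data_path],
                       capture_output=True)
    return r.returncode == 0

def demo():
    """Constructed sample: a 'tarball' containing b'abc' and a matching checksum list.
    Returns (result for the intact file, result after tampering)."""
    md5sums = "900150983cd24fb0d6963f7d28e17f72  example-1.0.tar.gz\n"  # MD5('abc')
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "example-1.0.tar.gz")
        with open(pkg, "wb") as f:
            f.write(b"abc")
        intact = verify_md5(pkg, md5sums)
        with open(pkg, "ab") as f:
            f.write(b"trojan")          # simulate a modified package
        return intact, verify_md5(pkg, md5sums)
```

demo() returns (True, False); an unlisted file also fails, and a malformed checksum line raises ValueError rather than being silently skipped.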