How to use GPG to verify signed content from Product Security

Updated -

Content produced by Red Hat Product Security may be cryptographically signed. For vulnerability detection scripts and other content we use GnuPG to create a detached signature of the file.

GnuPG produces a type of one-way hash for the signed file using a Red Hat Product Security private key. Everyone can download an accompanying public key and verify the authenticity of the signed file.

To perform the verification, you need the following:

  • Signed file – for example, a vulnerability detection script
  • Detached signature – accompanying file with “.asc” extension
  • Public key – downloaded from a key server

Downloading the public key

The following commands can be used to perform the verification:

When not using a proxy server:

$ gpg --keyserver pgp.mit.edu --recv 7514F77D8366B0D9

When using a proxy server:

$ gpg2 --keyserver pgp.mit.edu --keyserver-options http-proxy=<proxy_address>:<proxy_port> --search-keys 7514F77D8366B0D9

Example:

$ gpg2 --keyserver pgp.mit.edu --keyserver-options http-proxy=192.168.1.100:8080 --search-keys 7514F77D8366B0D9

If you have trouble contacting the pgp.mit.edu keyserver, you may try different one, such as: keys.gnupg.net or hkps.pool.sks-keyservers.net.

Verifying the Content

Using the key that you just downloaded, you can now verify the signed file you have downloaded from Red Hat.

$ gpg --verify <signature file> <signed file>

Example:

$ gpg --verify spectre-meltdown.sh.asc spectre-meltdown.sh

If the script is authentic you should see output similar to this:

gpg: Signature made Sat 01 Aug 2020 01:53:27 PM CEST
gpg:                using RSA key 7514F77D8366B0D9
gpg: Good signature from "Red Hat, Inc. (tools key) <secalert@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8B12 20FC 564E 9583 2002  05FF 7514 F77D 8366 B0D9

Also the return value from gpg command is 0.

Failed check looks similar to this:

gpg: Signature made Wed 29 Jul 2020 06:13:52 PM CEST
gpg:                using RSA key 7514F77D8366B0D9
gpg: BAD signature from "Red Hat, Inc. (tools key) <secalert@redhat.com>" [unknown]

Also the return value from gpg command is not 0.

If you do not see “Good signature” then the check failed. The “WARNING” part of the output is expected and for this usage is of no concern.