How to use GPG to verify signed content from Product Security
Content produced by Red Hat Product Security may be cryptographically signed. For vulnerability detection scripts and other content we use GnuPG to create a detached signature of the file.
GnuPG computes a one-way hash of the file and signs it with a Red Hat Product Security private key. Anyone can download the accompanying public key and use it to verify the authenticity of the signed file.
To perform the verification, you need the following:
- Signed file – for example, a vulnerability detection script
- Detached signature – accompanying file with “.asc” extension
- Public key – downloaded from a key server
Downloading the public key
The following commands download the public key:
When not using a proxy server:
$ gpg --keyserver pgp.mit.edu --recv 7514F77D8366B0D9
When using a proxy server:
$ gpg2 --keyserver pgp.mit.edu --keyserver-options http-proxy=<proxy_address>:<proxy_port> --search-keys 7514F77D8366B0D9
Example:
$ gpg2 --keyserver pgp.mit.edu --keyserver-options http-proxy=192.168.1.100:8080 --search-keys 7514F77D8366B0D9
If you have trouble contacting the pgp.mit.edu keyserver, you may try a different one, such as keys.gnupg.net or hkps.pool.sks-keyservers.net.
Verifying the Content
Using the key that you just downloaded, you can now verify the signed file you have downloaded from Red Hat.
$ gpg --verify <signature file> <signed file>
Example:
$ gpg --verify spectre-meltdown.sh.asc spectre-meltdown.sh
If the script is authentic, you should see output similar to this:
gpg: Signature made Sat 01 Aug 2020 01:53:27 PM CEST
gpg: using RSA key 7514F77D8366B0D9
gpg: Good signature from "Red Hat, Inc. (tools key) <secalert@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8B12 20FC 564E 9583 2002 05FF 7514 F77D 8366 B0D9
The exit status of the gpg command is also 0.
A failed check looks similar to this:
gpg: Signature made Wed 29 Jul 2020 06:13:52 PM CEST
gpg: using RSA key 7514F77D8366B0D9
gpg: BAD signature from "Red Hat, Inc. (tools key) <secalert@redhat.com>" [unknown]
The exit status of the gpg command is also non-zero.
If you do not see “Good signature”, the check failed. The “WARNING” lines are expected and, for this usage, of no concern.
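The steps above (fetch the key, run gpg --verify, check for “Good signature” and a zero exit status) are easy to get wrong when scripted, because the human-readable output and the WARNING lines are not meant for parsing. The following POSIX shell script is an added example, not Red Hat's own tooling: it runs the same gpg --verify call with GnuPG's machine-readable status output (--status-fd) and accepts the file only when a VALIDSIG line names the expected key fingerprint, which is the value printed as “Primary key fingerprint” in the good-signature output above. Pinning the fingerprint is what makes the “not certified” warning safe to ignore, since it ties the result to that specific key rather than to any key that happens to be in your keyring. The status keywords (GOODSIG, VALIDSIG, BADSIG, ERRSIG, NO_PUBKEY) are GnuPG's documented status-fd format; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not Red Hat's own tooling): verify a detached GPG signature
# and pin the signing key's fingerprint instead of trusting any key in the
# keyring. Fingerprint taken from the page's expected "Good signature" output,
# with the spaces removed.
EXPECTED_FPR="8B1220FC564E9583200205FF7514F77D8366B0D9"

# check_gpg_status <expected-fingerprint>
# Reads GnuPG status lines (as produced by "gpg --status-fd 1") on stdin.
# Returns 0 only when a VALIDSIG line carries the expected fingerprint,
# either as the signing key ($3) or as the primary key ($12), and no
# BADSIG/ERRSIG/NO_PUBKEY line was seen. Anything else (a valid signature
# from some other key, a bad signature, no signature at all) returns 1.
check_gpg_status() {
    # Accept the fingerprint in the spaced form gpg prints or as a bare hex string.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = 1 }
        # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pkalgo> <hashalgo> <class> [<primary-fpr>]
        $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_signed_file <signature.asc> <signed-file>
# The page's "gpg --verify <signature file> <signed file>" call, with the
# machine-readable status stream sent to stdout so the result can be checked
# programmatically rather than by reading "Good signature" off the terminal.
verify_signed_file() {
    sig="$1"
    file="$2"
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | check_gpg_status "$EXPECTED_FPR"
}

# Usage: ./verify.sh spectre-meltdown.sh.asc spectre-meltdown.sh
if [ "$#" -eq 2 ]; then
    if verify_signed_file "$1" "$2"; then
        echo "OK: valid signature from the pinned Red Hat Product Security key"
    else
        echo "FAILED: signature missing, invalid, or made by a different key" >&2
        exit 1
    fi
fi
```

The script deliberately ignores gpg's exit status on its own: gpg also exits 0 for a valid signature from an unrelated key you happen to have imported, which is exactly the case the fingerprint check is there to catch.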