Validate PGP Signatures

Files can be signed with PGP so that their integrity can be verified.

In this example we validate the Hadoop software from the Apache Foundation.

- First we get the file with the public keys

subzero@vm-254:~$ wget http://apache.promotionalpromos.com/hadoop/core/KEYS


- After that we import the keys into our PGP keyring

subzero@vm-254:~$ gpg --import KEYS
gpg: /home/subzero/.gnupg/trustdb.gpg: trustdb created
gpg: key A7239D59: public key "Doug Cutting (Lucene guy) <cutting@apache.org>" imported
gpg: key BB46A08C: public key "Tom White (CODE SIGNING KEY) <tomwhite@apache.org>" imported
gpg: key B8F47547: public key "Nigel Daley (QA Guy) <nigel@apache.org>" imported
gpg: key AC487ADC: public key "Owen O'Malley (CODE SIGNING) <omalley@apache.org>" imported
gpg: key 4318F669: public key "Tom White (CODE SIGNING KEY) <tomwhite@apache.org>" imported
gpg: Total number processed: 5
gpg: imported: 5

- Next we check the integrity of our PGP-signed file

subzero@vm-254:~$ gpg --verify hadoop-0.20.1.tar.gz.asc
gpg: Signature made Tue 01 Sep 2009 02:07:16 PM MST using DSA key ID AC487ADC
gpg: Good signature from "Owen O'Malley (CODE SIGNING) <omalley@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0861 7DBF 3BC6 5888 9E7D 50E9 3D77 7820 AC48 7ADC


Done.
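
gpg reports "Good signature" for any key that has been imported, and the WARNING above means nothing yet ties that key to its owner, so a scripted check should also compare the signer's fingerprint with one obtained from a trusted source. The following added example (not part of the original post) does that by parsing gpg's --status-fd output. The function names, the script name and the sample status lines are constructed for illustration; the pinned fingerprint is the one shown in the output above.

```shell
#!/bin/sh
# Added example: verify a detached signature and pin the signer's fingerprint.
# EXPECTED_FPR is the fingerprint gpg printed above, with the spaces removed.
EXPECTED_FPR="08617DBF3BC658889E7D50E93D777820AC487ADC"

# check_status FPR: read `gpg --status-fd` lines on stdin; succeed only if a
# VALIDSIG line names FPR and nothing reports a bad, expired or revoked signature.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # Field 3 is the signing key fingerprint; the last field is the
        # primary key fingerprint (equal to field 3 when no subkey signed).
        $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
            else bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# verify_release SIGFILE DATAFILE: machine-readable status goes to stdout,
# the human-readable text to stderr.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed status output (not captured from a real run): a valid signature
# from the pinned key, and a valid signature from some other imported key.
sample_pinned_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG 3D777820AC487ADC Owen O'Malley (CODE SIGNING) <omalley@apache.org>
[GNUPG:] VALIDSIG 08617DBF3BC658889E7D50E93D777820AC487ADC 2009-09-01 1251839236 0 3 0 17 2 00 08617DBF3BC658889E7D50E93D777820AC487ADC
EOF
}
sample_other_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-09-01 1251839236 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

# Usage (verify.sh is a hypothetical name): sh verify.sh FILE.asc FILE
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" && echo "signature valid, signer matches pin"
fi
```

The check fails closed: a valid signature made by any key other than the pinned one is rejected, even though plain `gpg --verify` would still print "Good signature" for it.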
