Menu
Search

Forums

Forum Index

Thread overview
dmd download sig file, how do I use it
Mar 25, 2018
Ali
Mar 25, 2018
Seb
Mar 25, 2018
Ali
Mar 25, 2018
Seb
March 25, 2018
Gravatar of AliPosted by AliReply
Ali
Gravatar of Ali


Reply
Hi All,

The DMD download is accompanied with a sig file
How exactly do I use this sig file
I am assuming I can use it in place of checksum to verify the download

And to be honest, I have almost zero knowledge for gpg and encryption
I googled a little but, didnt exactly find what I was hoping to find

I tried the following command
> gpg --verify dmd_2.079.0-0_amd64.deb.sig dmd_2.079.0-0_amd64.deb

which returns

 gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST
 gpg:                using RSA key B273811612BB1939
 gpg: Can't check signature: No public key


I guess this means, the file is not verified
So how can I do a complete verification?

I also downloaded the keryring file, from link in the download page
but also couldnt figure out how to use it

Any explanation of how this gpg sig key works and how to use it to verify the download
would be appreciated

thanks
March 25, 2018
Gravatar of SebPosted by Seb
in reply to Ali		Reply
Seb
Gravatar of Seb
Posted in reply to Ali


Reply
On Sunday, 25 March 2018 at 03:17:51 UTC, Ali wrote:
> Hi All,
>
> The DMD download is accompanied with a sig file
> How exactly do I use this sig file
> I am assuming I can use it in place of checksum to verify the download
>
> And to be honest, I have almost zero knowledge for gpg and encryption
> I googled a little but, didnt exactly find what I was hoping to find
>
> I tried the following command
>> gpg --verify dmd_2.079.0-0_amd64.deb.sig dmd_2.079.0-0_amd64.deb
>
> which returns
>
>  gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST
>  gpg:                using RSA key B273811612BB1939
>  gpg: Can't check signature: No public key
>
>
> I guess this means, the file is not verified
> So how can I do a complete verification?
>
> I also downloaded the keryring file, from link in the download page
> but also couldnt figure out how to use it
>
> Any explanation of how this gpg sig key works and how to use it to verify the download
> would be appreciated
>
> thanks

The official install script takes care of this automatically:

https://dlang.org/install.html

If you want to do this manually, you need to grab the D keyring from here:

https://dlang.org/gpg_keys.html

And here's how you would verify the signature automatically like e.g.

gpg --verify --keyring ~/dlang/d-keyring.gpg --no-default-keyring dmd.2.079.0.linux.tar.xz.sig dmd.2.079.0.linux.tar.xz

It's also possible to permanently add this keyring to your installation with e.g. gpg --import ~/dlang/d-keyring.gpg

(Note: the individual keys in the keyring are currently expired and we are working on rolling out a new keyring, but that doesn't affect yverifying the existing signatures.)
March 25, 2018
Gravatar of AliPosted by Ali
in reply to Seb		Reply
Ali
Gravatar of Ali
Posted in reply to Seb


Reply
On Sunday, 25 March 2018 at 04:01:28 UTC, Seb wrote:
> gpg --verify --keyring ~/dlang/d-keyring.gpg --no-default-keyring dmd.2.079.0.linux.tar.xz.sig dmd.2.079.0.linux.tar.xz

Thanks, I guess this kinda works
I am now getting

 gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST
 gpg:                using RSA key B273811612BB1939
 gpg: Good signature from "Martin Nowak <martin.nowak@plugintheworld.com>" [expired]
 gpg:                 aka "Martin Nowak (dawg) <me@dawg.eu>" [expired]
 gpg:                 aka "Martin Nowak <code@dawg.eu>" [expired]
 gpg: Note: This key has expired!
 Primary key fingerprint: AFC7 DB45 693D 62BB 472B  F27B AB8F E924 C2F7 E724
      Subkey fingerprint: A734 4DAD 3C34 1EA1 2D13  C4E6 B273 8116 12BB 1939

The command is a bit tricky, originally i kept trying the command with only the keyring file name, which didnt work, it needed the path

> (Note: the individual keys in the keyring are currently expired and we are working on rolling out a new keyring, but that doesn't affect yverifying the existing signatures.)

while you are at it, also add a sha1 or a sh256 checksum, i think it will work better to verify the download
March 25, 2018
Gravatar of SebPosted by Seb
in reply to Ali		Reply
Seb
Gravatar of Seb
Posted in reply to Ali


Reply
On Sunday, 25 March 2018 at 14:13:41 UTC, Ali wrote:
>> (Note: the individual keys in the keyring are currently expired and we are working on rolling out a new keyring, but that doesn't affect yverifying the existing signatures.)
>
> while you are at it, also add a sha1 or a sh256 checksum, i think it will work better to verify the download

Sha1 or sha256 can't be verified automatically, because it requires you to download the checksum from the same source.
They can be used if you have checked the authenticity in another way, but if dlang.org is compromised the attacker would also change the checksums, but he can't change your local, verified keyring.

For this reason, it's common for Linux distro to sign their packages:

https://wiki.archlinux.org/index.php/Pacman/Package_signing
https://wiki.debian.org/SecureApt