I recently decided to set up PGP, so I can send and receive encrypted e-mail. Fortunately, Thunderbird has a great extension called Enigmail that lets you to send PGP encrypted e-mails.
As a first step, I decided that I should verify that the Enigmail download was actually legitimate! It wouldn't do me any good to install Enigmail if it had been tampered with, which could leak my private PGP key.
To verify a signature file, you will use GnuPG. It was already installed on my Ubuntu machine, so I was ready to go. If you're running Windows or OS X, you can check Enigmail's getting started article to get GPG running.
Enigmail had the signature file available to download, right below the normal download link:
enigmail-1.8.2-tb+sm.xpi.asc (signature file)
Now that we have our file and our signature, let's try validating it:
$ gpg --verify enigmail-1.8.2-tb+sm.xpi.asc enigmail-1.8.2-tb+sm.xpi gpg: Signature made Thu 16 Apr 2015 11:58:24 AM EDT using RSA key ID DD5F693B gpg: Can't check signature: public key not found
That wasn't what I had hoped to see.
After a bit of reading, I figured out that I couldn't validate the signature without Enigmail's PGP public key. After tracking down their public key page, I copy/pasted the v1.8 key into a new file,
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQINBFS6eEEBEAC56tAm82tgg5BJE0dA4c5UNUDQ7SKLIsleh7TrwsKocEp1b34E .......WALL OF TEXT........ =ueNL -----END PGP PUBLIC KEY BLOCK-----
Importing a public key
Just downloading the public key doesn't do you much good, though. You have to import it into your
gpg list. You can see your current keys by running
$ gpg --list-keys /home/mhughes/.gnupg/pubring.gpg -------------------------------- pub 4096R/E57B6B46 2015-02-06 [expires: 2020-02-05] uid Matt Hughes <email@example.com> sub 4096R/A7FAFCD5 2015-02-06 [expires: 2020-02-05]
Import the new public key using
gpg --import enigmail.asc.
$ gpg --import enigmail.asc gpg: key DD5F693B: public key "Patrick Brunschwig <firstname.lastname@example.org>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2020-02-05
You can see the new key by running
gpg --list-keys again:
$ gpg --list-keys /home/mhughes/.gnupg/pubring.gpg -------------------------------- pub 4096R/E57B6B46 2015-02-06 [expires: 2020-02-05] uid Matt Hughes <email@example.com> sub 4096R/A7FAFCD5 2015-02-06 [expires: 2020-02-05] pub 4096R/DD5F693B 2015-01-17 [expires: 2025-01-14] uid Patrick Brunschwig <firstname.lastname@example.org> uid Patrick Brunschwig <email@example.com> uid [jpeg image of size 13251] sub 4096R/4E4953D8 2015-01-17 [expires: 2018-01-16]
Verify the signature
Now that you've imported Enigmail's public key, you can verify the xpi file's signature.
$ gpg --verify enigmail-1.8.2-tb+sm.xpi.asc enigmail-1.8.2-tb+sm.xpi gpg: Signature made Thu 16 Apr 2015 11:58:24 AM EDT using RSA key ID DD5F693B gpg: Good signature from "Patrick Brunschwig <firstname.lastname@example.org>" gpg: aka "Patrick Brunschwig <email@example.com>" gpg: aka "[jpeg image of size 13251]" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B
You can safely ignore the trusted signature warning in this case. It just means that the public key you imported wasn't signed by a trusted public key. For more details, check the GnuPG documentation on validating public keys.
- Download the signature file for the file in question
- Find and import the public key for the file's publisher or maintainer:
gpg --import public-key.asc
- Verify the file's signature against the publisher's public key:
gpg --verify file.ext.asc file.ext
- Feel nice from knowing you're running a legitimate release of your software