Matt Hughes i like to grow tiny trees and tinker on stuff

Verifying a file by its signature with GnuPG

I recently decided to set up PGP, so I can send and receive encrypted e-mail. Fortunately, Thunderbird has a great extension called Enigmail that lets you send PGP-encrypted e-mails.

As a first step, I decided that I should verify that the Enigmail download was actually legitimate! It wouldn't do me any good to install Enigmail if it had been tampered with, which could leak my private PGP key.

To verify a signature file, you will use GnuPG. It was already installed on my Ubuntu machine, so I was ready to go. If you're running Windows or OS X, you can check Enigmail's getting started article to get GPG running.

Enigmail had the signature file available to download, right below the normal download link:
enigmail-1.8.2-tb+sm.xpi
enigmail-1.8.2-tb+sm.xpi.asc (signature file)

Now that we have our file and our signature, let's try validating it:

$ gpg --verify enigmail-1.8.2-tb+sm.xpi.asc enigmail-1.8.2-tb+sm.xpi

gpg: Signature made Thu 16 Apr 2015 11:58:24 AM EDT using RSA key ID DD5F693B
gpg: Can't check signature: public key not found

That wasn't what I had hoped to see.

After a bit of reading, I figured out that I couldn't validate the signature without Enigmail's PGP public key. After tracking down their public key page, I copy/pasted the v1.8 key into a new file, enigmail.asc.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQINBFS6eEEBEAC56tAm82tgg5BJE0dA4c5UNUDQ7SKLIsleh7TrwsKocEp1b34E
.......WALL OF TEXT........
=ueNL
-----END PGP PUBLIC KEY BLOCK-----

Importing a public key

Just downloading the public key doesn't do you much good, though. You have to import it into your GnuPG keyring. You can see your current keys by running gpg --list-keys.

$ gpg --list-keys
/home/mhughes/.gnupg/pubring.gpg
--------------------------------
pub   4096R/E57B6B46 2015-02-06 [expires: 2020-02-05]
uid                  Matt Hughes <matthughes.tech@gmail.com>
sub   4096R/A7FAFCD5 2015-02-06 [expires: 2020-02-05]

Import the new public key using gpg --import enigmail.asc.

$ gpg --import enigmail.asc 
gpg: key DD5F693B: public key "Patrick Brunschwig <patrick@enigmail.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-02-05

You can see the new key by running gpg --list-keys again:

$ gpg --list-keys
/home/mhughes/.gnupg/pubring.gpg
--------------------------------
pub   4096R/E57B6B46 2015-02-06 [expires: 2020-02-05]
uid                  Matt Hughes <matthughes.tech@gmail.com>
sub   4096R/A7FAFCD5 2015-02-06 [expires: 2020-02-05]

pub   4096R/DD5F693B 2015-01-17 [expires: 2025-01-14]
uid                  Patrick Brunschwig <patrick@enigmail.net>
uid                  Patrick Brunschwig <patrick@brunschwig.net>
uid                  [jpeg image of size 13251]
sub   4096R/4E4953D8 2015-01-17 [expires: 2018-01-16]

Verify the signature

Now that you've imported Enigmail's public key, you can verify the xpi file's signature.

$ gpg --verify enigmail-1.8.2-tb+sm.xpi.asc enigmail-1.8.2-tb+sm.xpi

gpg: Signature made Thu 16 Apr 2015 11:58:24 AM EDT using RSA key ID DD5F693B
gpg: Good signature from "Patrick Brunschwig <patrick@enigmail.net>"
gpg:                 aka "Patrick Brunschwig <patrick@brunschwig.net>"
gpg:                 aka "[jpeg image of size 13251]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4F9F 89F5 505A C1D1 A260  631C DB11 87B9 DD5F 693B

You can safely ignore the trusted signature warning in this case. It just means that the public key you imported wasn't certified (signed) by a key you already trust. What does matter is that the key itself is the right one, so compare the fingerprint gpg prints with the fingerprint Enigmail publishes on its public key page before relying on the result. For more details, check the GnuPG documentation on validating public keys.

Quick summary

  1. Download the signature file for the file in question
  2. Find and import the public key for the file's publisher or maintainer: gpg --import public-key.asc
  3. Verify the file's signature against the publisher's public key: gpg --verify file.ext.asc file.ext
  4. Feel nice from knowing you're running a legitimate release of your software
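To turn the steps above into something repeatable, here is an added example script (not code from the post or from Enigmail) that runs gpg --verify with machine-readable status output and only reports success when the signature is good and was made by the key whose fingerprint gpg printed above. The file name verify.sh and the status lines used for testing are assumptions; the fingerprint is the one shown in the verify step.

```shell
#!/bin/sh
# Added example (not from the post): verify a detached signature and pin the
# signer's fingerprint instead of accepting any key gpg happens to know.
# The fingerprint is the one gpg printed for Enigmail's key in the post above.
EXPECTED_FPR="4F9F 89F5 505A C1D1 A260  631C DB11 87B9 DD5F 693B"

# check_status reads gpg's machine-readable "[GNUPG:] ..." status lines on
# stdin and returns 0 only when gpg reported a good signature (GOODSIG) made
# by the key whose fingerprint (first field of the VALIDSIG line) matches $1.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ')
    good=0
    match=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # Strip the prefix, then keep the first whitespace-separated field.
                fpr=${line#*VALIDSIG }
                fpr=${fpr%% *}
                [ "$fpr" = "$expected" ] && match=1 ;;
        esac
    done
    if [ "$good" -eq 1 ] && [ "$match" -eq 1 ]; then
        return 0
    fi
    return 1
}

# verify_file runs gpg with status lines on stdout (human-readable messages
# stay on stderr) and feeds that status stream to check_status.
# Usage: verify_file <file.asc> <file> <expected fingerprint>
verify_file() {
    gpg --status-fd 1 --verify "$1" "$2" | check_status "$3"
}

# Run as a script (hypothetical name verify.sh):
#   ./verify.sh enigmail-1.8.2-tb+sm.xpi.asc enigmail-1.8.2-tb+sm.xpi
if [ $# -eq 2 ]; then
    if verify_file "$1" "$2" "$EXPECTED_FPR"; then
        echo "OK: good signature from the pinned key"
    else
        echo "FAIL: signature missing, bad, or made by an unexpected key" >&2
        exit 1
    fi
fi
```

A good signature from a different key (say, one someone slipped onto a key server under the same name) fails the check, which is exactly the case the trust warning is hinting at.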