Find the answer to your Linux question:
Results 1 to 2 of 2
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    How do you verify signatures?


    For context, I need to verify Qubes-OS. Link: https://www.qubes-os.org/security/verifying-signatures/

    I've been using Linux for 2 years now but I still don't know how a signature is verified from the command line.

    1) THE THEORY: I think I understand how signatures are verified via This link. It also provides a decent explanation of public-private key encryption.

    So currently from my understanding, a company/group of devs would encrypt a hash of the original file with their private key; the result is the signature. Users who download it will be able to decrypt the signature with the company's public key; the result is the original hash. The user then hashes the received file and compares the received hash with the original hash. Is this correct?

    2) How is this done from the command line? Can someone please explain or link to a decent article you may know of? I can't find one that actually explains this nicely and am currently just getting confused. I have looked up a number of vids and articles online but I still can't for the life of me figure this out.

    Some methods for some Linux ISOs/downloads involve .sig files and some involve .PGP files. My case features a PGP file.

  2. #2
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    4,087
    -->
    1) yes, this is the correct approach, although there is a little more to it than that, as you would need to ensure the public key you're using to decrypt the signature does indeed represent the person or entity you expect - this is done using the same signature checking method on their public key. Briefly speaking the public key is wrapped in a certificate - which at it simplest is a public key with signature signed by a trusted 3rd party (e.g. a certificate authority).

    Here's the way:

    * calculate the hash, sometimes called the digest, of the stuff that is signed - take into account the hash method used, the message or signature may well state this somewhere.
    * get the owners certificate and validate that is trusted by checking its signature, the certificate that was used to sign this certificate may itself need verifying by calculating its hash and comparing to the one in the signature attached to the cert. Repeat all the way back up the cert chain until you reach a trusted root certificate
    * use the owner's certificate (public key) and use it to decrypt the provided signature and reveal the original hash/digest
    * compare the two hashes, if they're different the stuff that was signed has been tampered with.

    2) There is some openssl command line help here:
    https://sandilands.info/sgordon/simp...n-command-line
    Linux user #126863 - see http://linuxcounter.net/

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •