Verifying detached GPG signature in Linux

It is very important to spend a little time verifying that a downloaded file is actually what the website describes, to minimise the risk of man-in-the-middle attacks or of downloading a fraudulent file.

In most cases, a GPG signature is used for this security measure. It is based on asymmetric cryptography: the publisher signs the file with a private key, and anyone holding the matching public key can check that signature. You might want to learn more about it in the following post: Encrypt or Digitally Sign With OpenSSL using Asymmetric Keys

The process is outlined as the following:

  • Download the public key from the website and import it
  • Download the intended file and the detached signature “.sig” or “.asc” file
  • Verify the downloaded file

To illustrate the use case, the ClamAV web page will be used as the example for verifying a GPG signature.

Download the public key from the website

First of all, you’ll need to download the public key from the website. To do so, go to the ClamAV Download section, expand the “Talos PGP Public Key” and copy the text block from “-----BEGIN PGP PUBLIC KEY BLOCK-----” to “-----END PGP PUBLIC KEY BLOCK-----” (both lines included).

Downloading the PGP public key from ClamAV

Then, paste it as is into a file on your system using vim or nano and save it. In this example, the file was saved as clamav.key:

Pasting the content of the PGP public key on a file using vim

Next, to import this key file, you need to run the following command:

$ gpg --import clamav.key

The result will look similar to the following output:

$ gpg --import clamav.key 
gpg: directory `/home/fse/.gnupg' created
gpg: new configuration file `/home/fse/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/fse/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/fse/.gnupg/secring.gpg' created
gpg: keyring `/home/fse/.gnupg/pubring.gpg' created
gpg: /home/fse/.gnupg/trustdb.gpg: trustdb created
gpg: key 2B3EDD07: public key "Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

Download the intended file and the detached signature “.sig” or “.asc” file

After importing the ClamAV key, proceed to download the file you’re looking for and its corresponding signature file. In this case, the two files are:

  • clamav-0.105.1.linux.x86_64.rpm
  • clamav-0.105.1.linux.x86_64.rpm.sig

Normally, the signature file has the same name as the original file but with “.asc” or “.sig” appended.

Download section from ClamAV where you can find the files and their signatures

Execute the next commands to download both files:

$ wget -q https://www.clamav.net/downloads/production/clamav-0.105.1.linux.x86_64.rpm
$ wget -q https://www.clamav.net/downloads/production/clamav-0.105.1.linux.x86_64.rpm.sig

Downloading the desired ClamAV rpm file and the signature file sig

Verify the downloaded file’s signature

Once you have all the files in place and the PGP key imported, proceed with the following command to perform the verification:

$ gpg --verify clamav-0.105.1.linux.x86_64.rpm.sig clamav-0.105.1.linux.x86_64.rpm

If you get the message “Good signature from …”, the file has not been tampered with since it was signed. Note the WARNING that follows it: GPG has checked the signature against the key you imported, but you have not told it to trust that key, so compare the printed primary key fingerprint with the one published by the website before relying on the result:

$ gpg --verify clamav-0.105.1.linux.x86_64.rpm.sig clamav-0.105.1.linux.x86_64.rpm
gpg: Signature made Tue 26 Jul 2022 10:26:17 AM CEST using RSA key ID 2B3EDD07
gpg: Good signature from "Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E34D B95B 374B 3157 0496  CD3F 609B 024F 2B3E DD07

Let’s manually modify the downloaded rpm file to force the negative message and run the verification again:

$ echo a >> clamav-0.105.1.linux.x86_64.rpm
$ gpg --verify clamav-0.105.1.linux.x86_64.rpm.sig clamav-0.105.1.linux.x86_64.rpm

After the above commands, the message obtained should be “BAD signature from …”:

$ gpg --verify clamav-0.105.1.linux.x86_64.rpm.sig clamav-0.105.1.linux.x86_64.rpm
gpg: Signature made Tue 26 Jul 2022 10:26:17 AM CEST using RSA key ID 2B3EDD07
gpg: BAD signature from "Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>"
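The whole procedure above (import a key, verify a detached signature, detect a tampered file) as an added example that is not part of the original post. It uses a throwaway key generated in a temporary GNUPGHOME so it runs offline, and the signer name signer@example.invalid, the file release.bin and its contents are constructed for the demonstration. It goes one step beyond the post by reading gpg’s machine-readable status lines and pinning the signing key’s fingerprint, so that a “Good signature” from some other key in the keyring is still rejected:

```shell
#!/bin/sh
# Added example (not from the original post): detached-signature check with the
# signing key's fingerprint pinned. Throwaway key, constructed file.
set -eu

# Create an isolated GnuPG home, generate a throwaway RSA signing key and
# record its fingerprint in DEMO_FPR. This stands in for importing the
# vendor's public key and reading the fingerprint they publish.
make_demo_key() {
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  cat >"$GNUPGHOME/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
  gpg --batch --quiet --gen-key "$GNUPGHOME/params" 2>/dev/null
  DEMO_FPR=$(gpg --batch --with-colons --fingerprint signer@example.invalid \
             | awk -F: '$1 == "fpr" { print $10; exit }')
}

# Produce a constructed "release" file and a detached signature over it
# (the vendor's side of the process).
make_demo_release() {
  DEMO_FILE="$GNUPGHOME/release.bin"
  DEMO_SIG="$DEMO_FILE.sig"
  printf 'constructed release payload\n' >"$DEMO_FILE"
  gpg --batch --yes --quiet --detach-sign --output "$DEMO_SIG" "$DEMO_FILE" 2>/dev/null
}

# verify_detached FILE SIG FINGERPRINT
# Returns 0 only when gpg reports a valid signature AND the key that made it
# has the expected 40-hex-digit fingerprint. A plain "Good signature" line is
# produced for any key in the keyring, so the fingerprint is what ties the
# result to the publisher. --status-fd 1 gives the parseable VALIDSIG line.
verify_detached() {
  file=$1; sig=$2; expected=$3
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected "
}

# Run the three cases: untouched file, wrong fingerprint, tampered file.
demo() {
  if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    return 0
  fi
  make_demo_key
  make_demo_release
  if verify_detached "$DEMO_FILE" "$DEMO_SIG" "$DEMO_FPR"; then
    echo "untouched file: accepted"
  fi
  if ! verify_detached "$DEMO_FILE" "$DEMO_SIG" 0000000000000000000000000000000000000000; then
    echo "good signature but unexpected key fingerprint: rejected"
  fi
  echo a >>"$DEMO_FILE"   # same tampering as in the post
  if ! verify_detached "$DEMO_FILE" "$DEMO_SIG" "$DEMO_FPR"; then
    echo "tampered file: rejected"
  fi
  rm -rf "$GNUPGHOME"
}

demo
```

To use verify_detached against a real download, replace the throwaway fingerprint with the one the vendor publishes (for ClamAV, the one printed in the verification output above), for example `verify_detached clamav-0.105.1.linux.x86_64.rpm clamav-0.105.1.linux.x86_64.rpm.sig E34DB95B374B31570496CD3F609B024F2B3EDD07`.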

Here’s the screenshot of the two verification attempts:

Positive and negative signature verification test example

To conclude

By verifying the signature of what you download, you confirm that the file kept its integrity and was signed by the holder of the key you imported before you execute it on your system, which protects you from tampered files that could run fraudulent software planted by malicious actors.