Linux Security Cookbook (O'Reilly)
Language: eng
Format: epub
ISBN: 0-596-00391-9
Publisher: O'Reilly
Published: 2011-10-03T17:01:59.014128+00:00
7.21.3 Discussion
Importing a key does not verify its validity: it does not verify that the claimed binding between a user identity (name, email address, etc.) and the public key is legitimate. For example, if you use gpg --verify to check a signature made with a key imported from a keyserver, GnuPG may still produce the following warning, even if the signature itself is good:

    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
A keyserver does absolutely nothing to assure the ownership of keys. Anyone can add a key to a keyserver, at any time, with any name whatsoever. A keyserver is only a convenient way to share keys and their associated certificates; all responsibility for checking keys against identities rests with you, the GnuPG user, employing the normal GnuPG web-of-trust techniques. To trust a given key K, either you must trust K directly, or you must trust another key which has signed K, and thus whose owner (recursively) trusts K.
The ultimate way to verify a key is to check its fingerprint with the key owner directly. [Recipe 7.9] If you need to verify a key and do not have a chain of previously verified and trusted keys leading to it, then anything you do to verify it involving only computers has some degree of uncertainty; it's just a question of how paranoid you are and how sure you want to be.
This situation comes up often when verifying signatures on downloaded software. [Recipe 7.15] You should always verify such signatures, since servers do get hacked and Trojan horses do get planted in commonly-used software packages. A server that contains some software (foo.tar.gz) and a signature (commonly foo.tar.gz.asc or foo.tar.gz.sig) should also have somewhere on it the public key used to generate the signature. If you have not previously obtained and verified this key, download it now and add it to your keyring. [Recipe 7.10] If the key is signed by other keys you already trust, you're set. If not, don't trust it simply because it came from the same server as the software! If the server were compromised and software modified, a savvy attacker would also have replaced the public key and generated new, valid signatures using that key. In this case, it is wise to check the key against as many other sources as possible. For instance:
Check the key fingerprint against copies of the key stored elsewhere. [Recipe 7.9]
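The following shell script is an added example for this discussion; it is not code from the Linux Security Cookbook. It shows why "the signature verified" is not the same as "the key is trustworthy": gpg --verify exits 0 for a good signature even when the signing key is uncertified, and only prints the WARNING quoted above. A script that checks only the exit code therefore accepts exactly the replaced-key scenario described in the text. Instead, the script reads GnuPG's machine-readable --status-fd output and accepts a download only when the signing key's full fingerprint matches one confirmed out of band (Recipe 7.9) and GnuPG reports the key as fully or ultimately trusted. The file names (foo.tar.gz, status.txt), the fingerprints and the status transcripts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Linux Security Cookbook. Decide whether a signed
# download is acceptable from GnuPG's --status-fd output rather than from the
# exit code of gpg --verify, which is 0 even for an untrusted key.
#
# Real-world use (file names assumed):
#   gpg --status-fd 1 --verify foo.tar.gz.asc foo.tar.gz >status.txt 2>/dev/null
#   check_gpg_status status.txt "$EXPECTED_FPR" && echo accepted
# EXPECTED_FPR is the full 40-hex-digit fingerprint confirmed out of band
# (Recipe 7.9), never one fetched from the same server as the software.

# check_gpg_status STATUS_FILE EXPECTED_FPR
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR (as the signing key or
# as its primary key) and GnuPG reports TRUST_FULLY or TRUST_ULTIMATE.
check_gpg_status() {
    status_file=$1
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    sig_fpr=""
    primary_fpr=""
    trust=""
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                # field 3: fingerprint of the (sub)key that made the signature;
                # last field: fingerprint of the primary key
                sig_fpr=$(printf '%s\n' "$line" | awk '{print $3}')
                primary_fpr=$(printf '%s\n' "$line" | awk '{print $NF}')
                ;;
            "[GNUPG:] TRUST_"*)
                trust=$(printf '%s\n' "$line" | awk '{print $2}')
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                echo "reject: bad signature or signing key unavailable" >&2
                return 1
                ;;
        esac
    done <"$status_file"

    if [ -z "$sig_fpr" ]; then
        echo "reject: no valid signature reported" >&2
        return 1
    fi
    if [ "$sig_fpr" != "$expected" ] && [ "$primary_fpr" != "$expected" ]; then
        echo "reject: signed by $sig_fpr, expected $expected" >&2
        return 1
    fi
    case $trust in
        TRUST_FULLY|TRUST_ULTIMATE) return 0 ;;
        *)
            # TRUST_UNDEFINED, TRUST_NEVER, TRUST_MARGINAL or no trust line:
            # this is the "not certified with a trusted signature" case
            echo "reject: key trust level is '${trust:-unknown}'" >&2
            return 1 ;;
    esac
}

# Constructed fingerprints for the demonstration (not real keys).
DEMO_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR="FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# write_status FILE FPR TRUST_KEYWORD: emit a constructed --status-fd transcript
# in the line format GnuPG documents (NEWSIG, GOODSIG, VALIDSIG, TRUST_*).
write_status() {
    keyid=$(printf '%s' "$2" | tail -c 16)
    cat >"$1" <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG $keyid Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $2 2003-06-01 1054425600 0 4 0 1 10 00 $2
[GNUPG:] $3 0 pgp
EOF
}

# run_demo FPR_IN_SIG TRUST_KEYWORD: verdict of check_gpg_status on a
# constructed transcript, with DEMO_FPR as the out-of-band expected key.
run_demo() {
    tmp=$(mktemp)
    write_status "$tmp" "$1" "$2"
    rc=0
    check_gpg_status "$tmp" "$DEMO_FPR" 2>/dev/null || rc=$?
    rm -f "$tmp"
    return $rc
}

demo_untrusted() { run_demo "$DEMO_FPR" TRUST_UNDEFINED; }  # good sig, uncertified key
demo_trusted()   { run_demo "$DEMO_FPR" TRUST_FULLY; }      # good sig, trusted key
demo_wrong_key() { run_demo "$OTHER_FPR" TRUST_FULLY; }     # trusted key, but not the expected one

for d in demo_untrusted demo_trusted demo_wrong_key; do
    if "$d"; then echo "$d: accepted"; else echo "$d: rejected"; fi
done
```

Only demo_trusted is accepted: the first transcript is the situation the warning above describes (good signature, key of unknown ownership), and the third is the replaced-key case, where a fully trusted key signed the file but it is not the key whose fingerprint was confirmed elsewhere.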