Verifying exercism-cli with gpg

Hello!

Wanted to verify sha256 hashes with provided signature file.

Where do I get the public key for gpg verification?

The latest release (version 3.1.0) of the Exercism CLI is signed with Katrina’s key: 816A8B8E703E53110F1D0FBBE8761A9E46258B62.

I already had the key on my machine, but it looks like it’s available on keys.openpgp.org.

If we run this script:

#!/usr/bin/env bash
set -e

tmp_dir='exercism-cli-tmp'
mkdir -p "${tmp_dir}"
cd "${tmp_dir}"
url_base='https://github.com/exercism/cli/releases/download/v3.1.0'
echo "Downloading assets..."
curl -sSfLO "${url_base}/exercism-3.1.0-linux-x86_64.tar.gz"
curl -sSfLO "${url_base}/exercism_checksums.txt.sig"
curl -sSfLO "${url_base}/exercism_checksums.txt"
echo "Checking checksums..."
sha256sum -c --ignore-missing exercism_checksums.txt
echo "Checking signature..."
gpg --keyserver hkps://keys.openpgp.org --recv-keys 816A8B8E703E53110F1D0FBBE8761A9E46258B62
gpg --verify --verbose exercism_checksums.txt.sig

The output is:

Downloading assets...
Checking checksums...
exercism-3.1.0-linux-x86_64.tar.gz: OK
Checking signature...
gpg: key E8761A9E46258B62: "Katrina Owen <katrina.owen@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: assuming signed data in 'exercism_checksums.txt'
gpg: Signature made Tue 04 Oct 2022 11:29:59 CEST
gpg:                using RSA key 816A8B8E703E53110F1D0FBBE8761A9E46258B62
gpg: using pgp trust model
gpg: Good signature from "Katrina Owen <katrina.owen@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 816A 8B8E 703E 5311 0F1D  0FBB E876 1A9E 4625 8B62
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096

Does that help?
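One thing the script above does not do is check *which* key produced the "Good signature": gpg reports success for any key in the keyring, and the `[unknown]` / "not certified" warning in the output is gpg saying exactly that. The following is an added example, not code from the thread or from the Exercism project, that pins the expected fingerprint and accepts the release only if the detached signature was made by that key. It assumes POSIX sh with awk, sha256sum and gpg available, and that the VALIDSIG status line has the field layout documented in gpg's DETAILS file (signing-key fingerprint in field 3, primary-key fingerprint last).

```shell
#!/usr/bin/env sh
# Added example, not from the thread: accept a release only if the checksum
# file's signature was made by one pinned key. "Good signature" alone means
# "some key in the keyring", which is the confusion the later posts run into.
set -eu

# Fingerprint the thread gives for the key that signed the 3.1.0 release.
EXPECTED_FPR='816A8B8E703E53110F1D0FBBE8761A9E46258B62'

# Parse `gpg --status-fd` output. Succeeds only when a VALIDSIG line names the
# expected fingerprint as the signing key ($3) or its primary key ($NF), and no
# EXPKEYSIG/REVKEYSIG/BADSIG line is present (VALIDSIG is also emitted for
# signatures from expired or revoked keys, so VALIDSIG alone is not enough).
validsig_matches() {
  want="$1"
  printf '%s\n' "$2" | awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
    $1 == "[GNUPG:]" && ($2 == "EXPKEYSIG" || $2 == "REVKEYSIG" || $2 == "BADSIG") { bad = 1 }
    END { exit (ok && !bad) ? 0 : 1 }'
}

# Verify a downloaded release: checksums first, then the detached signature in
# a throw-away keyring so the outcome cannot depend on the user's own keys.
# usage: verify_release exercism_checksums.txt exercism_checksums.txt.sig "$EXPECTED_FPR"
verify_release() {
  checksums="$1"; sig="$2"; fpr="$3"
  sha256sum -c --ignore-missing "$checksums"
  home=$(mktemp -d)
  chmod 700 "$home"
  gpg --homedir "$home" --batch --keyserver hkps://keys.openpgp.org --recv-keys "$fpr"
  status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$checksums" 2>&1) || true
  rm -rf "$home"
  validsig_matches "$fpr" "$status"
}

# Constructed status output for testing the parser offline (the shape follows
# gpg's DETAILS documentation; the timestamps are made up).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E8761A9E46258B62 Katrina Owen <katrina.owen@gmail.com>
[GNUPG:] VALIDSIG 816A8B8E703E53110F1D0FBBE8761A9E46258B62 2022-10-04 1664875799 0 4 0 1 8 00 816A8B8E703E53110F1D0FBBE8761A9E46258B62
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Same signature, but the key has since been revoked: must be rejected.
SAMPLE_REVOKED='[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG E8761A9E46258B62 Katrina Owen <katrina.owen@gmail.com>
[GNUPG:] VALIDSIG 816A8B8E703E53110F1D0FBBE8761A9E46258B62 2022-10-04 1664875799 0 4 0 1 8 00 816A8B8E703E53110F1D0FBBE8761A9E46258B62'
```

Pinning the fingerprint also turns a silent key rotation (such as the one reported later in this thread) into a hard failure instead of a "Good signature" from an unexpected key.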

I believe it is also available on GitHub under GitHub's standard URL scheme.


Thank you for the thorough reply!!

Though I have done it multiple times, it shows that without the specific instructions I am unable to do the whole verification and checksum checking thing.

Taken from your script:

sha256sum -c --ignore-missing exercism_checksums.txt
gpg --keyserver hkps://keys.openpgp.org --recv-keys 816A8B8E703E53110F1D0FBBE8761A9E46258B62
gpg --verify --verbose exercism_checksums.txt.sig

I personally prefer people being told what they need to enter instead of being given a script they might not understand or even care what it is doing. Other than that, it is a very nice script which handles everything from downloading the 3.1.0 version of the program (and temp folder creation, which is not necessary but still neat) to checking its integrity with the checksum and testing whether the checksums were created by the right people.

Probably I should suggest somewhere visible to GitHub repo owners that verifying the signature and checking the checksum should always be done.

It is a very good practice to do that - I think the download instructions should encourage it (with an explanation of why this is necessary). At least for doing Exercism locally on Linux or on WSL in Windows.

Also thank you @kotp for linking the location of the key on GitHub. I wouldn't have been able to find it myself.

Always care about what scripts are doing that are given, just as you are caring about signed packages and checksums.

That said, it may be that the documentation has some room for improvement.

I am glad that you found a solution, though.


For anyone trying to verify the checksums today, neither of the keys at this link is used to sign the checksums. They have the following fingerprints:

  • 219C 79B7 78C3 59D6 475E 59DA 3135 6098 D114 0CE6
  • C40B 6E4C 355F 17D6 5571 AF8D A2C5 A7CA 5A4A 075C

Whereas the checksums are signed by (at least in 3.2.0) a key with fingerprint 934B 99B8 2DDF 42F6 0F37 DB26 6B2C 6581 BC40 38A8.

I was unable to find this key on keys.openpgp.org.

@kytrinyx do you know who signed the latest (3.2.0) exercism_checksums.txt.sig, and where we can get the key?

Looking at the secrets that are used for the signing, I see a GPG private key being used that was last updated two years ago. Not sure why something has changed in the meantime.

I've had to re-do the GPG keys. The latest release (3.3.0) uses this public key:

https://keys.openpgp.org/search?q=5320FA2550E568C89E5DCC4C601BA43CCA09BFF9