Verifying exercism-cli with gpg

Hello!

I wanted to verify the sha256 hashes with the provided signature file.

Where do I get the public key for gpg verification?

The latest release (version 3.1.0) of the Exercism CLI is signed with Katrina’s key: 816A8B8E703E53110F1D0FBBE8761A9E46258B62.

I already had the key on my machine, but it looks like it’s available on keys.openpgp.org.

If we run this script:

#!/usr/bin/env bash
set -e  # abort on the first failing step (download, checksum or signature)

tmp_dir='exercism-cli-tmp'
mkdir -p "${tmp_dir}"
cd "${tmp_dir}"
url_base='https://github.com/exercism/cli/releases/download/v3.1.0'
echo "Downloading assets..."
# -f makes curl fail on HTTP errors instead of saving an error page as the asset
curl -sSfLO "${url_base}/exercism-3.1.0-linux-x86_64.tar.gz"
curl -sSfLO "${url_base}/exercism_checksums.txt.sig"
curl -sSfLO "${url_base}/exercism_checksums.txt"
echo "Checking checksums..."
# --ignore-missing: the checksum file lists every platform's archive; only the downloaded one is checked
sha256sum -c --ignore-missing exercism_checksums.txt
echo "Checking signature..."
# fetch the signing key by its full fingerprint, then check the detached signature over the checksum file
gpg --keyserver hkps://keys.openpgp.org --recv-keys 816A8B8E703E53110F1D0FBBE8761A9E46258B62
gpg --verify --verbose exercism_checksums.txt.sig

The output is:

Downloading assets...
Checking checksums...
exercism-3.1.0-linux-x86_64.tar.gz: OK
Checking signature...
gpg: key E8761A9E46258B62: "Katrina Owen <katrina.owen@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: assuming signed data in 'exercism_checksums.txt'
gpg: Signature made Tue 04 Oct 2022 11:29:59 CEST
gpg:                using RSA key 816A8B8E703E53110F1D0FBBE8761A9E46258B62
gpg: using pgp trust model
gpg: Good signature from "Katrina Owen <katrina.owen@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 816A 8B8E 703E 5311 0F1D  0FBB E876 1A9E 4625 8B62
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096

Does that help?
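The "WARNING: This key is not certified" line in the output above is the important caveat: "Good signature" only means the signature verifies against some key in your keyring, not that the key is Katrina's. As an added example (not code from the thread), here is a bash check that parses gpg's machine-readable status output and accepts the signature only if the VALIDSIG line carries the fingerprint quoted in the thread; the sample status lines and the placeholder key are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: "Good signature" only means the
# signature checks out against some key in the keyring. This requires that
# gpg's VALIDSIG status line names the fingerprint quoted in the thread.
set -eu

EXPECTED_FPR='816A8B8E703E53110F1D0FBBE8761A9E46258B62'

# signed_by_expected_key STATUS FPR: 0 only if STATUS (gpg --status-fd output)
# has a VALIDSIG line whose signing-key or primary-key fingerprint is FPR.
# GOODSIG is not enough: it carries only the 64-bit key ID, which is collidable.
signed_by_expected_key() {
  local want
  want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  printf '%s\n' "$1" | awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
      if (toupper($3) == want || toupper($NF) == want) ok = 1
    }
    END { if (ok) exit 0; exit 1 }'
}

# verify_release_sig SIG DATA: real-world wrapper (needs gpg and the imported
# key); status lines go to stdout, human-readable messages are discarded.
verify_release_sig() {
  local status
  status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
  signed_by_expected_key "$status" "$EXPECTED_FPR"
}

# Constructed sample status output, modelled on the thread's verification.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E8761A9E46258B62 Katrina Owen <katrina.owen@gmail.com>
[GNUPG:] VALIDSIG 816A8B8E703E53110F1D0FBBE8761A9E46258B62 2022-10-04 1664875799 0 4 0 1 8 00 816A8B8E703E53110F1D0FBBE8761A9E46258B62
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a valid signature, but from a placeholder key that is not Katrina's.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <placeholder@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-10-04 1664875799 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: the signature did not verify at all, so there is no VALIDSIG line.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG E8761A9E46258B62 Katrina Owen <katrina.owen@gmail.com>'

signed_by_expected_key "$SAMPLE_GOOD" "$EXPECTED_FPR" && echo "good sample: accepted"
signed_by_expected_key "$SAMPLE_OTHER_KEY" "$EXPECTED_FPR" || echo "other key: rejected"
signed_by_expected_key "$SAMPLE_BAD" "$EXPECTED_FPR" || echo "bad signature: rejected"
```

In a real pipeline, replace the last three lines with `verify_release_sig exercism_checksums.txt.sig exercism_checksums.txt` after the key has been fetched, and fail the build when it returns non-zero.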

I believe it is also available on GitHub under GitHub's standard URL scheme.


Thank you for the thorough reply!!

Though I have done it multiple times, it shows that without the specific instructions I am unable to do the whole verification and checksum checking thing.

Taken from your script:

sha256sum -c --ignore-missing exercism_checksums.txt
gpg --keyserver hkps://keys.openpgp.org --recv-keys 816A8B8E703E53110F1D0FBBE8761A9E46258B62
gpg --verify --verbose exercism_checksums.txt.sig

I personally prefer people being told what they need to enter instead of being given a script they might not understand, or might not even care what it is doing. Other than that, it is a very nice script which handles everything from downloading the 3.1.0 version of the program (and temp folder creation, which is not necessary but still neat) to checking its integrity with the checksum and testing whether the checksums were created by the right people.

Probably I should suggest somewhere visible to GitHub repo owners that verifying the signature and checking the checksum should always be done.

It is a very good practice to do that - I think the download instructions should encourage it (with an explanation of why this is necessary). At least for doing Exercism locally on Linux or on WSL in Windows.

Also thank you @kotp for linking the location of the key on GitHub. I wouldn't have been able to find it myself.

Always care about what the scripts you are given are doing, just as you care about signed packages and checksums.

That said, it may be that the documentation has some room for improvement.

I am glad that you found a solution, though.
