Verifying the Integrity of ISC Downloads using PGP / GPG
What are all the .asc files in an ISC download directory for?
Those are ASCII-armored, detached PGP signature files. Each one contains a cryptographic checksum of the contents of its associated download, plus metadata recording when the checksum was created and by whom, all of which is then signed with the private-key half of a PGP key pair. Verifying the provided signature lets a person downloading ISC source or binaries be confident that the contents of the downloaded file have not been tampered with.
How do I use them, then?
To verify the integrity of an ISC download using PGP (or GPG) you will need three separate items:
1. The public-key half of the ISC code-signing key, imported into your PGP (or GPG) keyring. Ordinarily the ISC code-signing key can be found here. If the ISC website is not available, the key can also be found on public PGP keyservers under the identity "email@example.com". Once you have the public-key half of the key pair, store it in a file (e.g. "KEYFILE") and import it using the PGP or GPG import option, e.g.: gpg --import KEYFILE.
2. The signature (.asc) file containing the checksum data.
3. The download file whose integrity is to be checked.
Now you are ready to check the integrity of the file, using the PGP or GPG command's "--verify" option. In the following example, the firstname.lastname@example.org code-signing key has been imported into a personal PGP keyring as described above, and the download file bind-9.16.13.tar.xz and the signature file bind-9.16.13.tar.xz.sha512.asc have been downloaded and stored in the current working directory.
The syntax to be used is:
(name of PGP or GPG command) --verify (name of signature file) (name of file whose integrity is to be checked)
$ gpg --verify bind-9.16.13.tar.xz.sha512.asc bind-9.16.13.tar.xz
gpg: Signature made Tue 16 Mar 2021 08:03:21 PM CET using RSA key ID 5970811F
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2021-2022) <email@example.com>"
If you are confident that you have the correct firstname.lastname@example.org public key, the important thing to check is that the output reports a good signature made with that key.
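The check above depends on two things: that the signature is good, and that it was made by the key you already trust. "Good signature" only tells you the signature matches some key in your keyring, and gpg exits 0 even for a key it does not trust, so a script should not grep the human-readable output. The following shell script is an added example and is not ISC's own tooling: it uses gpg's machine-readable status lines (--status-fd) and pins the signing key's fingerprint, succeeding only when a GOODSIG and a matching VALIDSIG are both present and no failure status appears. EXPECTED_FPR is a constructed placeholder, not the real ISC key fingerprint; replace it with the fingerprint you obtained for the code-signing key out of band, and the function verify_status is a name chosen for this example.

```shell
#!/bin/sh
# Added example, not part of ISC's documentation or tooling.
# Verifies a detached PGP signature using gpg's status output and a pinned
# key fingerprint, rather than trusting the "Good signature" text line.

# Placeholder fingerprint (constructed, 40 hex digits). Replace with the
# fingerprint of the ISC code-signing key, obtained independently.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# verify_status EXPECTED_FPR  < "[GNUPG:] ..." status lines
# Succeeds (exit 0) only if a GOODSIG line is present, a VALIDSIG line names
# EXPECTED_FPR as the signing key or its primary key, and no failure status
# (BADSIG, ERRSIG, EXPKEYSIG, REVKEYSIG, NODATA) was reported.
verify_status() {
    fpr="$1"
    good=0 pinned=0 bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NODATA"*)
                bad=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # Per gpg's DETAILS file: field 3 is the fingerprint of the key
                # that made the signature; field 12, when present, is the
                # fingerprint of its primary key. Either may be the pinned one.
                set -- $line
                if [ "$3" = "$fpr" ] || [ "${12:-}" = "$fpr" ]; then
                    pinned=1
                fi ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$pinned" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_download SIGFILE FILE
# Runs gpg non-interactively, sends status lines to stdout (--status-fd 1),
# and lets verify_status decide. The pipeline's exit status is that of
# verify_status, so a good-but-unpinned signature still fails.
verify_download() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | verify_status "$EXPECTED_FPR"
}

# Usage: ./verify.sh bind-9.16.13.tar.xz.sha512.asc bind-9.16.13.tar.xz
if [ "$#" -eq 2 ]; then
    if verify_download "$1" "$2"; then
        echo "OK: good signature from the pinned key"
    else
        echo "FAIL: signature missing, bad, or made by an unpinned key" >&2
        exit 1
    fi
fi
```

Checking the fingerprint rather than the short key ID matters because short IDs are easy to collide; the fingerprint is what you should compare against the value published for the key.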