Verifying the Integrity of ISC Downloads using PGP / GPG
Updated on 05 Oct 2018

Question:

What are all the .asc files in an ISC download directory for?

Answer:

Those are ASCII-armored, detached PGP signature files. "Detached" means the signature lives in its own file rather than being bundled with the data it covers, which is why verification takes both files as input. Each one holds a digital signature over its associated download: a cryptographic hash of the download's contents, together with metadata recording when the signature was made and by which key, signed with the private half of ISC's code-signing key pair. A signature is not encryption of the download; the downloaded file is left unchanged, and anyone holding the matching public key can check the signature. Verifying it lets a person downloading ISC source or binaries confirm that the file is byte-for-byte what ISC signed and has not been tampered with, whether in transit or on a mirror.

Question:

How do I use them, then?

Answer:

To verify the integrity of an ISC download using PGP (or GPG) you will need three separate items.

  1. The public half of the ISC code-signing key, imported into your PGP (or GPG) keyring. Ordinarily the ISC code-signing key can be obtained from the ISC website. If the ISC website is not available, the key can also be fetched from public PGP keyservers under the identity "codesign@isc.org". Anyone can upload a key to a keyserver under any identity, so do not rely on the name alone: before using a key obtained this way, compare its fingerprint (gpg --fingerprint codesign@isc.org) against a copy published by ISC through a channel you trust. Once you have the public half of the key pair, store it in a file (e.g. "KEYFILE") and import it using the PGP or GPG import option, e.g.:  gpg --import KEYFILE.

  2. The detached signature (.asc) file published alongside that download.

  3. The download file whose integrity is to be checked.

Now you are ready to check the integrity of the file, using the PGP or GPG command's "--verify" option. For the following example, the codesign@isc.org code-signing key has been imported into a personal PGP key ring as described above, and the download file bind-9.10.1-P1.tar.gz and the signature file bind-9.10.1-P1.tar.gz.sha512.asc have been downloaded and stored in the current working directory.

The syntax to be used is:

(name of PGP or GPG command) --verify (name of signature file) (name of file whose integrity is to be checked)

For example:

$ gpg --verify bind-9.10.1-P1.tar.gz.sha512.asc  bind-9.10.1-P1.tar.gz
gpg: Signature made Thu Nov 20 18:27:00 2014 AKST using RSA key ID 189CDBC5
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2013) <codesign@isc.org>"

There may be other output from the pgp / gpg command as well.
PGP and GPG include a concept of signature trust. Depending on how the codesign@isc.org public key has been marked in your key ring, you may see additional output from the PGP / GPG command given above indicating that the key is not fully trusted, for example GnuPG's "gpg: WARNING: This key is not certified with a trusted signature!" followed by "gpg: There is no indication that the signature belongs to the owner." This warning describes how much your own keyring trusts the key; it does not mean the signature failed to verify.

If you are confident that you have the correct codesign@isc.org public key, the important part to check for is the line saying that a good signature was made, and that the key ID (or fingerprint) it names is the one belonging to that key. Any other result means the download should not be used: "BAD signature" indicates that the file or the signature has been altered or corrupted, and "Can't check signature: No public key" indicates that the signing key has not been imported as described in step 1.
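The procedure above, collected into a script, as an added example that is not ISC's own tooling. It assumes GnuPG 2.1 or later. Because it has to run offline, it constructs its own fixture: a throwaway signing key standing in for ISC's, a stand-in tarball, a detached signature, and a separate empty keyring into which only the exported KEYFILE is imported, as in step 1; the user ID codesign@example.invalid, the file names and the directory layout are illustrative. It goes one step beyond the article by reading GnuPG's machine-readable status output and insisting that the good signature came from a fingerprint pinned in advance, which is what "being confident that you have the correct public key" amounts to in practice.

```shell
#!/bin/sh
# Added example, not part of ISC's documentation or tooling.
# Verifies a detached ASCII-armored signature the way the article describes
# (gpg --verify SIGFILE DATAFILE) and then checks that the signature was made
# by the key whose fingerprint you pinned, instead of accepting "Good
# signature" from whatever key with a matching user ID sits in the keyring.
# Requires GnuPG 2.1 or later.

# verify_detached_sig SIGFILE DATAFILE EXPECTED_FPR
# Uses the keyring in $GNUPGHOME (or the default one). Exit status:
#   0  good signature, made by EXPECTED_FPR (the signing key or its primary key)
#   1  no good signature: BAD signature, missing public key, unreadable file
#   2  good signature, but from some other key
verify_detached_sig() {
    vds_sig=$1
    vds_data=$2
    vds_expected=$3
    # --status-fd 1 sends machine-readable "[GNUPG:] ..." records to stdout;
    # the human-readable lines quoted in the article still go to stderr
    # (drop the 2>/dev/null to see them).
    vds_status=$(gpg --batch --status-fd 1 --verify "$vds_sig" "$vds_data" 2>/dev/null) || return 1
    # VALIDSIG appears only for a cryptographically good signature. Field 3 is
    # the fingerprint of the key that made it; the last field is the primary
    # key's fingerprint (they differ when a signing subkey is used).
    vds_sigkey=$(printf '%s\n' "$vds_status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    vds_primary=$(printf '%s\n' "$vds_status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$vds_sigkey" ] || return 1
    [ "$vds_sigkey" = "$vds_expected" ] || [ "$vds_primary" = "$vds_expected" ] || return 2
    return 0
}

# build_demo SIGNER_HOME VERIFIER_HOME DOWNLOAD_DIR
# Constructed fixture standing in for ISC (SIGNER_HOME) and for the person
# downloading (VERIFIER_HOME): a throwaway signing key, a stand-in tarball, its
# detached signature, and a KEYFILE imported into an otherwise empty keyring,
# as in step 1 of the article. Prints the fingerprint the user should pin.
build_demo() {
    bd_signer=$1
    bd_user=$2
    bd_dl=$3
    mkdir -p "$bd_signer" "$bd_user" "$bd_dl"
    chmod 700 "$bd_signer" "$bd_user"
    # "ISC" side: signing-only key, no passphrase (demo only), never expires.
    GNUPGHOME=$bd_signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signing Key <codesign@example.invalid>' ed25519 sign never 2>/dev/null
    # Constructed stand-in for the real tarball.
    printf 'stand-in for bind-9.10.1-P1.tar.gz\n' > "$bd_dl/bind-9.10.1-P1.tar.gz"
    GNUPGHOME=$bd_signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --digest-algo SHA512 \
        --output "$bd_dl/bind-9.10.1-P1.tar.gz.sha512.asc" "$bd_dl/bind-9.10.1-P1.tar.gz"
    # Public half, published as KEYFILE.
    GNUPGHOME=$bd_signer gpg --batch --quiet --armor --export codesign@example.invalid > "$bd_dl/KEYFILE"
    GNUPGHOME=$bd_signer gpgconf --kill all 2>/dev/null || true
    # User side: import KEYFILE, then read the fingerprint to pin. In real use
    # compare this against a copy obtained out of band before relying on it.
    GNUPGHOME=$bd_user gpg --batch --quiet --import "$bd_dl/KEYFILE" 2>/dev/null
    GNUPGHOME=$bd_user gpg --batch --with-colons --fingerprint codesign@example.invalid \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Walk-through: sign, verify, then show a wrong pinned key and a tampered
# download. Run with:  sh verify_isc_download.sh demo
run_demo() {
    rd_tmp=$(mktemp -d)
    rd_fpr=$(build_demo "$rd_tmp/isc" "$rd_tmp/user" "$rd_tmp/downloads")
    echo "pinned fingerprint: $rd_fpr"
    export GNUPGHOME="$rd_tmp/user"
    cd "$rd_tmp/downloads" || return 1
    verify_detached_sig bind-9.10.1-P1.tar.gz.sha512.asc bind-9.10.1-P1.tar.gz "$rd_fpr"
    echo "genuine tarball, pinned key:          rc=$?  (expect 0)"
    verify_detached_sig bind-9.10.1-P1.tar.gz.sha512.asc bind-9.10.1-P1.tar.gz \
        0000000000000000000000000000000000000000
    echo "genuine signature, not the pinned key: rc=$?  (expect 2)"
    printf 'one appended line\n' >> bind-9.10.1-P1.tar.gz
    verify_detached_sig bind-9.10.1-P1.tar.gz.sha512.asc bind-9.10.1-P1.tar.gz "$rd_fpr"
    echo "tampered tarball:                      rc=$?  (expect 1)"
    gpgconf --kill all 2>/dev/null || true
    rm -rf "$rd_tmp"
}

case ${1-} in demo) run_demo ;; esac
```

The distinction the script draws between exit codes 1 and 2 is the point of pinning: a "Good signature" line only tells you that some key in your keyring produced the signature, and an attacker who can substitute the tarball and its .asc on a mirror can just as easily publish a lookalike key under the codesign@isc.org user ID. Comparing the fingerprint reported in VALIDSIG against one you obtained from a trusted source closes that gap; for a real ISC key that signs with a subkey, pin the primary key's fingerprint, which the script accepts via the last VALIDSIG field.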
