Verifying the Integrity of ISC Downloads using PGP / GPG
- Updated on 20 Apr 2018
What are all the .asc files in an ISC download directory for?
Those are ASCII-armored, detached PGP signature files. Each file contains a cryptographic checksum of the contents of its associated download, plus metadata recording when the checksum was created and by whom, all of which is then signed with the private-key half of a PGP key pair. Checking the provided signature allows a person downloading ISC source or binaries to be confident that the contents of the downloaded file have not been tampered with since ISC signed them.
How do I use them, then?
To verify the integrity of an ISC download using PGP (or GPG) you will need three separate items.
1. The public-key half of the ISC code-signing key, imported into your PGP (or GPG) keyring. Ordinarily the ISC code-signing key can be found here. If the ISC website is not available, the key can also be found on public PGP keyservers under the identity "email@example.com". Once you have the public-key half of the key pair, store it in a file (e.g. "KEYFILE") and import it using the PGP or GPG import option, e.g.: gpg --import KEYFILE
2. The signature (.asc) file containing the checksum data.
3. The download file whose integrity is to be checked.
Now you are ready to check the integrity of the file, using the pgp or gpg command's "--verify" option. For the following example, the firstname.lastname@example.org code-signing key has been imported into my personal PGP key ring as described above and the download file bind-9.10.1-P1.tar.gz and the signature file bind-9.10.1-P1.tar.gz.sha512.asc have been downloaded and stored in my current working directory.
The syntax to be used is:
(name of PGP or GPG command) --verify (name of signature file) (name of file whose integrity is to be checked)
$ gpg --verify bind-9.10.1-P1.tar.gz.sha512.asc bind-9.10.1-P1.tar.gz
gpg: Signature made Thu Nov 20 18:27:00 2014 AKST using RSA key ID 189CDBC5
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2013) email@example.com"
There may be other output from the pgp / gpg command as well.
PGP and GPG include a concept of signature trust. Depending on how the firstname.lastname@example.org public key has been marked in your key ring you may see additional output from the PGP / GPG command given above indicating that the key is not fully trusted.
If you are confident that you have the correct email@example.com public key, the important part to check for is the line saying that a good signature was made using that key.
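The "Good signature" line only proves that some key in your keyring produced the signature, so an automated check should also confirm that the key is the one you expected. The following Python script is an added example, not part of the ISC article: it runs gpg with --status-fd so the result can be read from gpg's machine-readable status lines rather than the human-readable text, and it only reports success when the VALIDSIG line names a pinned fingerprint. The fingerprint, long key ID, and sample status lines are constructed placeholders; the real fingerprint of the ISC code-signing key must come from ISC's own published material.

```python
"""Verify a detached PGP signature via gpg --status-fd and a pinned key fingerprint."""
import subprocess

# Constructed placeholder: replace with the full 40-hex-digit fingerprint
# of the ISC code-signing key as published by ISC.
EXPECTED_FPR = "0000000000000000000000000000000000000000"

# Constructed sample of `gpg --batch --status-fd 1 --verify` output for a good
# signature, modelled on the article's example. The long key ID ending in
# 189CDBC5 and the fingerprints are placeholders, not real key material.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000189CDBC5 Internet Systems Consortium, Inc. (Signing key, 2013) <email@example.com>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2014-11-21 1416536820 0 4 0 1 10 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample: the tarball was modified after signing.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 00000000189CDBC5 Internet Systems Consortium, Inc. (Signing key, 2013) <email@example.com>
"""

# Constructed sample: a valid signature, but from a key that is not the pinned one.
SAMPLE_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Somebody Else <someone@example.net>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2014-11-21 1416536820 0 4 0 1 10 00 1111111111111111111111111111111111111111
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def parse_status(text):
    """Return (keyword, arguments) pairs from [GNUPG:] status lines; other output is ignored."""
    records = []
    prefix = "[GNUPG:] "
    for line in text.splitlines():
        if not line.startswith(prefix):
            continue
        parts = line[len(prefix):].split(" ", 1)
        records.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return records


def evaluate(status_text, expected_fpr):
    """Decide whether the status output proves a good signature by the pinned key.

    Returns (ok, reason). Trust lines (TRUST_*) are deliberately ignored: as the
    article notes, keyring trust is separate from whether the signature is good.
    """
    expected = expected_fpr.replace(" ", "").upper()
    records = parse_status(status_text)
    keywords = {kw for kw, _ in records}
    # Any of these means the signature must not be accepted, whatever else is printed.
    for bad in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
        if bad in keywords:
            return False, bad
    if "GOODSIG" not in keywords:
        return False, "no GOODSIG"
    for kw, args in records:
        if kw == "VALIDSIG":
            fields = args.split()
            # Field 0 is the signing (sub)key fingerprint; field 9, when present,
            # is the primary key fingerprint. Accept the pinned value in either.
            fprs = {fields[0].upper()}
            if len(fields) >= 10:
                fprs.add(fields[9].upper())
            if expected in fprs:
                return True, "good signature from pinned key"
            return False, "good signature but from a different key"
    return False, "no VALIDSIG"


def run_gpg_verify(sig_path, data_path, expected_fpr, gpg="gpg"):
    """Run gpg on a real signature/file pair and evaluate its status output."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True, check=False)
    return evaluate(proc.stdout, expected_fpr)


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("wrong key", SAMPLE_WRONG_KEY)):
        print(name, evaluate(sample, EXPECTED_FPR))
    # Against real files: run_gpg_verify("bind-9.10.1-P1.tar.gz.sha512.asc", "bind-9.10.1-P1.tar.gz", EXPECTED_FPR)
```

The short key ID printed in the article's example (189CDBC5) is convenient for a human reader, but short IDs can be matched by other keys, which is why the script pins the full fingerprint from the VALIDSIG line rather than the ID from the "Good signature" text.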
© 2001-2018 Internet Systems Consortium