Verifying the Integrity of ISC Downloads using PGP / GPG
What are all the .asc files in an ISC download directory for?
Those are ASCII-armored, detached PGP signature files. Each file contains a cryptographic checksum of the contents of its associated download, plus metadata demonstrating when the checksum was created and by whom, all of which is then encrypted under the private key half of a PGP key pair. Using the provided cryptographic signatures allows a person downloading ISC source or binaries to be confident that the contents of the downloaded file have not been tampered with.
How do I use them, then?
To verify the integrity of an ISC download using PGP (or GPG) you will need three separate items.
The PGP public key block containing the current ISC code-signing keys (imported into your PGP (or GPG) keyring.) The ISC code-signing key block can be found here. Once you have it, store it in a file (e.g. "KEYFILE") and import it using the PGP or GPG import option, e.g.: gpg --import KEYFILE.
The signature (.asc) file containing the checksum data.
The download file whose accuracy is to be checked.
Now you are ready to check the integrity of the file, using the PGP or GPG command's "--verify" option. For the following example, the PGP public key block containing the current ISC code-signing keys has been imported into a personal PGP key ring as described above and the download file
bind-9.18.15.tar.xz and the signature file
bind-9.18.15.tar.xz.asc have been downloaded and stored in a current working directory.
The syntax to be used is:
(name of PGP or GPG command) --verify (name of signature file) (name of file whose integrity is to be checked)
$ gpg --verify bind-9.18.15.tar.xz.asc bind-9.18.15.tar.xz gpg: Signature made Wed 10 May 2023 01:52:18 PM CEST gpg: using RSA key D99CCEAF879747014F038D63182E23579462EFAA gpg: Good signature from "Michal Nowak (Code-Signing Key) <email@example.com>" [full]
PGP and GPG include a concept of signature trust. Depending on how the code-signing public keys have been marked in your key ring, you may see additional output from the PGP / GPG command given above indicating that the key is not fully trusted.
If you are confident that you have the correct public key block imported, the important part to check for is the part saying that a good signature was made using that key.