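Ever since XcodeGhost, I check the md5sum of software after downloading it. I have now noticed that downloads also come with a gpg signature, so I started learning about that as well.
- gpg is installed by default on CentOS 6.4; for installation and usage, see ruanyifeng's article.
This post mainly covers how to verify a downloaded file.
First, of course, download the installation file. This time the download is WSO2 Data Services Server 3.2.1 (download link).
Then open the gpg file, as shown in Figure 1 below, and download that file as well.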
- In a terminal, run
gpg --verify wso2dss-3.2.1.zip.asc
which gives the following output:
gpg: Signature made Tue 13 May 2014 05:06:11 AM PDT using RSA key ID 2B2458BF
gpg: Can't check signature: No public key
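- The reason is that the public key for key ID 2B2458BF is not available locally, so the following command can be used to download the public key: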
$ gpg --search-keys 2B2458BF
gpg: searching for "2B2458BF" from hkp server keys.gnupg.net
gpg: keyserver timed out
gpg: keyserver search failed: Keyserver error
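- This fails, possibly because of a port problem. Following the answer in this article, use the following command to download the public key.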
$ sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 2B2458BF
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 2B2458BF from hkp server keyserver.ubuntu.com
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 2B2458BF: public key "Anjana Fernando (LA_F) " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
- Run the verification again, and this time it reports success.
$ sudo gpg --verify wso2dss-3.2.1.zip.asc
gpg: Signature made Tue 13 May 2014 05:06:11 AM PDT using RSA key ID 2B2458BF
gpg: Good signature from "Anjana Fernando (LA_F) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 56EA 3B61 4CC4 7875 A865 0858 8E1A ACF4 2B24 58BF
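
The last run still warns that the key is not certified: a key fetched by the short ID 2B2458BF is only as trustworthy as the keyserver, so "Good signature" alone does not tie the file to the publisher. The following added example (not part of the original post) accepts a signature only when gpg's machine-readable status reports it valid and the primary key fingerprint equals one obtained from the publisher through a separate channel; the function names, `PUBLISHER_FPR` and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: trust a signature only if it is valid AND made by a pinned key.

# Strip spaces and upper-case a fingerprint so both notations compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Reads `gpg --status-fd` lines on stdin; $1 is the expected fingerprint.
# Returns 0 only for a VALIDSIG from that primary key with no failure status.
status_matches_fpr() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; fall back to the
            # signing key fingerprint (field 3) if gpg did not print it.
            got = (NF >= 12) ? $12 : $3
            if (toupper(got) == want) ok = 1
        }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pinned <signature.asc> <signed file> <expected fingerprint>
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_matches_fpr "$3"
}

# Constructed status lines (not captured from a real run) for an offline demo.
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 8E1AACF42B2458BF Constructed Signer
[GNUPG:] VALIDSIG 56EA3B614CC47875A86508588E1AACF42B2458BF 2014-05-13 1399982771 0 4 0 1 2 00 56EA3B614CC47875A86508588E1AACF42B2458BF
EOF
}

if sample_status | status_matches_fpr '56EA 3B61 4CC4 7875 A865 0858 8E1A ACF4 2B24 58BF'; then
    echo "signature valid and fingerprint matches the pinned value"
fi
# Real use: verify_pinned wso2dss-3.2.1.zip.asc wso2dss-3.2.1.zip "$PUBLISHER_FPR"
```

gpg does not need sudo for any of this; running it as root only moves the keyring to /root/.gnupg, as the output above shows.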