Checking sources

From OWASP Live CD 2008


If the provider of the source code gives you the option, use as many of these checks as possible to maximize the chance that you truly have pristine source:

  • md5sum

Many source packages also have MD5 sums, either displayed on the download page or provided in small text files. After you download a source package, use the md5sum command to generate a new MD5 sum and compare it to the one provided by the source maintainer. A match tells you that the source was not altered during download and is the same file the source maintainer used to generate their MD5 sum:

 $ md5sum subversion-1.5.2.tar.bz2
 8321d0e1964846090f0174cb6bb18838  subversion-1.5.2.tar.bz2

Compare the output of the command with the MD5 sum provided by the source maintainer, for example by saving your own result to a file and viewing the two side by side:

 $ md5sum subversion-1.5.2.tar.bz2 >> md5sum-subversion-1.5.2.tar.bz2
 $ cat md5sum-subversion-1.5.2.tar.bz2
 8321d0e1964846090f0174cb6bb18838  subversion-1.5.2.tar.bz2
 8321d0e1964846090f0174cb6bb18838
  • gpg --verify

GNU Privacy Guard (an OpenPGP implementation) allows you to verify the source against a digital signature. The signature can be used to prove that a file is the same as the one provided by the source maintainer. You will need to download both the source and the signature file. Typically the signature files have a .asc extension. The gpg command can then be used to verify that the signature on the file matches that of the source maintainer.

 $ gpg --verify subversion-1.5.2.tar.bz2.asc subversion-1.5.2.tar.bz2
 gpg: Signature made Wed 27 Aug 2008 03:51:17 PM CDT using DSA key ID 4E24517C
 gpg: Good signature from "Hyrum K. Wright (Personal) <hyrum@hyrumwright.org>"
 gpg:                 aka "Hyrum K. Wright (UT) <hyrum_wright@mail.utexas.edu>"
 gpg:                 aka "[jpeg image of size 4854]"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
 Primary key fingerprint: 3324 80DA 0F8C A37D AEE6  D084 0B03 AE6E 4E24 517C

BTW, the warning just means that you haven't chosen to trust the key in your own keyring. It doesn't mean that something nefarious has happened to the source code.

Often, instead, gpg will tell you that it can't find the public key that made the signature, with output like:

 $ gpg --verify subversion-1.5.2.tar.bz2.asc subversion-1.5.2.tar.bz2
 gpg: Signature made Wed 27 Aug 2008 03:51:17 PM CDT using DSA key ID 4E24517C
 gpg: Can't check signature: public key not found

When this happens, you'll need to import the public key(s) for the source maintainer(s). That is covered next.

  • gpg --recv-keys

Typically, public keys are kept on a key server. You can use gpg to fetch the public key from a key server and add it to your keyring of public keys. Use the key ID shown in the gpg output above to designate which public key you want to obtain from the key server, such as:

 $ gpg --keyserver wwwkeys.pgp.net --recv-keys 4E24517C
 gpg: requesting key 4E24517C from hkp server wwwkeys.pgp.net
 gpg: key 4E24517C: public key "Hyrum K. Wright (Personal) <hyrum@hyrumwright.org>" imported
 gpg: no ultimately trusted keys found
 gpg: Total number processed: 1
 gpg:               imported: 1

Now that you have the public key of the source maintainer, you can use gpg --verify as above to check the signature file against the source code.
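The three steps above (checksum, gpg --verify, gpg --recv-keys on a missing key) are easy to get wrong by eye, so here is a small POSIX shell script that does them as pass/fail checks. It is an added example and not part of the OWASP Live CD page; it assumes GNU coreutils (md5sum, sha256sum) and GnuPG, the key server hkps://keys.openpgp.org is an assumption, and the file names and digests used in the demo are constructed for the example. It goes slightly beyond the page by also accepting SHA-256 sums and by letting you pin the maintainer's key fingerprint.

```shell
#!/bin/sh
# Added example (not from the OWASP Live CD page): turn the manual checks
# into functions that return 0 on success and non-zero on any mismatch.
# Assumes GNU coreutils (md5sum/sha256sum) and GnuPG.

# hash_of ALGO FILE -> prints only the hex digest. ALGO is md5 or sha256.
hash_of() {
    digest=$("${1}sum" "$2") || return 2
    printf '%s\n' "${digest%% *}"
}

# verify_checksum ALGO FILE EXPECTED -> 0 if FILE's digest equals EXPECTED.
# The comparison is case-insensitive because download pages vary in case.
verify_checksum() {
    actual=$(hash_of "$1" "$2") || return 2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $1 $2"
        return 0
    fi
    echo "FAIL $1 $2: got $actual, expected $expected" >&2
    return 1
}

# verify_signature SIGFILE FILE [EXPECTED_FPR] [KEYSERVER]
# Uses gpg's machine-readable status lines instead of parsing the human
# output. If gpg reports NO_PUBKEY, fetch that key ID from the key server
# (what the page does by hand with --recv-keys) and verify again. When an
# expected fingerprint is given, require it to appear in the VALIDSIG line,
# so a "good" signature from some other key is still rejected.
verify_signature() {
    sig="$1"; file="$2"; want_fpr="$3"
    keyserver="${4:-hkps://keys.openpgp.org}"   # assumed default server

    out=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    case "$out" in
        *"[GNUPG:] NO_PUBKEY "*)
            keyid=$(printf '%s\n' "$out" | awk '/NO_PUBKEY/ {print $3; exit}')
            gpg --keyserver "$keyserver" --recv-keys "$keyid" || return 2
            out=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
            ;;
    esac

    case "$out" in
        *"[GNUPG:] GOODSIG "*) ;;
        *) echo "FAIL signature on $file did not verify" >&2; return 1 ;;
    esac

    if [ -n "$want_fpr" ]; then
        want=$(printf '%s' "$want_fpr" | tr -d ' ' | tr 'a-f' 'A-F')
        case "$out" in
            *"[GNUPG:] VALIDSIG $want "*) ;;
            *) echo "FAIL signature is good but not from fingerprint $want" >&2
               return 1 ;;
        esac
    fi
    echo "OK   signature on $file"
    return 0
}

# Demo on a constructed file; "hello\n" has a well-known MD5 and SHA-256.
demo_checksums() {
    tmp=$(mktemp) || return 2
    printf 'hello\n' > "$tmp"
    verify_checksum md5 "$tmp" b1946ac92492d2347c6235b4d2611184 &&
    verify_checksum sha256 "$tmp" \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

A checksum published next to the download only shows that the file arrived intact; the signature check is what ties the file to the maintainer's key, and pinning the fingerprint (the one gpg prints after a good signature, or one obtained from the project out of band) is what removes the "not certified with a trusted signature" ambiguity the page mentions.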