Linux Help
  #1  
August 2nd, 2012, 08:23 AM
NotionCommotion
PGP TarBall File Signature Keys Verification

I am kind of new to this whole PGP TarBall File Signature Keys Verification thing. Not sure if this is the correct forum to post this question, so please move if necessary.

Here is my understanding.
  1. There are a bunch of TarBall files with accompanying signatures on the web.
  2. You download both of them.
  3. You gpg the signature file to make sure it is valid.
  4. If you don't have the key, you get it from pgpkeys.mit.edu. Always there, or other places?
  5. You agree to trust a given email. How do I determine which emails I should trust?

Please see below for my implementation of the above steps. I commented out the Primary key fingerprint as I didn't know if it had something to do with me. Did I need to?

Now, assuming I am doing everything correctly, how do I now deal with the actual TarBall and not just the signature file?

Thank you


[root@localhost temp]# wget http://www.openwall.com/phpass/phpass-0.3.tar.gz
....
[root@localhost temp]# wget http://www.openwall.com/phpass/phpass-0.3.tar.gz.sign
....
[root@localhost temp]# gpg phpass-0.3.tar.gz.sign
gpg: Signature made Thu 22 Apr 2010 01:44:05 AM PDT using RSA key ID 295029F1
gpg: Can't check signature: public key not found
[root@localhost temp]# gpg --keyserver pgpkeys.mit.edu --recv-key 295029F1
gpg: requesting key 295029F1 from hkp server pgpkeys.mit.edu
gpg: key 295029F1: public key "Openwall Project <signatures@openwall.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@localhost temp]# gpg phpass-0.3.tar.gz.sign
gpg: Signature made Thu 22 Apr 2010 01:44:05 AM PDT using RSA key ID 295029F1
gpg: Good signature from "Openwall Project <signatures@openwall.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
[root@localhost temp]# gpg --edit-key signatures@openwall.com trust
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.


pub 1024R/295029F1 created: 1999-09-13 expires: never usage: SCEA
trust: unknown validity: unknown
[ unknown] (1). Openwall Project <signatures@openwall.com>

pub 1024R/295029F1 created: 1999-09-13 expires: never usage: SCEA
trust: unknown validity: unknown
[ unknown] (1). Openwall Project <signatures@openwall.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub 1024R/295029F1 created: 1999-09-13 expires: never usage: SCEA
trust: ultimate validity: unknown
[ unknown] (1). Openwall Project <signatures@openwall.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

Command> q
[root@localhost temp]# gpg phpass-0.3.tar.gz.sign
gpg: Signature made Thu 22 Apr 2010 01:44:05 AM PDT using RSA key ID 295029F1
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "Openwall Project <signatures@openwall.com>"
[root@localhost temp]#

  #2  
August 3rd, 2012, 02:07 PM
NotionCommotion
If this is the wrong forum to post this question, please advise.

  #3  
August 3rd, 2012, 04:23 PM
salem
> If you don't have the key, you get it from pgpkeys.mit.edu. Always there, or other places?
You can usually find lists of key servers.
Wikipedia

> You agree to trust a given email. How do I determine which emails I should trust?
In your dialog, I would have gone for 3 rather than 5.
5 is like close family members, or friends from childhood.


> I commented out the Primary key fingerprint as I didn't know if it had something to do with me.
> Did I need to?
Is it this one?
fingerprints
The full public key for openwall is 128 bytes long (1024 bits). The fingerprint is a shorter condensed version of the public key which is a lot easier to "eyeball" compare with independent sources (such as the web page).

But FWIW, it's a good habit to comment out anything looking like keys when posting on forums if you're at all unsure about what's going on.



> how do I now deal with the actual TarBall and not just the signature file?
Try
tar xf phpass-0.3.tar.gz
This should extract everything, probably into a directory called phpass-0.3.

tar tf phpass-0.3.tar.gz
will give you a list of all the contents.

And --help will give you all the things tar can do.
  #4  
August 3rd, 2012, 07:02 PM
NotionCommotion
Thank you salem,

Are there any bad lists of key servers which are corrupt/misleading/evil/etc? If so, how would I know that they are bad?

Good definition of an email one should trust. One of the tutorials I was reading said select 5, and I thought "you're not my brother or childhood friend!"

You're absolutely correct regarding the Primary key fingerprint. I suspected it, but erred on caution.

As far as dealing with the actual TarBall, yes, I see how that will extract the files, but how does the signature relate to it? If there wasn't a signature at all, you would open the file the same way. Why is it now okay?

Lastly, does my general understanding seem correct? It seems that way to me, but I often find I am thinking totally different than what I should!

Thank you for your help!

  #5  
August 4th, 2012, 01:16 AM
salem
> Are there any bad lists of key servers which are corrupt/misleading/evil/etc? If so, how would I know that they are bad?
When you verify the signature on your machine, you're basically establishing that the signature on the file and the public key on the key server are consistent. If the signature check fails, one (or the other) is wrong, and you should proceed with due caution.

> If there wasn't a signature at all, you would open the file the same way. Why is it now okay?
Think of the signature as a nice pretty hologram saying "genuine product". All it is telling you is that what you have is what the author intended you to have (i.e., it hasn't been tampered with in transit).

You have a genuine box, but it doesn't tell you whether it is a quality box, or a box that does what you want it to.

A signed script containing "rm -rf /" is just as dangerous as one without a signature.

So, regardless of whether there is a signature saying "genuine" box, you need to exercise your own due diligence to examine the box to make sure it's what you really wanted.

All .tar and .tar.gz files are extracted in the same way, regardless of whether you have a signature file as well. The signature is there just to tell you that the file is what the author intended you to have.
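To make concrete how the signature file is tied to the tarball (step 3 of the original list and the question answered in post #5), here is an added example that is not from the thread or from GnuPG: a toy of what `gpg phpass-0.3.tar.gz.sign` does, using textbook RSA with two constructed small primes and SHA-256 in place of a real key. The file name and the `.sign` suffix follow the thread; the key values, the temp directory and the tarball bytes are assumptions.

```python
import hashlib
import os
import tempfile

# Constructed toy RSA key pair (two small primes). A real key such as the thread's
# 1024R/295029F1 is 1024 bits; these values only show the mechanism.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def digest_int(data: bytes) -> int:
    """SHA-256 the tarball bytes and reduce below N so textbook RSA applies."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign_file(path: str, d: int = D) -> str:
    """Author's side: write a detached signature beside the file as <path>.sign."""
    with open(path, "rb") as fh:
        sig = pow(digest_int(fh.read()), d, N)
    sig_path = path + ".sign"
    with open(sig_path, "w") as fh:
        fh.write(str(sig))
    return sig_path

def verify_detached(sig_path: str, e: int = E) -> bool:
    """Downloader's side, mimicking `gpg phpass-0.3.tar.gz.sign`: gpg derives the
    data file by stripping the .sign suffix, hashes it, and checks that the value
    recovered from the signature with the public key matches that hash."""
    if not sig_path.endswith(".sign"):
        raise ValueError("expected a .sign file")
    data_path = sig_path[: -len(".sign")]
    with open(sig_path) as fh:
        sig = int(fh.read())
    with open(data_path, "rb") as fh:
        return pow(sig, e, N) == digest_int(fh.read())

def demo() -> tuple:
    """Sign a constructed tarball, verify it, then flip one byte and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tarball = os.path.join(tmp, "phpass-0.3.tar.gz")
        with open(tarball, "wb") as fh:
            fh.write(b"\x1f\x8b constructed tarball bytes, not the real phpass-0.3")
        sig_path = sign_file(tarball)
        untouched = verify_detached(sig_path)
        with open(tarball, "r+b") as fh:
            fh.seek(10)
            fh.write(b"X")  # tampered in transit; the .sign file is unchanged
        tampered = verify_detached(sig_path)
    return untouched, tampered
```

A matching result only shows that the bytes on disk are the ones the signing key vouched for; whether to believe that key is the separate trust decision discussed above, settled by comparing its fingerprint with an independent source.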
  #6  
August 4th, 2012, 06:12 AM
NotionCommotion
Ah, makes sense.

The signature is just..... a signature.


I had first thought that the signature included some sort of hash of the TarBall so one would know the TarBall was the same one that the author signed.
