Let’s say you have downloaded an installer, and before you run it, you’d like to prove it was packaged by a developer you trust. It’s not enough to simply go to the app’s official download page… maybe their server was hacked, maybe someone is rerouting your Internet traffic… If you really want to verify the source of this installer, PGP’s web of trust will help: Provided you have the developer’s public key and no reason to think his corresponding private key is compromised, then you can authenticate the file as his.
Since KeePass is a program to store all your passwords, it’s an installer we ought to verify! I’ll use KeePass as an example:
- Here’s the official download page. The download buttons redirect to SourceForge – a popular file hosting service.
Now go to the file signatures page and download your file’s corresponding key. I’m going to install KeePass-2.28-Setup.exe, so I downloaded
Take note of the developer’s public key. This is the public identity that will be embedded in files they sign. For KeePass, the developer’s name is ‘Dominik Reichl’ and his key fingerprint is ‘2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC’.
His key looks like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.7 (MingW32)
[ blah blah blah blah ]
-----END PGP PUBLIC KEY BLOCK-----
… without the ‘blah blah blah’, of course!
Here we assume that anything signed by this key was signed by the man Dominik Reichl whom we trust for KeePass installers. If that’s confusing, see Wikipedia’s web of trust.
Cryptography is not magic — it can’t tell you if someone forced Dominik to sign a malicious file. It can’t tell you that he keeps his key safe or that he is trustworthy to begin with. A signature can only prove that this particular file was signed by someone who had access to “Dominik”’s private key. I put his name in scare quotes because of course “Dominik” could be a pseudonym, or a group of people, etc., etc. This part of public key cryptography seems to confuse a lot of people. Anyway…
The last step is to verify the file. I will use Windows PowerShell:
PS C:\Users\techencoder\Downloads> gpg --verify .\KeePass-2.28-Setup.exe.asc .\KeePass-2.28-Setup.exe
gpg: Signature made 10/07/14 11:11:53 Central Daylight Time using DSA key ID FEB7C7BC
gpg: Good signature from "Dominik Reichl <email@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC
PS C:\Users\techencoder\Downloads>
As you can see, I’ve yet to sign Dominik’s key.
The line ‘WARNING: This key is not certified with a trusted signature!’ is just a reminder that his key is not part of my web of trust. Should I ever want to add his key, I would ask him to tell me the fingerprint in person, over the phone, or in some other offline communication. Then I can safely know that the key is owned by that person I talked to offline.
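Reading “Good signature” off the screen is the weak step in the procedure above: gpg also prints “Good signature” for a file signed by any other key you happen to have imported, and the short key ID FEB7C7BC in the first output line is not a safe thing to compare against. What you actually want is the full primary key fingerprint from the verification compared, character for character, against the one you obtained out of band. The script below is an added example, not code from the original post or from the KeePass project. It assumes gpg is on your PATH and that the developer’s public key has already been imported; the pinned fingerprint is the one quoted on this page, and the sample status lines are constructed for the offline self-test (their timestamp and algorithm fields are illustrative).

```python
"""Pin the signer's fingerprint when verifying a detached GnuPG signature.

Added example, not code from the original post. Assumes `gpg` is on PATH and
that the signing public key has already been imported. EXPECTED_FPR is the
fingerprint quoted on the page; the SAMPLE_STATUS_* strings are constructed.
"""
import re
import subprocess

# Fingerprint as printed on the page (whitespace is ignored when comparing).
EXPECTED_FPR = "2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC"


def normalize_fpr(fpr: str) -> str:
    """Strip whitespace and upper-case so '2171 beea ...' == '2171BEEA...'."""
    return re.sub(r"\s+", "", fpr).upper()


def signer_fingerprints(status_text: str) -> set:
    """Collect fingerprints from VALIDSIG lines of `gpg --status-fd` output.

    Only VALIDSIG means the signature itself checked out. Its first field is
    the fingerprint of the (sub)key that signed; current gpg versions append
    the primary key fingerprint as the last field. GOODSIG alone is not
    enough, and a short key ID is never enough: full fingerprints are what
    you compared with the developer out of band.
    """
    found = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            found.add(fields[2].upper())
            if re.fullmatch(r"[0-9A-Fa-f]{40}", fields[-1]):
                found.add(fields[-1].upper())
    return found


def signed_by_expected_key(status_text: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    """True only if gpg reported a valid signature made by the pinned key."""
    return normalize_fpr(expected_fpr) in signer_fingerprints(status_text)


def verify_installer(sig_path: str, file_path: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    """Run gpg --verify with machine-readable status lines on stdout, then pin.

    Works the same whether launched from PowerShell, cmd or a Unix shell.
    gpg's exit status is deliberately not trusted on its own: a good
    signature from the wrong key also exits 0.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    return signed_by_expected_key(proc.stdout, expected_fpr)


# Constructed status output modelled on the verification shown on the page.
SAMPLE_STATUS_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DCCAA5B3FEB7C7BC Dominik Reichl <email@example.com>
[GNUPG:] VALIDSIG 2171BEEAD0DD92A180655626DCCAA5B3FEB7C7BC 2014-10-07 1412698313 0 4 0 17 2 00 2171BEEAD0DD92A180655626DCCAA5B3FEB7C7BC
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a valid signature, but from some other key in the keyring that
# merely claims the same name and e-mail address.
SAMPLE_STATUS_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Dominik Reichl <email@example.com>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2014-10-07 1412698313 0 4 0 17 2 00 0000000000000000000000000123456789ABCDEF
"""

# Constructed: the installer was altered after it was signed.
SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG DCCAA5B3FEB7C7BC Dominik Reichl <email@example.com>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python verify_installer.py KeePass-2.28-Setup.exe.asc KeePass-2.28-Setup.exe
        ok = verify_installer(sys.argv[1], sys.argv[2])
        print("signature from pinned key:", ok)
        sys.exit(0 if ok else 1)
    print("self-test:",
          signed_by_expected_key(SAMPLE_STATUS_OK),         # True
          signed_by_expected_key(SAMPLE_STATUS_WRONG_KEY),  # False
          signed_by_expected_key(SAMPLE_STATUS_BAD))        # False
```

The design point is that the decision is made on the `VALIDSIG` status line rather than on the human-readable text or the exit code: `--status-fd 1` gives a stable, parseable format, and the fingerprint you pin in the script is the same value you would read to the developer over the phone. Once you have confirmed the fingerprint offline and signed the key, the “not certified” warning goes away, but the fingerprint comparison is still what protects you if a second key with the same name ever lands in your keyring.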