PGP, GnuPG - WindyHana's Solanara

Table of Contents

PGP

GnuPG

Detecting tampering in downloaded files

There are two ways to find out whether a file has been tampered with: compare a hash of the file such as its MD5 or SHA1 against the published value, or check the file's signature with GnuPG. For more on MD5, see WindyHana's Solanara: Message Digest, FingerPrint. The example here downloads HTTPD from the Apache Software Foundation together with its signature file and checks the signature. Note where each file comes from: the tarball is fetched from a mirror, while the .md5, .sha1 and .asc files are fetched from www.apache.org itself. A published hash only helps if it comes from somewhere that whoever could replace the tarball cannot also edit, so never take the hash from the same mirror as the archive. A matching hash also only proves that you got the same bytes the project published; it says nothing about who published them, and neither MD5 nor SHA1 should be relied on against a deliberately constructed collision. The GnuPG signature is the check that actually ties the file to its author.
root@wl ~ # wget http://apache.mirror.cdnetworks.com/httpd/httpd-2.2.14.tar.gz
root@wl ~ # wget http://www.apache.org/dist/httpd/httpd-2.2.14.tar.gz.asc
root@wl ~ # wget http://www.apache.org/dist/httpd/httpd-2.2.14.tar.gz.md5
root@wl ~ # wget http://www.apache.org/dist/httpd/httpd-2.2.14.tar.gz.sha1
root@wl ~ # digest -a md5 httpd-2.2.14.tar.gz
2c1e3c7ba00bcaa0163da7b3e66aaa1e
root@wl ~ # cat httpd-2.2.14.tar.gz.md5
MD5 (httpd-2.2.14.tar.gz) = 2c1e3c7ba00bcaa0163da7b3e66aaa1e
root@wl ~ # digest -a sha1 httpd-2.2.14.tar.gz
e6e20b3fc58a57a5116e036e31bf97d409db7cfa
root@wl ~ # cat httpd-2.2.14.tar.gz.sha1
SHA1(httpd-2.2.14.tar.gz)= e6e20b3fc58a57a5116e036e31bf97d409db7cfa
root@wl ~ #
The GnuPG method: fetch the author's (the file's creator's) public key, import it, and run the signature check; that completes the procedure. Given only the .asc file, gpg looks for the signed data by stripping the .asc suffix, so httpd-2.2.14.tar.gz must sit in the same directory. One caveat: the KEYS file below is fetched over plain HTTP from the same site as the signature, so by itself a good signature only proves that the archive matches some key listed in that file. Before relying on it, compare the fingerprint gpg prints with a copy obtained independently (the project's HTTPS page, a keyserver, or a copy you saved earlier).
root@wl ~ # wget http://www.apache.org/dist/httpd/KEYS
root@wl ~ # gpg --import KEYS
root@wl ~ # gpg --verify httpd-2.2.14.tar.gz.asc
gpg: Signature made Thu Sep 24 08:30 2009 using DSA key ID 751D7F27
gpg: Good signature from "Graham Leggett <minfrin@apache.org>"
gpg:                 aka "Graham Leggett <minfrin@sharp.fm>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB13 8C6A F0FC 6910 01B1  6D93 344A 844D 751D 7F27
root@wl ~ # 
At this point httpd-2.2.14.tar.gz can be treated as a genuine file signed with Graham Leggett's key. The WARNING does not mean the signature is bad; it means gpg has no evidence that key 751D7F27 really belongs to Graham Leggett, because no key you trust has certified it. To make it go away, certify the key yourself, but only after checking that the fingerprint EB13 8C6A F0FC 6910 01B1 6D93 344A 844D 751D 7F27 matches a copy obtained somewhere other than the KEYS file you just downloaded. Signing the key with your own (ultimately trusted) key is enough to make it fully valid. The session below additionally sets the key's owner trust to ultimate, which is more than needed: ultimate trust is meant for your own keys, and it makes every key that this key has signed fully valid as well. If you only want to silence the warning for this one key, use lsign (a non-exportable signature) in place of sign and leave owner trust alone.
root@wl ~ # gpg --list-keys "Graham Leggett"
pub   1024D/751D7F27 1999-08-19
uid                  Graham Leggett <minfrin@apache.org>
uid                  Graham Leggett <minfrin@sharp.fm>
sub   2048g/18F4AD9E 1999-08-19

root@wl ~ # gpg --edit-key 751D7F27
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  1024D/751D7F27  created: 1999-08-19  expires: never       usage: SCA
                     trust: unknown       validity: unknown
sub  2048g/18F4AD9E  created: 1999-08-19  expires: never       usage: E
[ unknown] (1). Graham Leggett <minfrin@apache.org>
[ unknown] (2)  Graham Leggett <minfrin@sharp.fm>

Command> sign
Really sign all user IDs? (y/N) y

pub  1024D/751D7F27  created: 1999-08-19  expires: never       usage: SCA
                     trust: unknown       validity: unknown
 Primary key fingerprint: EB13 8C6A F0FC 6910 01B1  6D93 344A 844D 751D 7F27

     Graham Leggett <minfrin@apache.org>
     Graham Leggett <minfrin@sharp.fm>

Are you sure that you want to sign this key with your
key "WindyHana (WindyHana's PGP Key) <windyhana@solanara.net>" (FB267B1A)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "WindyHana (WindyHana's PGP Key) <windyhana@solanara.net>"
2048-bit RSA key, ID B0885DB9, created 2009-10-29

Enter passphrase:

Command> trust
pub  1024D/751D7F27  created: 1999-08-19  expires: never       usage: SCA
                     trust: unknown       validity: unknown
sub  2048g/18F4AD9E  created: 1999-08-19  expires: never       usage: E
[ unknown] (1). Graham Leggett <minfrin@apache.org>
[ unknown] (2)  Graham Leggett <minfrin@sharp.fm>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  1024D/751D7F27  created: 1999-08-19  expires: never       usage: SCA
                     trust: ultimate      validity: unknown
sub  2048g/18F4AD9E  created: 1999-08-19  expires: never       usage: E
[ unknown] (1). Graham Leggett <minfrin@apache.org>
[ unknown] (2)  Graham Leggett <minfrin@sharp.fm>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

Command> save
root@wl ~ # gpg --verify httpd-2.2.14.tar.gz.asc
gpg: Signature made Thu Sep 24 08:30 2009 using DSA key ID 751D7F27
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   1  signed:   6  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "Graham Leggett <minfrin@apache.org>"
gpg:                 aka "Graham Leggett <minfrin@sharp.fm>"
root@wl ~ #
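The procedure above (hash check, then signature check, then deciding whether to trust the key) can be scripted so that it does not depend on the interactive trustdb at all: instead of signing the key and raising its owner trust, pin the signer's fingerprint and accept the download only if gpg reports a valid signature from that exact key. The script below is an added example and is not code from the original page or from the Apache project. It assumes GNU coreutils md5sum/sha1sum (the page uses the Solaris digest command), gpg 1.4 or 2.x in PATH, a KEYS file already fetched, and uses the fingerprint shown in the page's transcript; the keyring file name and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: verify a downloaded
# tarball the way the page's procedure does, but with the signer's
# fingerprint pinned instead of relying on trustdb edits.
# Assumptions: GNU coreutils md5sum/sha1sum (the page uses Solaris
# `digest`), gpg (1.4 or 2.x) in PATH, and a KEYS file already fetched.

# Print the digest from a .md5/.sha1 file regardless of layout. The page
# shows two: "MD5 (file) = hex" and "SHA1(file)= hex"; GNU "hex  file" is
# handled too. The first 32- or 40-digit hex token is taken as the digest.
expected_digest() {
    tr -cs '0-9A-Fa-f' '\n' < "$1" |
        awk 'length($0) == 32 || length($0) == 40 { print tolower($0); exit }'
}

# Recompute the digest of $1 with $3 (md5 or sha1) and compare it with the
# value in hash file $2. Returns 0 on match, 1 on mismatch or bad hash file.
check_digest() {
    file=$1; hashfile=$2; algo=$3
    want=$(expected_digest "$hashfile")
    [ -n "$want" ] || return 1
    got=$("${algo}sum" "$file" | awk '{ print tolower($1) }')
    [ "$got" = "$want" ]
}

# Normalize a fingerprint as printed by gpg: drop spaces, upper-case.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read gpg --status-fd output on stdin; succeed only if a VALIDSIG line
# names the pinned fingerprint ($1), either as the signing key (field 3)
# or as the primary key of a signing subkey (last field), and no
# BADSIG/ERRSIG line appears. Status line shape (constructed from the
# page's key, for illustration):
#   [GNUPG:] VALIDSIG EB138C6AF0FC691001B16D93344A844D751D7F27 2009-09-24 \
#       1253752200 0 4 0 17 2 00 EB138C6AF0FC691001B16D93344A844D751D7F27
check_status() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# Import the project's KEYS file ($3) into a keyring dedicated to this
# check so unrelated keys in your default keyring cannot satisfy it, then
# verify detached signature $2 over file $1 and pin fingerprint $4.
# The trustdb WARNING still goes to stderr but is irrelevant here: the
# fingerprint comparison is the trust decision.
verify_download() {
    file=$1; sigfile=$2; keys=$3; fpr=$4
    ring=./verify-keyring.gpg   # example name; any writable path works
    gpg --no-default-keyring --keyring "$ring" --import "$keys" >/dev/null 2>&1 || return 1
    gpg --no-default-keyring --keyring "$ring" --status-fd 1 \
        --verify "$sigfile" "$file" 2>/dev/null | check_status "$fpr"
}

# Usage, with the hash file and fingerprint from the page's transcript:
#   check_digest httpd-2.2.14.tar.gz httpd-2.2.14.tar.gz.sha1 sha1 &&
#   verify_download httpd-2.2.14.tar.gz httpd-2.2.14.tar.gz.asc KEYS \
#       "EB13 8C6A F0FC 6910 01B1 6D93 344A 844D 751D 7F27" &&
#   echo "httpd-2.2.14.tar.gz: OK"
```

The fingerprint you pin must still come from somewhere other than the KEYS file downloaded alongside the signature (the project's HTTPS site, a keyserver, or a copy saved from an earlier release); once it is pinned, the script refuses any archive signed by a key that merely appears in KEYS, which is exactly the gap the trustdb WARNING is pointing at.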