Digital Signatures

Using Signatures to Verify Downloaded Files

I have changed my signature key, the new ID is 7194FF94!

A backdoor in Irssi reminded me of the need for signed files. Obviously somebody succeeded in replacing the source tarballs on the main site with a tarball that contained a backdoor. For more information have a look at the advisory page.

This could have been easily prevented if the tarballs would have been signed. Well, it's to late now, but we can learn from and and thus all downloads from Penguin-Breeder.Org will be signed from now on.

Using Signatures

I'll use two different signatures for files, the one is called MD5 which is short for message digest number five and the other is called a digital signature.

A regular download link on Penguin-Breeder.Org looks like this:

File Size Last modified Signatures 210B 2002-08-27 16:30 [MD5] [SIG]

You might have already noticed the two new fields "MD5" and "SIG". The first is a link to a file with extension ".md5". This file contains the so-called md5 sum of the download file. Use the utility md5sum to verify the checksum:

        $ md5sum -c OK

If you get another output, the file was corrupted during download or the file was maliciously altered.

The second signature is a so-called digital signature. I signed all files with my private GnuPG key. You can verify this signature with my public key, which is available from most public keyservers (the key-id is 7194FF94), or copy it from here:

      Version: GnuPG v1.4.6 (OpenBSD)
      -----END PGP PUBLIC KEY BLOCK-----

To verify the signature you need to install GnuPG and issue the following commands:

        $ gpg --import pubkey.asc
        gpg: key 7194FF94: public key imported
        gpg: Total number processed: 1
        gpg:               imported: 1
        $ gpg --verify
        gpg: Signature made Sun 24 Jun 2007 02:34:33 PM CEST using DSA key ID 7194FF94
        gpg: Good signature from "Jochen Eisinger (c0ffee) <>"
        gpg: checking the trustdb
        gpg: no ultimately trusted keys found
        gpg: WARNING: This key is not certified with a trusted signature!
        gpg:          There is no indication that the signature belongs to the owner.
        Primary key fingerprint: 1156 D13B C46C 26C5 5C54  9AB9 B578 E004 7194 FF94

The date when the signatures was made may differ in your output.

How Secure are these Signatures?

The MD5 files are just checksums, so anybody could easily regenerate them for altered files. These files are mainly usefull for me to check the files on the server against my local copies quickly.

The digital signatures should be pretty safe. If somebody manages to spoof them he or she has surely better to do than faking my signatures... Just make sure the key id is 7194FF94. To help you remeber this id, it's in the bottom line on every page here.

Why can't I send you encrypted mails?

Because this is a signature key. DSA stands for digital signature algorithm. I can sign stuff with this key, you can verify my signature that's it. No encryption possible.