GPG: the Best Free Crypto You Aren't Using, Part I of II

An introduction to the underappreciated, 100% free utility you didn't know you needed (but do)--GnuPG.
Obtaining, Compiling and Installing GnuPG

GnuPG is, as I mentioned at the beginning, now a standard package in most Linux distributions. As is true of all security software, it's particularly important that you keep current, so even if your distribution includes gpg you'll want to check http://www.gnupg.org/ from time to time so you know when new versions are released.

Naturally, this web site is where you can also obtain the latest source code release of GnuPG. Should you need or wish to build GnuPG from source, simply download the tarball to the directory of your choice (/usr/src is good), and execute the commands below:

cd /usr/src
tar -xzvf gnupg-1.0.6.tar.gz
cd gnupg-1.0.6
./configure
make
make check
make install

Note that your tarball's name may be different; as of this writing GnuPG v1.0.6 was current, but by the time you read this it may not be. The same applies to the directory extracted from the tarball.

Note also that the make check command is optional and somewhat time consuming, but I think it's useful: it prints out some interesting information about supported encryption algorithms and runs a battery of tests that let you know immediately whether gpg built properly. If any of these tests fail, there's no point in running make install until you've fixed the problem. In the unlikely event of a failed test, refer to the files INSTALL and README for clues as to why.

Should gpg Be SetUID=Root?

You may be aware that in general, running programs with their SUID (set user ID) bit set is to be avoided. The SUID bit, which can be set for each file using the chmod command, causes an executable program to run with its owner's privileges regardless of who runs it.

For example, if a program has an s instead of an x in the user portion of its file permissions (as displayed by s -l), and if that program is owned by root, then any time that program is executed it will have the same rights on the system as root; it will be able to do all the things root can do.

Sometimes programs are installed with this bit needlessly set and with ownership assigned to root. This, however, is not one of those cases. You really should run gpg SETUID (SETUID=root, since root owns gpg) in order to mitigate the risk of a hostile user reading memory containing a gpg private key or its passphrase.

After make install finishes, I recommend that you set this bit with the following command:

chmod u+s /usr/bin/gpg
Quick-and-Dirty GnuPG: Verifying a File Signature

After you've installed gpg (whether from source as described above or from your Linux installation media), you're ready to create a personal key pair and start building your own little corner of the Web of Trust. But I've already reached the end of this month's column, so instead let's do something that doesn't require us to have a key pair of our own: verifying a signature created by someone else.

As I mentioned earlier, digitally signing a software package has become a popular means of providing end users with a means of verifying that the software they download is the same software its developer put on-line.

The command to verify a detached signature (a PGP signature can either be attached to the file it was created for, or it may be stored separately in its own file) is gpgv. If we invoke this command on a signature but don't have a copy of the signer's public key, gpgv will return an error. In Listing 1 we see a session in which this occurs.

Listing 1. Sample Signature-Verification Session

Let's dissect Listing 1. There were three commands invoked:

gpgv gpa-0.4.1.tar.gz.sig
gpg --keyserver pgp.mit.edu --recv-keys 621CC013
gpgv --keyring pubring.gpg gpa-0.4.1.tar.gz.sig

The first time I ran gpgv (which you may recall is a stripped-down version of the gpg command used for verifying signatures) I simply supplied the name of the detached signature I wished to verify. Had I had the appropriate public key on gpgv's keyring, $HOME/.gnupg/trustedkeys.gpg, this command would have succeeded, but I didn't, and it didn't.

In the second command, therefore, I ran the regular gpg command with the --recv-keys directive followed by the ID of the key I had been told by gpgv had been used to create the signature. I also specified that gpg should look for this key on the keyserver pgp.mit.edu. The key was there, so this command succeeded.

In the third command, I realized I'd just downloaded the key to my default keyring, $HOME/.gnupg/pubring.gpg, so I used the gpgv's --keyring parameter when I reran it. And this time it worked!

There's only one thing I left out in the example, of course, and that was verifying that the key I took the trouble to download was actually from its alleged owner, Werner Koch. And I did do this—it took all of 20 seconds to do a search on www.google.com for “621CC013 werner koch” that turned up a number of mailing-list postings and web sites on which Werner had included this key ID in his e-mail signature.

Were someone to succeed in hacking the web server from which I downloaded, replacing the file with a Trojan horse or virus and a signature created with a bogus key, and then posting the bogus key on pgp.mit.edu, their skulduggery would be easily detectable by a quick web search like the one I did. I doubt very much that even the most intrepid evildoer would succeed in removing or altering all web sites, Usenet archives, etc., linking his or her victim's name to keys other than the bogus one. So you see, the Web of Trust can work, provided one bothers to do a little follow-up now and then.

I'm already out of space for this month, but there are plenty more useful things to do with GnuPG that we'll discuss in-depth next time. I hope you won't wait until then to try them out!

Resources

Mick Bauer (mick@visi.com) is a network security consultant in the Twin Cities area. He's been a Linux devotee since 1995 and an OpenBSD zealot since 1997, and he enjoys getting these cutting-edge OSes to run on obsolete junk.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

gnupgp

Anonymous's picture

werner koch did not soley write the code...

Link to part II

Anonymous's picture

The article is continued in the second part,
GPG: the Best Free Crypto You Aren't Using, Part II of II

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState