8

I began using GPG4Win/Kleopatra, the GNU Privacy Guard implementation for Windows. More recently I wanted to verify a download of Qubes OS, for which a guide is offered here. They describe a master public key (RSA 4096-bit) used to sign lesser keys, such as ones that sign particular versions of Qubes OS. I was able to verify my download using its detached signature hash signed by the correct lesser key. How would I verify the lesser key is signed by the master key (given no signature is offered for it)?

This question motivates another: How do signatures "usually" accompany the content? Does PGP, TLS, etc. simply concatenate the signature with the ciphertext or padded pre-image, or is there a need for two separate files/packets? Thank you very much in advance.

Polite Master
  • 253
  • 1
  • 2
  • 4
  • In conjunction with the answers below, this is also a useful reference: https://security.stackexchange.com/questions/141501/what-is-the-meaning-of-gnupgs-list-sigs-output – Craig Hicks May 01 '18 at 00:05

2 Answers2

14

Checking a key is signed

The short answer is that you use the command gpg --list-sig <key id>.

For example, I went to the site you listed above and downloaded the qubes release 2 signing key. I then imported that key into my local gpg keyring:

$ gpg --import qubes-release-2-signing-key.asc

which results in the following

pub   rsa4096/0A40E458 2012-11-15 [SC]
uid   [ unknown] Qubes OS Release 2 Signing Key

To check if the key has been signed, you can use the command gpg --list-sig <key id>.

In this case, we can see that the key ID is 0A40E458 from the output above:

$ gpg --list-sig 0A40E458
pub   rsa4096/0A40E458 2012-11-15 [SC]
uid         [ unknown] Qubes OS Release 2 Signing Key
sig 3        0A40E458 2012-11-15  Qubes OS Release 2 Signing Key
sig          36879494 2012-11-15  [User ID not found]

The last entry is the Qubes master key, but it is unknown as I don't have it on my keyring. If I then download the master key, and add it to the keyring: 

$ gpg2 --import ./qubes-master-signing-key.asc 
gpg: key 36879494: public key "Qubes Master Signing Key" imported
gpg: Total number processed: 1
gpg:               imported: 1

I can verify again and see that the release key is correctly signed:

$ gpg2 --list-sig 0A40E458
pub   rsa4096/0A40E458 2012-11-15 [SC]
uid         [ unknown] Qubes OS Release 2 Signing Key
sig 3        0A40E458 2012-11-15  Qubes OS Release 2 Signing Key
sig          36879494 2012-11-15  Qubes Master Signing Key

Verifying signatures

When a file is signed using a gpg key, a separate signature file is created. With the qubes example, they release a .DIGESTS file. See the heading 'Verifying Digests' in the link you provided for more details on how to check such a digest.

Basically, what they have done is taken the file that is purported to come from them, and run a variety of hash algorithms against it. A hash function will take an input file or message, and output a unique fairly short hash string. This is cryptographically created in way that makes it very difficult or nearly impossible to find any other file that would produce the same output.

They then sign this hash string with their GPG key. Both the hash and the signature of that hash text are put inside the .DIGESTS file.

The important part to note with this process is that any change to the original file being verified will produce a completely different hash string. Therefore, when you run the verification command, what is happening on your local machine is that your system is creating it's own hash of the given file and checking that it matches the hash inside the signed text. If they both match, and the signature is verified as coming from the key you have already decided to trust, then you know that the owner of the key has 'signed' the version of the file that you have downloaded.

Dave Satch
  • 306
  • 2
  • 6
6

Proper verification of key signatures is performed with --check-signatures like so:

$ gpg --check-signatures
pub   rsa4096 2017-03-06 [SC]
      5817A43B283DE5A9181A522E1848792F9E2795E9
uid           [ unknown] Qubes OS Release 4 Signing Key
sig!3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key
sig!         DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key

A summary of the number of good/bad signatures will also be displayed at the end...

gpg: 2 good signatures

It seems a tiny detail, but the way gpg conveys important information about keys is unfortunately cryptic. The key signature isn't reported as good/correct unless the sig designator is immediately followed by an ! exclamation mark. A bad signature shows as a minus-sign. Using the "list" commands doesn't perform this verification (notice the missing symbols when --list-sig is used), which is what the question is about.

tasket
  • 171
  • 1
  • 4
  • " --check-sigs :: Same as --list-sigs, but the signatures are verified. Note that for performance reasons the revocation status of a signing key is not shown. This command has the same effect as using --list-keys with --with-sig-check." --- Now, how to check for revocation? The interface and documentation leave gaping security holes in an otherwise sound system. – Craig Hicks Apr 30 '18 at 23:53
  • 1
    BTW the argument should be "--check-sigs" – Craig Hicks Apr 30 '18 at 23:56