Code signing.

A client is getting ready for NIAP certification. Part of this is verifying an ISO signature.

The steps are

  1. Download SHA256SUMS and SHA256SUMS.gpg
  2. Get the key used for the signature
  3. Verify the signature
  4. Check the ISO with sha256sum

Download sums and signature (SHA256SUMS and SHA256SUMS.gpg) from a mirror and save in a suitable working directory.

Find out what key was used to issue the signature:

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

gpg: Signature made Mon 09 Dec 2019 03:54:15 PM EST
gpg:                using RSA key 1A5D6C4C7DB87C81
gpg: Good signature from "UEC Image Automatic Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D2EB 4462 6FDD C30B 513D  5BB7 1A5D 6C4C 7DB8 7C81

Obtain the public key from the key server:

gpg --keyid-format long --keyserver hkp:// --recv-keys 1A5D6C4C7DB87C81


gpg: key 1A5D6C4C7DB87C81: 2 signatures not checked due to missing keys
gpg: key 1A5D6C4C7DB87C81: "UEC Image Automatic Signing Key" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Verify the key fingerprints:

gpg --keyid-format long --list-keys --with-fingerprint 1A5D6C4C7DB87C81


pub   rsa4096/1A5D6C4C7DB87C81 2009-09-15 [SC]
      Key fingerprint = D2EB 4462 6FDD C30B 513D  5BB7 1A5D 6C4C 7DB8 7C81
uid                 [ unknown] UEC Image Automatic Signing Key

Verify the signature:

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

Check the ISO and grep through the sums automatically:

sha256sum -c <(grep <iso filename> SHA256SUMS)


<iso filename>: OK
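The four steps above, combined into one script, as an added example that is not part of the original post. It assumes gpg and sha256sum are on PATH and that gpg already has a keyserver configured (the post's own --recv-keys command names one, truncated here, so the script leaves it to gpg.conf); the key id and fingerprint are the ones printed in the gpg output above, and the colon-format gpg listing in the test is constructed. Two things the script makes explicit that the transcript only implies: the fingerprint of the fetched key is compared against a fingerprint you already held before fetching it (listing the fingerprint of the key you just downloaded tells you only what you downloaded), and the SHA256SUMS lookup matches the exact file name instead of a grep substring, so an entry whose name contains the ISO name cannot be picked by mistake.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the post's four steps in
# functions so each check returns a status a script can act on.
# Assumes: gpg and sha256sum on PATH; a keyserver configured for gpg.
set -e

KEY_ID="1A5D6C4C7DB87C81"
# Known-good fingerprint, held before the key is fetched (value from the
# post's gpg output). A fingerprint read off the key you just downloaded
# proves nothing by itself; it has to be compared with one obtained elsewhere.
EXPECTED_FPR="D2EB44626FDDC30B513D5BB71A5D6C4C7DB87C81"

# Step 1 is a plain download of SHA256SUMS and SHA256SUMS.gpg from a mirror;
# the mirror URL is left to the caller.

# Step 2: import the signing key via the keyserver configured for gpg.
fetch_key() {
    gpg --keyid-format long --recv-keys "$KEY_ID"
}

# Extract the primary-key fingerprint from gpg's machine-readable listing
# (--with-colons): the "fpr" record carries it in field 10. Reads stdin so
# it can be exercised without gpg installed.
fingerprint_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Returns 0 only if the imported key's fingerprint equals EXPECTED_FPR.
check_key_fingerprint() {
    actual=$(gpg --with-colons --fingerprint "$KEY_ID" 2>/dev/null | fingerprint_from_colons)
    [ "$actual" = "$EXPECTED_FPR" ]
}

# Step 3: verify the detached signature over the sums file.
verify_sums_signature() {
    gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
}

# Step 4: check one ISO against the verified SHA256SUMS. The line is selected
# by exact file name (second field, with or without the "*" binary marker),
# so a name that is a substring of another entry cannot select the wrong line.
# Feeding the single line to sha256sum on stdin avoids bash-only process
# substitution, so this runs under plain POSIX sh.
check_iso_sum() {
    iso="$1"
    sums="${2:-SHA256SUMS}"
    awk -v f="$iso" '$2 == f || $2 == "*" f' "$sums" | sha256sum -c --status -
}

# All steps in order; set -e stops at the first failing step.
verify_iso() {
    fetch_key
    check_key_fingerprint || { echo "fingerprint mismatch for $KEY_ID" >&2; return 1; }
    verify_sums_signature
    check_iso_sum "$1" && echo "$1: OK"
}

# Runs the whole chain when given an ISO name, e.g.: sh verify-iso.sh ubuntu.iso
[ $# -eq 0 ] || verify_iso "$1"
```

The fingerprint in EXPECTED_FPR should come from a source independent of the key server (the distributor's website over HTTPS, a previously verified copy, or the NIAP documentation package), which is the whole point of the comparison.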
