Thursday, May 27, 2010

Securely Download Tomcat

My Goal - securely download the latest version of Tomcat from Apache’s website.

The "securely" part is the most troublesome and led to the checksum discussion the other day. The Apache web site provides two signatures, PGP and MD5. As already noted, MD5 is considered compromised, so to "securely" download the latest version I need to verify the download via the PGP signature. I was able to mostly do this, with one exception.

First I chose to download Gpg4win 2.0.2, GNU's PGP for Windows, from GNU's affiliated web site. So far, so good. I verified that the downloaded file was intact via the SHA-1 algorithm and installed the software.

A few notes:
  • I'm trusting that I went to the right web site
  • I'm trusting that the web site had the latest official Gpg4win 2.0.2. In other words, some hacker had not managed to breach their site and sign and place a tampered version of GNU's PGP in its place.
Enough said. I went back to the Apache web site and followed their instructions for verifying the PGP signatures.

I would recommend viewing their site, but to sum up what they said:
  1. Downloaded the PGP signature file. It should end with ".asc".
  2. From the command line, entered:

       gpg apache-tomcat-6.0.26-windows-x64.zip.asc

     Returned:

       gpg: Signature made 03/09/10 12:10:49 Eastern Standard Time using RSA key ID D3262722
       gpg: Can't check signature: No public key

  3. So the signature looks ok, but there is no public key against which to validate it.
  4. Next step: import the key. I did it from the command line initially because I could not figure out how to use MIT's key server at first (hint: follow the directions and prefix the key id with 0x, e.g. 0xD3262722).

       gpg --keyserver pgpkeys.mit.edu --recv-key D3262722

  5. Now gpg reports that the signature is good but the key is not certified:

       WARNING: This key is not certified with a trusted signature!
       There is no indication that the signature belongs to the owner.

  6. Finally, I went into Kleopatra, my certificate manager, right-clicked the newly added certificate (Jean-Frederic Clere (Apache signing key)) and selected "Certify Certificate...". Here's where I did not do the verification I should have. I didn't really know that Jean-Frederic Clere exists, or (if he does) that he was an official Apache developer. Ideally I would meet him in person with photo ID(s), or at least verify the fingerprint of the signing key with him in some way. Namely: Key fingerprint = B3F4 9CD3 B9BD 2996 DA90 F817 ED38 73F5 D326 2722.

  7. Despite skipping this crucial step, I think this was ok for demo purposes.

I was then able to run:

    gpg apache-tomcat-6.0.26-windows-x64.zip.asc

And received the message:

    gpg: Signature made 03/09/10 12:10:49 Eastern Standard Time using RSA key ID D3262722
    gpg: Good signature from "Jean-Frederic Clere (Apache signing key) "
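As an added example that is not part of the original post: the procedure above as a shell script, with the fingerprint check the post says it skipped. It pins the expected fingerprint and reads gpg's machine-readable status output instead of trusting the human-readable "Good signature" line, so the uncertified-key warning no longer needs to be resolved by certifying in Kleopatra. It assumes gpg on the PATH and a POSIX shell; the key ID, file name and fingerprint are the ones quoted in the post.

```shell
# Expected fingerprint of the Apache signing key, as quoted in the post.
EXPECTED_FPR="B3F4 9CD3 B9BD 2996 DA90 F817 ED38 73F5 D326 2722"

# Normalize a fingerprint for comparison: drop spaces, uppercase the hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read gpg --status-fd output on stdin and print the fingerprint carried by
# the first VALIDSIG line ("[GNUPG:] VALIDSIG <fpr> <date> ..."); print
# nothing when the signature did not verify (no VALIDSIG line at all).
validsig_fpr() {
    awk '$2 == "VALIDSIG" { print $3; exit }'
}

# Succeed only if the status stream on stdin shows a valid signature AND
# the signing key is the pinned one. A good signature from some other key
# (which gpg would still report as "Good signature") fails this check.
status_matches_pinned() {
    fpr=$(validsig_fpr)
    [ -n "$fpr" ] && [ "$(norm_fpr "$fpr")" = "$(norm_fpr "$EXPECTED_FPR")" ]
}

# The post's procedure end to end: fetch the key, then verify the zip
# against its detached .asc signature and pin the signer's fingerprint.
# Usage: verify_tomcat apache-tomcat-6.0.26-windows-x64.zip
verify_tomcat() {
    zip="$1"
    sig="$1.asc"
    gpg --keyserver pgpkeys.mit.edu --recv-key 0xD3262722 || return 1
    # --status-fd 1 sends the machine-readable status lines to stdout;
    # the human-readable output (including the WARNING) goes to stderr.
    gpg --status-fd 1 --verify "$sig" "$zip" 2>/dev/null | status_matches_pinned
}
```

The fingerprint still has to be obtained out of band (from the Apache site over a trusted channel or from the developer); the script only makes sure the download was signed by that key rather than by any key that happens to be in the keyring.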
