Monday, September 6, 2010

Verifying the Integrity of Ant

I'm trying to learn the steps to securely download software from the web. I find this rather tedious and difficult. Does anyone really do this? I'm not sure I am doing this correctly, but here are the steps I took for Apache Ant.

1. Went to the apache web site: http://ant.apache.org/

Note: As an extra precaution, I google it first rather than type the web site into the URL bar.

2. I clicked the link to go to the: http://ant.apache.org/bindownload.cgi page.

3. I scrolled down a bit and found an entry for:

.zip archive: apache-ant-1.8.1-bin.zip [PGP] [SHA1] [SHA512] [MD5]

I downloaded this one as I am using Windows.

4. I verified the SHA1 and MD5 signatures via the previously downloaded tools. However, as noted, MD5 is compromised and SHA1, I believe, is not as secure as I would like. A failure indicates a problem but a success doesn't tell me enough to feel confident.

5. I downloaded the PGP signature, right clicked the "[PGP]" link and selected "Save Link As...".

6. Further down the page, there is a reference to a KEYS file. I right clicked the "KEYS" link and selected "Save Link As...". For some reason, Windows saved it as a text file, so I removed the .txt extension.

7. I then ran, per the Ant web site: gpg --import KEYS
This imported a number of keys, 16 or so. I opened Kleopatra and could see them under Other Certificates.

8. I then ran, per the Ant web site:
C:\ant>gpg --verify apache-ant-1.8.1-bin.zip.asc
gpg: Signature made 05/01/10 00:17:25 Eastern Daylight Time using DSA key ID 265B4C63
gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer) "
gpg: aka "Antoine Levy-Lambert (Apache Ant Committer) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B 84B0 8614 D6AB 265B 4C63

9. Things look good but the WARNING bothers me. So I went to MIT's PGP web site: http://pgp.mit.edu/.

10. I checked the "Show PGP fingerprints for key" checkbox. I then entered, in the Search String field, the certificate key ID prefixed by 0x and clicked "Do the search!": 0x265B4C63

11. I got back:
pub  1024D/265B4C63 2003-08-18 Antoine Levy-Lambert (Apache Ant Committer) 
Antoine Levy-Lambert (Apache Ant Committer)
Fingerprint=06A2 28AA B83A 18A8 DF7B 84B0 8614 D6AB 265B 4C63
This made me feel better, especially when I matched the Fingerprint.

12. I then went to Kleopatra, clicked the "Other Certificates" tab, found the certificate for Antoine Levy-Lambert (Apache Ant Committer) and right clicked it. The top line had an option to "Certify Certificate...". I selected that option.

13. When prompted, I checked both boxes for the IDs I wished to certify. I then clicked the "Next" button.

14. For step 2, I selected "Certify only for myself". I didn't actually meet or even talk to Antoine so I thought this was best. I then clicked "Certify".

15. I was prompted for my passphrase, which I am glad I remembered. I entered it and clicked "Ok".

16. The message "Certification successful" displayed. I clicked "Finish".

17. I re-ran the command I had run previously, and this time I didn't get a warning. Yay!

C:\ant>gpg --verify apache-ant-1.8.1-bin.zip.asc
gpg: Signature made 05/01/10 00:17:25 Eastern Daylight Time using DSA key ID 265B4C63
gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer) "
gpg: aka "Antoine Levy-Lambert (Apache Ant Committer) "

C:\ant>

18. I continued to unzip and install Apache Ant.
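The following script is an added example written for this page; it is not code from the original post or from the Apache Ant project. It automates the two checks the walk-through does by hand: step 4 (comparing the download with the digest in an Apache-style checksum file, in either the coreutils "HEX  file" layout or the "gpg --print-md" layout "file: AAAA BBBB ...") and steps 8 through 11 (pinning the signer by full fingerprint). The point it adds is that a short key ID such as 265B4C63 is only the last 32 bits of the fingerprint, and keys with a chosen short ID are cheap to generate, so "Good signature from <name>" plus a matching key ID proves nothing by itself; only the full fingerprint does. The archive bytes, checksum files, look-alike fingerprint and gpg status lines below are all constructed for the example (the status lines follow the --status-fd format documented in GnuPG's doc/DETAILS; the real fingerprint is the one gpg printed in the post).

```python
"""Added example for the Ant verification walk-through (not the post's or
Apache Ant's code). Sample data is constructed; see the lead-in."""
import hashlib
import hmac
import re

# Constructed stand-in for the archive bytes (the real zip is not
# embedded); its digests are the standard test vectors for "abc".
SAMPLE_ARCHIVE = b"abc"
ARCHIVE_NAME = "apache-ant-1.8.1-bin.zip"

# Constructed checksum files in the two layouts Apache mirrors have used.
SAMPLE_SHA512 = (
    "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
    "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
    "  apache-ant-1.8.1-bin.zip\n"
)
SAMPLE_MD5 = (
    "apache-ant-1.8.1-bin.zip: 9001 5098 3CD2 4FB0 D696 3F7D\n"
    "                          28E1 7F72\n"
)

# Fingerprint gpg printed in the post, and a constructed look-alike that
# shares only the short key ID 265B4C63 (not a real key).
PAGE_FPR = "06A2 28AA B83A 18A8 DF7B 84B0 8614 D6AB 265B 4C63"
LOOKALIKE_FPR = "0000 1111 2222 3333 4444 5555 6666 7777 265B 4C63"

# Constructed "gpg --status-fd 1 --verify" output for the post's signature,
# following the VALIDSIG/GOODSIG line format from GnuPG's doc/DETAILS.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 8614D6AB265B4C63 Antoine Levy-Lambert (Apache Ant Committer)\n"
    "[GNUPG:] VALIDSIG 06A228AAB83A18A8DF7B84B08614D6AB265B4C63 2010-05-01 "
    "1272687445 0 4 0 17 2 00 06A228AAB83A18A8DF7B84B08614D6AB265B4C63\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)


def parse_checksum_file(text):
    """Return {filename: lowercase hex digest} for every entry in the file."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # coreutils layout: "<hex>  <file>" or "<hex> *<file>" (MD5 is 32 hex)
        m = re.match(r"^([0-9A-Fa-f]{32,})\s+\*?(\S+)$", line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
            current = None
            continue
        # gpg --print-md layout: "<file>: AAAA BBBB ...", may wrap onto
        # continuation lines that carry only more hex groups
        m = re.match(r"^(\S+):\s*(.*)$", line)
        if m:
            current = m.group(1)
            entries[current] = ""
            line = m.group(2)
        if current is None:
            raise ValueError("unrecognised checksum line: %r" % line)
        entries[current] += re.sub(r"\s+", "", line).lower()
    return entries


def verify_digest(data, expected_hex, algo):
    """Constant-time compare of the data's digest with the published value."""
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_archive(data, filename, checksum_text, algo):
    """True iff the checksum file lists filename and its digest matches data."""
    digests = parse_checksum_file(checksum_text)
    return filename in digests and verify_digest(data, digests[filename], algo)


def normalize_fingerprint(fpr):
    """Strip the display grouping so '06A2 28AA ...' and '06a228aa...' compare."""
    return re.sub(r"\s+", "", fpr).upper()


def keyid_matches_fingerprint(keyid, fpr):
    """A short key ID is just the last 8 hex digits of a V4 fingerprint."""
    keyid = normalize_fingerprint(keyid)
    if keyid.startswith("0X"):
        keyid = keyid[2:]
    return normalize_fingerprint(fpr).endswith(keyid)


def fingerprints_equal(a, b):
    return hmac.compare_digest(normalize_fingerprint(a), normalize_fingerprint(b))


def signature_pins_to(status_text, pinned_fpr):
    """True only if gpg reported a valid signature whose PRIMARY key fingerprint
    (last field of the VALIDSIG status line) equals the fingerprint we pinned."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return fingerprints_equal(parts[-1], pinned_fpr)
    return False


if __name__ == "__main__":
    print("sha512 ok:", verify_archive(SAMPLE_ARCHIVE, ARCHIVE_NAME, SAMPLE_SHA512, "sha512"))
    print("md5 ok:", verify_archive(SAMPLE_ARCHIVE, ARCHIVE_NAME, SAMPLE_MD5, "md5"))
    print("short ID also fits look-alike:", keyid_matches_fingerprint("0x265B4C63", LOOKALIKE_FPR))
    print("pins to Antoine's key:", signature_pins_to(SAMPLE_STATUS, PAGE_FPR))
    print("pins to look-alike:", signature_pins_to(SAMPLE_STATUS, LOOKALIKE_FPR))
```

To get the machine-readable status lines from a real run, use gpg --status-fd 1 --verify apache-ant-1.8.1-bin.zip.asc apache-ant-1.8.1-bin.zip and feed the output to signature_pins_to with the fingerprint you confirmed out of band (the keyserver lookup in step 11, or a second independent source). The command-line equivalent of Kleopatra's "Certify only for myself" in step 14 is gpg --lsign-key followed by the full fingerprint, which records a local, non-exportable certification and silences the warning in the same way.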
