I'm trying to learn the steps to securely download software from the web. I find this rather tedious and difficult. Does anyone really do this? I'm not sure I am doing this correctly, but here are the steps I took for Apache Ant.
1. Went to the apache web site: http://ant.apache.org/
Note: As an extra precaution, I google it first rather than type the web site address into the URL bar.
2. I clicked the link to go to the http://ant.apache.org/bindownload.cgi page.
3. I scrolled down a bit and found an entry for:
.zip archive: apache-ant-1.8.1-bin.zip [PGP] [SHA1] [SHA512] [MD5]
I downloaded this one as I am using Windows.
4. I verified the SHA1 and MD5 signatures via the previously downloaded tools. However, as noted, MD5 is compromised and SHA1, I believe, is not as secure as I would like. A failure indicates a problem but a success doesn't tell me enough to feel confident.
5. I downloaded the PGP signature, right clicked the "[PGP]" link and selected "Save Link As...".
6. Further down the page, there is a reference to a KEYS file. I right clicked the "KEYS" link and selected "Save Link As...". For some reason Windows saved it as a text file. However, I removed the .txt extension.
7. I then ran, per the Ant web site:
gpg --import KEYS
This imported a number of keys - 16 or so. I opened Kleopatra and could see them under Other Certificates.
8. I then ran, per the Ant web site:
C:\ant>gpg --verify apache-ant-1.8.1-bin.zip.asc
gpg: Signature made 05/01/10 00:17:25 Eastern Daylight Time using DSA key ID 265B4C63
gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer) "
gpg: aka "Antoine Levy-Lambert (Apache Ant Committer) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B 84B0 8614 D6AB 265B 4C63
9. Things look good but the WARNING bothers me. So I went to MIT's PGP web site: http://pgp.mit.edu/.
10. I checked the "Show PGP fingerprints for key" checkbox. I then entered in the Search String field the certificate key ID prefixed by 0x and clicked "Do the search!": 0x265B4C63
11. I got back:
pub 1024D/265B4C63 2003-08-18 Antoine Levy-Lambert (Apache Ant Committer)
Antoine Levy-Lambert (Apache Ant Committer)
Fingerprint=06A2 28AA B83A 18A8 DF7B 84B0 8614 D6AB 265B 4C63
This made me feel better, especially when I matched the Fingerprint.
12. I then went to Kleopatra, clicked the "Other Certificates" tab, found the certificate for Antoine Levy-Lambert (Apache Ant Committer) and right clicked it. The top line had an option to "Certify Certificate...". I selected that option.
13. When prompted, I checked both boxes for the IDs I wished to certify. I then clicked the "Next" button.
14. For step 2, I selected "Certify only for myself". I didn't actually meet or even talk to Antoine so I thought this was best. I then clicked "Certify".
15. I was prompted for my passphrase, which I am glad I remembered. I entered it and clicked "Ok".
16. The message, Certification successful displayed. I clicked 'Finish'.
17. I re-ran the command I had run previously, and this time I didn't get a warning. Yea!
C:\ant>gpg --verify apache-ant-1.8.1-bin.zip.asc
gpg: Signature made 05/01/10 00:17:25 Eastern Daylight Time using DSA key ID 265B4C63
gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer) "
gpg: aka "Antoine Levy-Lambert (Apache Ant Committer) "
C:\ant>
18. I continued to unzip and install Apache Ant.
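The checks in steps 4 and 8 to 11 above, scripted, as an added example that is not part of the original post and not code from the Apache Ant project. It is a bash script (on Windows it can be run from Git Bash or WSL) and assumes GnuPG 2.x plus a published .sha512 file in the "<hex> *<file>" or "<hex>  <file>" layout; the file names and the hypothetical script name verify-download.sh are illustrative. The point it makes is that the "WARNING: This key is not certified" line only reports that the key is outside your web of trust; what actually ties the signature to the project is the fingerprint you recorded from the KEYS file, so the script pins that fingerprint and never needs the certify-in-Kleopatra step at all.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from the Apache Ant
# project: verify a downloaded archive against its published SHA-512 file
# and its detached PGP signature, pinning the signer's fingerprint instead
# of certifying the key in a GUI. Assumes GnuPG 2.x and a .sha512 file in
# the "<hex> *<file>" or "<hex>  <file>" layout. File names are illustrative.
set -u

# Lowercase hex SHA-512 of a file, using whichever digest tool is installed.
sha512_of() {
  local f="$1"
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$f" | awk '{print tolower($1)}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 512 "$f" | awk '{print tolower($1)}'
  else
    openssl dgst -sha512 -r "$f" | awk '{print tolower($1)}'
  fi
}

# Compare the archive's digest with the first 128-hex-digit token in the
# checksum file (case-insensitive, CRLF tolerated). Returns 0 on match.
# A match only shows the archive and the checksum file agree with each
# other; it proves nothing about who produced them, so the signature check
# below is the one that carries the weight.
verify_sha512() {
  local archive="$1" sumfile="$2" expected actual
  expected=$(tr -d '\r' < "$sumfile" | grep -oiE '[0-9a-f]{128}' | head -n 1 | tr 'A-F' 'a-f')
  if [ -z "$expected" ]; then
    echo "no SHA-512 digest found in $sumfile" >&2
    return 1
  fi
  actual=$(sha512_of "$archive")
  if [ "$expected" = "$actual" ]; then
    echo "SHA-512 OK: $archive"
    return 0
  fi
  echo "SHA-512 MISMATCH: $archive" >&2
  return 1
}

# Verify a detached signature and require that it was made by the key whose
# fingerprint you recorded from the KEYS file. gpg's "WARNING: This key is
# not certified" only says the key is outside your web of trust; comparing
# the fingerprint here is the actual check, so the warning can be ignored
# and the key never needs to be certified. Uses gpg's machine-readable
# status lines: VALIDSIG's first argument is the signing key's fingerprint
# and its tenth is the primary key's fingerprint.
verify_gpg_pinned() {
  local archive="$1" sigfile="$2" expected status good signer primary
  expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
  status=$(gpg --batch --status-fd 1 --verify "$sigfile" "$archive" 2>/dev/null) || true
  good=$(printf '%s\n' "$status" | awk '$2 == "GOODSIG" {print $3; exit}')
  signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" {print $3; exit}')
  primary=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" {print $12; exit}')
  if [ -z "$good" ] || [ -z "$signer" ]; then
    echo "PGP BAD: no good signature on $archive (bad signature, or key not imported)" >&2
    return 1
  fi
  if [ "$primary" = "$expected" ] || [ "$signer" = "$expected" ]; then
    echo "PGP OK: $archive is signed by pinned key $expected"
    return 0
  fi
  echo "PGP UNEXPECTED SIGNER: $archive was signed by $primary, expected $expected" >&2
  return 1
}

# Usage: verify-download.sh ARCHIVE SIGFILE FINGERPRINT [SUMFILE]
# e.g.:  verify-download.sh apache-ant-1.8.1-bin.zip apache-ant-1.8.1-bin.zip.asc \
#          "06A2 28AA B83A 18A8 DF7B 84B0 8614 D6AB 265B 4C63" apache-ant-1.8.1-bin.zip.sha512
# With no arguments the file only defines the functions above.
if [ "$#" -ge 3 ]; then
  rc=0
  if [ "$#" -ge 4 ]; then verify_sha512 "$1" "$4" || rc=1; fi
  verify_gpg_pinned "$1" "$2" "$3" || rc=1
  exit "$rc"
fi
```

Run it after `gpg --import KEYS` with the fingerprint copied from the KEYS file (or from the project's own site), not from a keyserver search: the keyserver lookup in steps 9 to 11 only tells you that some key with that ID is published, which anyone can arrange, and the fingerprint shown there is the same one gpg already printed. The script fails on a bad signature, on a signature by a key that is not the pinned one, and on a key that is not in the keyring at all.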