Installing Ant is pretty straightforward.
A few items of note:
1. Make sure the JDK is installed.
C:\ant>java -version
java version "1.6.0_20"
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01, mixed mode)
2. Make sure that JAVA_HOME is set.
C:\ant>echo %JAVA_HOME%
C:\Program Files\Java\jdk1.6.0_20
3. Make sure that ANT_HOME is set.
C:\ant>echo %ANT_HOME%
C:\ant\apache-ant-1.8.1
4. Make sure ant is in the path.
C:\ant>ant -version
Apache Ant version 1.8.1 compiled on April 30 2010
Ready to roll...
Monday, September 6, 2010
Verifying the Integrity of Ant
I'm trying to learn the steps to securely download software from the web. I find this rather tedious and difficult. Does anyone really do this? I'm not sure I am doing this correctly but here are the steps I took for Apache Ant.
1. Went to the apache web site: http://ant.apache.org/
Note: As an extra precaution, I google it first rather than type the web site in the url.
2. I clicked the link to go to the: http://ant.apache.org/bindownload.cgi page.
3. I scrolled down a bit and found an entry for:
.zip archive: apache-ant-1.8.1-bin.zip [PGP] [SHA1] [SHA512] [MD5]
I downloaded this one as I am using Windows.
4. I verified the SHA1 and MD5 checksums via the previously downloaded tools. However, as noted, MD5 is compromised and SHA1, I believe, is not as secure as I would like. A failure indicates a problem but a success doesn't tell me enough to feel confident.
5. I downloaded the PGP signature, right clicked the "[PGP]" link and selected "Save Link As...".
6. Further down the page, there is a reference to a KEYS file. I right clicked the "KEYS" link and selected "Save Link As...". For some reason Windows saved it as a text file. However, I removed the .txt extension.
7. I then ran, per the Ant web site:
gpg --import KEYS
This imported a number of keys - 16 or so. I opened Kleopatra and could see them under Other Certificates.
8. I then ran, per the Ant web site:
C:\ant>gpg --verify apache-ant-1.8.1-bin.zip.asc
gpg: Signature made 05/01/10 00:17:25 Eastern Daylight Time using DSA key ID 265B4C63
gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer)"
gpg: aka "Antoine Levy-Lambert (Apache Ant Committer)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 06A2 28AA B83A 18A8 DF7B 84B0 8614 D6AB 265B 4C63
9. Things look good but the WARNING bothers me. So I went to MIT's PGP key server: http://pgp.mit.edu/.
10. I checked the "Show PGP fingerprints for key" checkbox. I then entered in the Search String field the certificate key ID prefixed by 0x and clicked "Do the search!": 0x265B4C63
11. I got back:
pub 1024D/265B4C63 2003-08-18 Antoine Levy-Lambert (Apache Ant Committer)
Antoine Levy-Lambert (Apache Ant Committer)
Fingerprint=06A2 28AA B83A 18A8 DF7B 84B0 8614 D6AB 265B 4C63
This made me feel better, especially when I matched the Fingerprint.
12. I then went to Kleopatra, clicked the "Other Certificates" tab, found the certificate for Antoine Levy-Lambert (Apache Ant Committer) and right clicked it. The top line had an option to "Certify Certificate...". I selected that option.
13. When prompted, I checked both boxes for the IDs I wished to certify. I then clicked the "Next" button.
14. For step 2, I selected "Certify only for myself". I didn't actually meet or even talk to Antoine so I thought this was best. I then clicked "Certify".
15. I was prompted for my passphrase, which I am glad I remembered. I entered it and clicked "Ok".
16. The message "Certification successful" displayed. I clicked 'Finish'.
17. I re-ran the command I had run previously and this time I didn't get a warning. Yea
C:\ant>gpg --verify apache-ant-1.8.1-bin.zip.asc
gpg: Signature made 05/01/10 00:17:25 Eastern Daylight Time using DSA key ID 265B4C63
gpg: Good signature from "Antoine Levy-Lambert (Apache Ant Committer)"
gpg: aka "Antoine Levy-Lambert (Apache Ant Committer)"
C:\ant>
18. I continued to unzip and install Apache Ant.
Thursday, May 27, 2010
Securely Download Tomcat
My Goal - securely download the latest version of Tomcat from Apache’s website.
The "securely" part is the most troublesome and led to the checksum discussion the other day. The Apache web site has two signatures, PGP and MD5. As already noted, MD5 is considered compromised, so to "securely" download the latest version I need to verify the download via the PGP signature. I was able to mostly do this, with one exception.
First I chose to download Gpg4win 2.0.2 - GNU's PGP for Windows - from GNU's affiliated web site. So far, so good. I verified the download file was intact via the SHA-1 algorithm and installed the software.
A few notes:
- I'm trusting that I went to the right web site.
- I'm trusting that the web site had the latest official Gpg4win 2.0.2. In other words, some hacker had not managed to breach their site, sign and place a tampered version of GNU's PGP in its place.
I would recommend viewing their site, but to sum up what they said:
- Downloaded the PGP signature file. Should end with ".asc".
- From the command line, entered:
Returned:
gpg: Signature made 03/09/10 12:10:49 Eastern Standard Time using RSA key ID D3262722
gpg: Can't check signature: No public key
- So the signature looks ok but there is no public key against which to validate it.
- Next step, import the key. I did it from the command line initially because I could not figure out how to use MIT's server at first (hint, follow directions and prefix the key id with 0x, e.g. 0xD3262722).
gpg --keyserver pgpkeys.mit.edu --recv-key D3262722
- Now I get the error that the signature is good but the key is not certified.
There is no indication that the signature belongs to the owner.
- Finally, I went into Kleopatra, my certificate manager, right-clicked the newly added certificate (Jean-Frederic Clere (Apache signing key)) and selected "Certify Certificate...". Here's where I did not do the verification I should have. I didn't really know that Jean-Frederic Clere exists and, if he does, that he was an official Apache developer. Ideally I would meet with him in person with photo id(s), or at least verify in some way the key fingerprint of the signing key with him. Namely: Key fingerprint = B3F4 9CD3 B9BD 2996 DA90 F817 ED38 73F5 D326 2722.
- Despite skipping this crucial step, I think this was ok for demo purposes.
I was then able to run:
gpg apache-tomcat-6.0.26-windows-x64.zip.asc
And received the message:
gpg: Signature made 03/09/10 12:10:49 Eastern Standard Time using RSA key ID D3262722
gpg: Good signature from "Jean-Frederic Clere (Apache signing key)"
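Both the Ant and the Tomcat posts above end up matching a key fingerprint by hand and then certifying the key locally to silence the WARNING. As an added example that is not from the posts or from Apache, here is a Python wrapper around GnuPG's documented --status-fd interface that makes the decision the other way round: it accepts a release only when gpg reports VALIDSIG and the primary-key fingerprint equals one pinned out of band, and it ignores the trust warning entirely. The status lines in SAMPLE_STATUS are constructed for the test; the fingerprints and key id are the ones the posts quote.

```python
"""Accept a release only on gpg's machine-readable VALIDSIG status plus a
fingerprint pinned out of band; the human-readable 'WARNING: not certified'
text plays no part in the decision."""
import subprocess

# Fingerprints the posts matched by hand against the KEYS file / key server.
TOMCAT_SIGNING_FPR = "B3F4 9CD3 B9BD 2996 DA90 F817 ED38 73F5 D326 2722"
ANT_SIGNING_FPR = "06A2 28AA B83A 18A8 DF7B 84B0 8614 D6AB 265B 4C63"

def normalize_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()

def parse_status(status_text: str) -> dict:
    """Extract GOODSIG / VALIDSIG / TRUST_* facts from '[GNUPG:]' status lines."""
    s = {"goodsig": False, "sig_fpr": None, "primary_fpr": None, "trust": None}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "GOODSIG":          # BADSIG/EXPKEYSIG/REVKEYSIG never set this
            s["goodsig"] = True
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pkalgo> <hash> <class> <primary-fpr>
            s["sig_fpr"] = fields[2]
            if len(fields) >= 12:
                s["primary_fpr"] = fields[11]   # set when a signing subkey was used
        elif tag.startswith("TRUST_"):
            s["trust"] = tag          # informational only; pinning replaces web-of-trust
    return s

def signature_accepted(status_text: str, pinned_fpr: str) -> bool:
    """Good signature AND made by (a subkey of) the exact key we pinned."""
    s = parse_status(status_text)
    fpr = s["primary_fpr"] or s["sig_fpr"]
    return s["goodsig"] and fpr is not None and fpr == normalize_fpr(pinned_fpr)

def verify_with_gpg(sig_path: str, data_path: str, pinned_fpr: str) -> bool:
    """Run the real gpg (Gpg4win or any GnuPG) and decide from its status lines."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return signature_accepted(proc.stdout, pinned_fpr)

# Constructed sample of the status output for the Tomcat post's run (timestamp
# and algorithm fields made up; the key id and fingerprint are the post's).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG ED3873F5D3262722 Jean-Frederic Clere (Apache signing key)
[GNUPG:] VALIDSIG B3F49CD3B9BD2996DA90F817ED3873F5D3262722 2010-03-09 1268154649 0 4 0 1 2 00 B3F49CD3B9BD2996DA90F817ED3873F5D3262722
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

Pinning the fingerprint is what the "Certify only for myself" step in Kleopatra was standing in for; the pinned value still has to come from somewhere other than the download page itself.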
Wednesday, May 26, 2010
How do I Verify the signatures of My Downloads (Checksum)
Disclaimer: These are my thoughts. I am not sure if this is correct but this is what I currently believe. I may or may not change this as my.
Windows 7 does not have a built in checksum utility, unlike Linux, Mac and other O/S's. This creates a chicken and egg problem. How can I verify that the checksum software I download is legitimate if I currently don't have a way to verify downloads? In other words, how do I know the checksum software I just downloaded has not been tampered with?
The short answer is there is none. I really think Microsoft should have a checksum utility as part of their O/S.
The correct answer is find some other PC or O/S that presumably has a trusted checksum utility on it and verify the download against that one.
This is what I did. It's less than ideal and I wouldn't recommend it for PCs that contain any sensitive or personal information (like most all of them). But at least this will get me in the habit of checking software I download.
Here are some options:
- Download from Microsoft
Pros:
It is from Microsoft's web site so it is presumably safe.
Cons:
Unsupported
Primitive UI - command line interface only
Syntax: fciv.exe -sha1 C:\Downloads\file_to_verify.exe
Note: I copied fciv.exe into the "C:\Windows\System32" directory so that the path would not have to be specified. No other files needed to be copied as it was a self-contained executable. In other words, it did not need to be installed.
- Download freeware
Pros:
Free
Excellent User Interface - Incorporates into O/S well
View hash by selecting file and clicking - File Properties - File Hashes
Cons:
May be a well known organization but I have never heard of them
Is installed on my PC (trade-off from Pro above)
http://www.beeblebrox.org/
- Download another freeware
Pros:
Free
Good User Interface
Single executable
Cons:
Lacks name brand backing by well known company.
http://raylin.wordpress.com/downloads
Note: As described in Wikipedia and by the US-Cert Web Site, the MD5 hash is now documented to be vulnerable and should be considered as compromised. The short of it being, if you are going to bother to verify the download, verify with something that is not vulnerable to tampering.
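The post compares checksum tools but not what the check itself looks like once a tool is trusted. As an added example that is not from the post or from any of the tools it lists, here is the verification in Python: read the .sha1/.sha512 file published beside the archive (the layouts 'HASH  name', 'HASH *name' and a bare hash line are all accepted; .md5 is refused on purpose), hash the download in chunks, and compare in constant time. The demo data is constructed. This does not solve the chicken-and-egg problem the post raises: a matching checksum only shows the file matches what the same site publishes, so it catches corrupt or swapped files, not a compromised site.

```python
"""Verify a download against the checksum file published next to it."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# 40 hex = SHA-1, 64 = SHA-256, 128 = SHA-512; MD5 (32) is deliberately absent.
HEX_RE = re.compile(r"\b([0-9a-fA-F]{40}|[0-9a-fA-F]{64}|[0-9a-fA-F]{128})\b")
ALGO_BY_SUFFIX = {".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}

def expected_digest(checksum_text: str, filename: str) -> str:
    """Return the hex digest the checksum file claims for `filename`."""
    for line in checksum_text.splitlines():
        # Either the line names our file, or it is a bare-hash file (one token).
        if filename in line or len(line.split()) == 1:
            m = HEX_RE.search(line)
            if m:
                return m.group(1).lower()
    raise ValueError(f"no digest for {filename} in checksum file")

def file_digest(path: Path, algo: str) -> str:
    """Hash in 1 MiB chunks so a large archive need not fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(archive: Path, checksum_file: Path) -> bool:
    """True only if the archive hashes to what the checksum file says."""
    algo = ALGO_BY_SUFFIX[checksum_file.suffix]   # KeyError for .md5 on purpose
    want = expected_digest(checksum_file.read_text(), archive.name)
    return hmac.compare_digest(want, file_digest(archive, algo))

def demo() -> tuple:
    """Constructed data: a stand-in archive, its .sha512 file, then a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d) / "apache-ant-1.8.1-bin.zip"
        archive.write_bytes(b"constructed stand-in for the real zip")
        sums = archive.with_name(archive.name + ".sha512")
        sums.write_text(f"{file_digest(archive, 'sha512')} *{archive.name}\n")
        intact = verify_download(archive, sums)
        archive.write_bytes(b"constructed stand-in for the real zip!")  # one byte added
        return intact, verify_download(archive, sums)
```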