Wikka Security
Note: The examples on this page were created using the 1.1.6.3 release. Substitute whatever version you are currently working with, and be aware that the actual checksums and signatures reproduced here may not match the release you're working with.
Authentication of Wikka distributions
Why?
History is rife with examples of F/OSS software distributions being hacked and re-released, often from the same "authoritative" website. Digital signatures and checksums offer integrity checking by verifying that the contents of a distribution or tarball are what the original developers intended to release. Digital signatures add authentication by providing some information about which parties are associated with a specific distribution or tarball. They can also be used to authenticate the checksums themselves, adding an extra level of security (a checksum file can be updated with the "real" checksum of a hacked version, so checksums alone offer only limited integrity checking).
Checksums
Checksums can only test for integrity. The idea behind checksums is that any variation in the file being checksummed (down to a single byte) will produce a distinctly different checksum, so that hacked or defective versions of a file will produce checksums that no longer match the checksum as originally generated. While checksums do not determine authenticity (i.e., who created the file), verifying checksums is better than doing nothing at all.
We provide two checksums for each Wikka release: an MD5 ([md5]) and an SHA1 ([sha1]) checksum. (SHA1 checksums are considered more secure than MD5 checksums; the latter will eventually be phased out.)
Verifying checksums
Binary and source versions of both md5sum and sha1sum are usually shipped with most Unix installations as part of the GNU textutils package. (OS X users will probably need to install the textutils package manually using Fink or DarwinPorts to get md5sum and/or sha1sum.)
Binary and source versions of the md5sum program for Windows/Unix/OS X can be found here.
Binary and source versions of the sha1sum program for Windows can be found here.
Verifying checksums using md5sum and/or sha1sum is trivial. First, make sure the checksum file(s) and the release file are in the same directory. Then use one or both of the following commands to verify the checksums:
$ md5sum -c Wikka-1.1.6.3.tar.gz.md5
Wikka-1.1.6.3.tar.gz: OK
Note: some versions of md5sum do not display any message if the checksum is correct.
$ sha1sum -c Wikka-1.1.6.3.tar.gz.sha1
Wikka-1.1.6.3.tar.gz: OK
Both of these results indicate a reasonable likelihood that the release file you downloaded hasn't been tampered with. However, keep in mind that you have no way of determining who generated this checksum or release file (for that, you would have to establish authenticity as well). Again, you will need to decide where your "comfort level" lies with regard to verifying the WikkaWiki release files (or any other files you might download from the Internet).
Digital signatures
Digital signatures can be used to test for both authenticity and integrity. Each Wikka release is signed by a WikkaWiki Release Verification Key. For each Wikka release we post, clicking on the [sig] link will download an ASCII signature file that can be used to verify both the authenticity and integrity of the downloaded file. (Some users may find it necessary to right-click and/or CTRL-click the link to ensure the signature is downloaded to the computer rather than displayed in the browser as a text file.)
Verifying signatures using GnuPG
Most Unix/Linux and Mac OS X distributions ship with GnuPG installed. From the command line, typing gpg -h will quickly tell you whether or not GnuPG is installed on your machine. If not, click on the link above to download it (OS X users can alternatively use Fink to install the application).
Windows users can obtain GPG command-line binaries here. All of the commands in this section should also work on the Windows client.
Windows users might also be interested in GPG4Win, a set of integrated GPG utilities (both command-line and GUI-based).
The following examples assume you have a working GnuPG installation, and have downloaded a Wikka distribution as well as the associated signature file. We will use Wikka-1.1.6.3.tar.gz and Wikka-1.1.6.3.tar.gz.asc (both located in the same directory) for this example.
The first step is to verify the signature against the release file:
$ gpg --verify Wikka-1.1.6.3.tar.gz.asc
gpg: Signature made Sun 01 Apr 2007 04:42:19 PM CDT using DSA key ID 952F79C5
gpg: Can't check signature: public key not found
We don't have the WikkaWiki Release Verification Key (key ID 952F79C5) in our "keyring" and will need to import it. You can either use a keyserver to do this:
$ gpg --keyserver pgp.mit.edu --recv-keys 952F79C5
gpg: key 952F79C5: public key "WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
or download the signing key from our server and import it directly into your "keyring":
$ gpg --import wikkawiki_release_key.pub
gpg: key 952F79C5: public key "WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
At this point, you really don't have any way of checking the authenticity of this key (after all, anyone could have created a signing key with this name), but we'll address this in a moment. Re-verify the signature against the release file:
$ gpg --verify Wikka-1.1.6.3.tar.gz.asc
gpg: Signature made Sun 01 Apr 2007 04:42:19 PM CDT using DSA key ID 952F79C5
gpg: Good signature from "WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <[email protected]>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB84 9552 7671 E97C 9585 2DF4 3529 DC1B 952F 79C5
This tells you the signature is good (meaning the signature was produced by the key you just imported, and there is a strong likelihood the file has not been tampered with in any way), but you still don't know whose key this is. The next step is to authenticate the public key to a degree that leaves you personally comfortable that this key does, in fact, belong to the WikkaWiki development team. To do this, you generate the key's fingerprint:
$ gpg --fingerprint 952F79C5
pub   1024D/952F79C5 2007-04-01 WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <[email protected]>
      Key fingerprint = EB84 9552 7671 E97C 9585 2DF4 3529 DC1B 952F 79C5
A cursory attempt at verifying the authenticity of this key might be to compare the fingerprint with a publicly posted fingerprint (for instance, on a WikkaWiki developer's wiki page or home page). A higher degree of verification would be achieved by actually meeting the key's owner face to face, complete with an exchange of IDs, to positively verify that the owner of this key is who you expect them to be and that they can confirm the fingerprint as authentic.
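The checksum and signature steps above, combined into one script that fails closed unless the signing key's fingerprint matches the one you obtained out of band (an added example, not a script from the Wikka project). It assumes md5sum, sha1sum and gpg are on PATH and that the .md5, .sha1 and .asc files sit next to the tarball; the fingerprint passed on the command line is the one printed on this page.

```shell
#!/bin/sh
# Added example, not part of the Wikka project. Verifies a release tarball as
# this page describes, but accepts the GnuPG result only when the signing key's
# fingerprint equals one obtained out of band (a developer's wiki page, a
# face-to-face exchange). Assumes md5sum, sha1sum and gpg are on PATH.

# Compare two fingerprints, ignoring spacing and case. Empty input never matches.
same_fingerprint() {
    a=$(printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' \n' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Pull the signing key's fingerprint out of gpg's machine-readable status lines
# (--status-fd). VALIDSIG is emitted only for a cryptographically valid
# signature; on its own it still says nothing about whose key this is.
fingerprint_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Checksum step from the page: both the .md5 and the .sha1 file must say OK.
# Output is discarded because some md5sum builds print nothing on success;
# the exit status is what matters.
verify_checksums() {
    md5sum -c "$1.md5" >/dev/null 2>&1 && sha1sum -c "$1.sha1" >/dev/null 2>&1
}

# Signature step: run gpg --verify, then pin the key to the expected fingerprint.
# If gpg fails there is no VALIDSIG line and same_fingerprint rejects "".
verify_signature() {
    fpr=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | fingerprint_from_status)
    same_fingerprint "$fpr" "$2"
}

# Full check: integrity via checksums, then authenticity via the pinned key.
verify_release() {
    verify_checksums "$1" && verify_signature "$1" "$2"
}

# Usage: sh verify_wikka.sh Wikka-1.1.6.3.tar.gz "EB84 9552 7671 E97C 9585 2DF4 3529 DC1B 952F 79C5"
if [ $# -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "$1: checksums OK, signature OK, key fingerprint matches"
    else
        echo "$1: VERIFICATION FAILED" >&2
        exit 1
    fi
fi
```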
It should be obvious that there is a continuum of verification that will satisfy an individual's "comfort level" with regard to authenticity. It's highly unlikely WikkaWiki's developers would have the time to meet each WikkaWiki end user individually to verify digital fingerprints. Instead, one can achieve a fairly high level of authenticity by taking advantage of the "web of trust" that results from a key being digitally signed by one or more individuals. For instance, it might be acceptable to you to verify the published fingerprints of three WikkaWiki developers who signed this key, realizing that a hacker would have to go to great lengths (and be highly motivated by something more than juvenile impulses) to break into every WikkaWiki developer's server or wiki page and change the fingerprints to match a forged signing key.
Determining who else has signed a key is easy:
$ gpg --list-sigs 952F79C5
pub   1024D/952F79C5 2007-04-01 WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <[email protected]>
sig 3        952F79C5 2007-04-01  WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <[email protected]>
sig 3        60AFDF6F 2007-04-01  Brian Koontz (Personal key) <[email protected]>
This indicates that the key is not only "self-signed" but has also been signed by an additional person (me, in this case). Using the steps outlined above, you can then determine whether my signature is authentic (to some degree), perhaps by looking up my digital fingerprint on my wiki page. Other developers may also have signed the key; by verifying multiple signatures, you can increase your "comfort level" as to the authenticity of the signing key.
(If this discussion has piqued your interest in PKI and digital signatures, the GnuPG site is a great place to start your research.)