Validating a PGP key without personal contact

Only the paranoid survive. (Variously attributed to Andy Grove and Bill Gates.)

An increasing amount of Free Software is signed with PGP (OpenPGP, GnuPG) keys, and some software installation tools (notably ASDF-Install) will automatically verify such signatures upon installation.

For such a scheme to provide any semblance of security, it is important that you confirm that the key used for signing is valid, i.e. belongs to the person it claims it belongs to. For example, in order to safely install Cl-Yacc using ASDF-Install, you will need to confirm that the key used for signing cl-yacc-0.2.tar.gz does indeed belong to me.

The “proper” way of validating a PGP key consists in establishing an uninterrupted “chain of trust” between you and the key owner. In situations where you do not personally know the key owner, however, this can be difficult or impossibe; this document shows how to establish a weaker relation with a signer without significantly impairing security.

I assume that you are using GnuPG, which is Free Software. I also assume that you have set up a keyserver to use with GnuPG — if you haven't, just insert the following line in ~/.gnupg/gnupg.conf:

keyserver hkp://subkeys.pgp.net

What signed software looks like

A piece of downloadable software usually comes in the form of a tarball somewhere on the web; for example, CL-Yacc 0.2 is distributed as the tarball

https://www.irif.univ-paris-diderot.fr/~jch/software/files/cl-yacc-0.2.tar.gz

Such a tarball is signed if it is accompanied with a signature file with the extension .asc or sometimes .sig. For example, Cl-Yacc 0.2 is accompanied with the signature file

http://www.pps.jussieu.fr/~jch/software/files/cl-yacc-0.2.tar.gz.asc

Basic PGP concepts

A PGP key pair is a cryptographic data structure that can be used for signing e-mails and software, and for certifying other keys. In PKI terms, a key pair can serve as both a certificate and a certifying authority.

A key pair consists of a public key, which is published as widely as possible, and a secret key, which is kept private.

When a public key is valid, our copy of GnuPG will accept signatures made with this key pair; in other words, it will use this key as a certificate. When a public key is both valid and trusted, our copy of GnuPG will consider keys signed by that key as valid; in other words, it will use this key as a certifying authority.

This summary is very much simplified; for more information about the so-called PGP web of trust in its full glory, please see The Gnu Privacy Handbook.

Create a key pair for yourself

Even if you have no intention to use PGP for anything except verifying distributed software, you will need to have a public/private key pair. The private key will be used to bootstrap GnuPG by locally signing other people's signatures — making a note to GnuPG that a given key is valid.

The process of creating a public/private key pair in GnuPG is described in The Gnu Privacy Handbook. This only needs to be done once.

Get a local copy of the signing key

You will need to know the key id of the key you want to confirm. If you are using ASDF-Install, ASDF-Install will complain about an unknown key, and tell you the ID. Otherwise, download both the tarball and the signature file, and pass the signature file to GnuPG:

gpg cl-yacc-0.2.tar.gz.asc

GnuPG will complain about an unknown key, and tell you the ID. At that point, do

gpg --recv id
to download a local copy of the key.

Confirm the key from an independent source

You now need to confirm the key from an independent source i.e. neither the signature file nor the keyserver.

Find out more about the key

Armed with the ID of the key you are interested in, check the key on on your favourite keyserver interface (choose “verbose index”). You will find all the uids (e-mail addresses) of the person who signed the key, as well as the people who have signed that key.

Confirm the key itself

The easy case is when there is a reliable source for confirming the key you are interested in itself.

If the key has a uid ending in @debian.org, you can confirm it with the Debian developers directory. Typing the developer's name in the directory's form will give you the key fingerprint, a long string of hex digits. Ask GnuPG to compute the fingerprint of the key you obtained from the keyserver,

gpg --finger 0x77FF5F3B

and carefully compare the local fingerprint to the one you obtained from the Debian directory; if they match, it is extremely unlikely that the key is invalid.

If the key doesn't have a @debian.org uid, the owner might have put a key fingerprint on his homepage (for example, my key's fingerprint is at the bottom of my software page. While less secure than a well-known server such as db.debian.org, this may be enough for you to confirm that key.

Finally, the owner may have put the key itself on his home page. In that case, download the key, and do

gpg --import < keyfile.asc

If the key is valid, gpg should say something like

gpg: key 77FF5F3B: "Juliusz Chroboczek <jch@pps.jussieu.fr>" not changed

Once you have confirmed the key's validity, you should mark it as valid; this is called locally signing the key:

gpg --edit 0x77FF5F3B
Command> lsign

Do not use the sign command, unless you fully understand the implications.

Confirm some signer of the key, and mark it as trusted

If you have no reliable independent means of confirming the key, you will need to confirm some other key that has signed the key you are interested in. Go back to the key server interface, and look at the keys that have signed our key; if any of those is easy to confirm (for example by virtue of having a @debian.org uid), locally sign that key instead.

You should now tell GnuPG that you are willing to trust signatures made by the key you have just locally signed: in the gpg --edit interface, type trust and, when prompted, choose “trust this key fully”. GnuPG will then automatically consider all keys signed by the “fully trusted” key as valid.

If everything else fails...

If everything else fails, you may ask the signer by e-mail to confirm the key's fingerprint. While e-mail is insecure, you should be okay unless an attacker manages to subvert the DNS infrastructure at just the right time.

Examples

Example 1: Validating jch@pps.jussieu.fr

In order to validate my key, you could simply import it from the keyserver:

gpg --recv 0x77FF5F3B
then compute the key's fingerprint:
gpg --finger 0x77FF5F3B
and carefully compare it against the one published on my software page. If they match, mark my key as valid:
gpg --edit 0x77FF5F3B
Command> lsign
Command> save

Since I happen to be a trustworthy person (it's written on the Web, so it must be true), you might as well mark my key as trusted:

gpg --edit 0x77FF5F3B
Command> trust
Command> save

Example 1 bis: Validating jch@pps.jussieu.fr indirectly

A safer method is to notice that my key is signed by an @debian.org key:

gpg --recv 0x800969EF
gpg --list-sig 0x77FF6F3B

Go to the Debian developers directory, request Samuel Mimram's fingerprint, and compare it carefully with the one computed locally:

gpg --finger 0x800969EF

If the fingerprints match, it should be reasonable to validate Mimram's key and mark it as trusted (thus making him into a certification authority):

gpg --edit 0x800969EF
Command> lsign
Command> trust

At this point, GPG should have automatically marked my key as valid:

gpg --edit 0x77FF6F3B
...
pub 1024D/77FF6F3B ...
trust: unknown validity: full
Command> quit

Example 2: Validating edi@weitz.de

Edi Weitz is the author of a lot of useful ASDF-Installable software. Unfortunately, his key is not signed by any easy-to-validate key.

The simple solution would be to get his key from his web site. A safer solution would be to note that his key is signed by Christophe Rhodes' key, which in turn is signed by Martin Michlmayr's key, which is in the Debian directory.

Thus, by checking Martin's key against the Debian direcotory, then marking both Martin's and Christophe's keys as trusted, we get an uninterrupted chain of trust from the Debian directory to Edi Weitz.

Check the signature and verify the owner

If you have followed the above instructions, you should be able to do

gpg cl-yacc-0.2.tar.gz.asc

and have GnuPG confirm the signature. This, however, only verifies that it is exceedingly likely that the signature was made by the person who claims he made it; it does not say anything about how trustworthy the signer himself is.

Unless you already know the signer, you should work out for yourself whether that person is trustworthy. You could for example use a web search engine to see what kind of activities that person has been involed in; if everything else fails, ask about that person on comp.lang.lisp or a suitable newsgroup.

Back to my software page.

Juliusz Chroboczek