Difference between revisions of "NCSU EDA Wiki:Kit verification"

From NCSU EDA Wiki
(Just trying to make it a little simpler and more readable....)
(Updated gpg keys)
Line 1: Line 1:
 
We have detached OpenPGP-compliant signature files available for all genuine NCSU design kits.
 
We have detached OpenPGP-compliant signature files available for all genuine NCSU design kits.
When you download a kit you should also download the corresponding .sig file which is a  
+
Generally our kits are delivered as .tar files which include a README file, a compressed
detached signature file.   You can verify the integrity of the gzipped tar file using an
+
.tar file with extension .tar.gz, and a detached signature file which can be used to verify
OpenPGP-compliant encryption/decryption tool such as gpg, which you can get at [http://www.gnupg.org gnupg.org].
+
that the compressed .tar file was signed by NCSU and has not been changed since.
 +
You can verify the integrity of the compressed tar file using an OpenPGP-compliant  
 +
encryption/decryption tool such as gpg, which you can get at [http://www.gnupg.org gnupg.org].
  
Here's an example of how to verify a design kit download using gpg:
+
Here's an example of how to verify a design kit download using gpg, once you have
 +
obtained our public key:
  
 
<pre>
 
<pre>
/tmp/downloads >/bin/ls
+
/tmp/downloads <b>:ls -l
ncsu-cdk-1.5.1.tar.gz ncsu-cdk-1.5.1.tar.gz.sig
+
total 184
/tmp/downloads >gpg --verify ncsu-cdk-1.5.1.tar.gz.sig
+
-rw------- 1 eda_help ncsu 184320 Aug 31 09:07 NCSU-FreePDK15-1.1.tar
gpg: Signature made Tue 20 Feb 2007 01:10:28 PM EST using DSA key ID 9E45E7F7
+
/tmp/downloads <b>:tar xvf NCSU-FreePDK15-1.1.tar
 +
README
 +
ncsu-FreePDK15-1.1.tar.gz
 +
ncsu-FreePDK15-1.1.tar.gz.sig
 +
/tmp/downloads <b>:gpg --verify ncsu-FreePDK15-1.1.tar.gz.sig  
 +
gpg: assuming signed data in `ncsu-FreePDK15-1.1.tar.gz'
 +
gpg: Signature made Wed 26 Aug 2015 10:03:41 AM EDT using RSA key ID 363222AC
 
gpg: Good signature from "NCSU EDA Help Desk <eda_help@ncsu.edu>"
 
gpg: Good signature from "NCSU EDA Help Desk <eda_help@ncsu.edu>"
 
</pre>
 
</pre>
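Review bot: The new lead-in says "once you have obtained our public key", but the example session still begins at "ls -l" and goes straight to "gpg --verify", so the page never shows the step the sentence depends on. A reader who has not imported the key will see gpg report that it cannot check the signature rather than the "Good signature" output shown here. Suggest adding the key import and a fingerprint check as the first commands of the session, or pointing the phrase at the paragraph that explains where the key and fingerprint come from. It would also be worth one sentence saying that shipping the .sig inside the same .tar as the data is fine, because the assurance comes from the key and not from where the signature file is stored.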
Line 17: Line 26:
  
 
<pre>
 
<pre>
gpg: Signature made Tue 20 Feb 2007 01:10:28 PM EST using DSA key ID 9E45E7F7
+
gpg: assuming signed data in `ncsu-FreePDK15-1.1.tar.gz'
gpg: please do a --check-trustdb
+
gpg: Signature made Wed 26 Aug 2015 10:03:41 AM EDT using RSA key ID 363222AC
 
gpg: Good signature from "NCSU EDA Help Desk <eda_help@ncsu.edu>"
 
gpg: Good signature from "NCSU EDA Help Desk <eda_help@ncsu.edu>"
 
gpg: WARNING: This key is not certified with a trusted signature!
 
gpg: WARNING: This key is not certified with a trusted signature!
 
gpg:          There is no indication that the signature belongs to the owner.
 
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 23A8 3A6B 5255 61BD 1A9A 0C19 0F97 C413 9E45 E7F7
+
Primary key fingerprint: 78DF 01A2 B33D 018D 3176 80A5 3140 7780 3632 22AC
 
</pre>
 
</pre>
  
Line 31: Line 40:
 
verification with a person you trust knows the correct key fingerprint.
 
verification with a person you trust knows the correct key fingerprint.
  
For the purposes of verifying our design kit, it is probably safe to assume that
+
However, you can be fairly certain that the kit you download is genuine if
if you download the key from the  
+
you download our key from the  
[http://pgp.mit.edu:11371/pks/lookup?search=0x9E45E7F7&op=index&fingerprint=on MIT Keyserver]
+
[https://pgp.mit.edu/pks/lookup?search=0x363222AC&op=vindex&fingerprint=on&exact=on MIT Keyserver]
and get the same fingerprint that you get from our website you are
+
and make sure that the key fingerprint matches the fingerprint we sent you
using the right key.
+
in your registration email and the fingerprint reported below:
 
 
Here's [http://pgp.mit.edu:11371/pks/lookup?search=0x9E45E7F7&op=index&fingerprint=on our key]:
 
 
 
 
 
 
and the associated fingerprint:
 
  
 
<pre>
 
<pre>
Primary key fingerprint: 23A8 3A6B 5255 61BD 1A9A 0C19 0F97 C413 9E45 E7F7
+
Key fingerprint = 78DF 01A2 B33D 018D 3176 80A5 3140 7780 3632 22AC
 
</pre>
 
</pre>
  
 
For more information on public key cryptography and verification  
 
For more information on public key cryptography and verification  
 
see [http://www.gnupg.org gnupg.org].
 
see [http://www.gnupg.org gnupg.org].
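Review bot: The updated keyserver link still looks the key up by its 32-bit short ID ("search=0x363222AC"), and short IDs are not unique, so the lookup can return more than one key. Suggest searching by the full fingerprint that the "Key fingerprint" line already publishes. This revision also drops the inline public key block, leaving the keyserver as the only source for the key, so the text should say plainly that the registration email is the independent channel for the fingerprint; a fingerprint read only from this page arrives over the same channel as the download. The unchanged context line "verification with a person you trust knows the correct key fingerprint" is ungrammatical and could be fixed in the same edit.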

Revision as of 08:55, 31 August 2015

We have detached OpenPGP-compliant signature files available for all genuine NCSU design kits. Generally our kits are delivered as .tar files which include a README file, a compressed .tar file with extension .tar.gz, and a detached signature file which can be used to verify that the compressed .tar file was signed by NCSU and has not been changed since. You can verify the integrity of the compressed tar file using an OpenPGP-compliant encryption/decryption tool such as gpg, which you can get at gnupg.org.

Here's an example of how to verify a design kit download using gpg, once you have obtained our public key:

<pre>
/tmp/downloads <b>:ls -l
total 184
-rw------- 1 eda_help ncsu 184320 Aug 31 09:07 NCSU-FreePDK15-1.1.tar
/tmp/downloads <b>:tar xvf NCSU-FreePDK15-1.1.tar
README
ncsu-FreePDK15-1.1.tar.gz
ncsu-FreePDK15-1.1.tar.gz.sig
/tmp/downloads <b>:gpg --verify ncsu-FreePDK15-1.1.tar.gz.sig
gpg: assuming signed data in `ncsu-FreePDK15-1.1.tar.gz'
gpg: Signature made Wed 26 Aug 2015 10:03:41 AM EDT using RSA key ID 363222AC
gpg: Good signature from "NCSU EDA Help Desk <eda_help@ncsu.edu>"
</pre>

Don't panic if you get something like this...

<pre>
gpg: assuming signed data in `ncsu-FreePDK15-1.1.tar.gz'
gpg: Signature made Wed 26 Aug 2015 10:03:41 AM EDT using RSA key ID 363222AC
gpg: Good signature from "NCSU EDA Help Desk <eda_help@ncsu.edu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 78DF 01A2 B33D 018D 3176  80A5 3140 7780 3632 22AC
</pre>

...but it is an indication that you cannot be 100% certain that the file has not been changed: the signature checks out against the key, but gpg has nothing that ties that key to us. The only way to verify with complete certainty that the file has not been changed is to check the key fingerprint through a secondary channel that cannot be spoofed. The best choice is face-to-face verification with a person you trust to know the correct key fingerprint.

However, you can be fairly certain that the kit you download is genuine if you download our key from the MIT Keyserver and make sure that the key fingerprint matches the fingerprint we sent you in your registration email and the fingerprint reported below:

<pre>
Key fingerprint = 78DF 01A2 B33D 018D 3176  80A5 3140 7780 3632 22AC
</pre>
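
The check described above, scripted (an added example, not part of the NCSU page): it reads gpg's machine-readable status output and accepts a kit only when there is one good signature and the signer's primary key fingerprint equals the one published here. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the NCSU page): accept a kit only if gpg reports one
# good signature AND the signer's primary fingerprint is the published one.
EXPECTED_FPR="78DF01A2B33D018D317680A531407780363222AC"  # from this page

# Strip whitespace and upper-case, so "78DF 01A2 ..." and "78df01a2..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Print the primary-key fingerprint (last VALIDSIG field) from --status-fd output,
# but only for exactly one good signature with no bad/expired/revoked status.
signer_fpr() {
    printf '%s\n' "$1" | awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 == "VALIDSIG" { valid++; fpr = $NF }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        END { if (good == 1 && valid == 1 && !bad) print fpr }'
}

# status_matches STATUS_TEXT EXPECTED_FPR -> exit status 0 only on a pinned match.
status_matches() {
    got=$(signer_fpr "$1")
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$2")" ]
}

# verify_kit SIGFILE DATAFILE: run gpg itself (needs gpg and the imported key).
verify_kit() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    status_matches "$status" "$EXPECTED_FPR"
}

# Constructed sample status output (not captured from a real run).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 31407780363222AC NCSU EDA Help Desk <eda_help@ncsu.edu>
[GNUPG:] VALIDSIG 78DF01A2B33D018D317680A531407780363222AC 2015-08-26 1440597821 0 4 0 1 2 00 78DF01A2B33D018D317680A531407780363222AC
[GNUPG:] TRUST_UNDEFINED'
# Same shape, but signed by a different (placeholder) key: must be rejected.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 NCSU EDA Help Desk <eda_help@ncsu.edu>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-08-26 1440597821 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED'

# Usage: verify_kit ncsu-FreePDK15-1.1.tar.gz.sig ncsu-FreePDK15-1.1.tar.gz
```

The TRUST_UNDEFINED line in the sample corresponds to the "not certified with a trusted signature" warning: the pinned fingerprint comparison is what stands in for the missing trust path, and the user ID string plays no part in the decision.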

For more information on public key cryptography and verification see gnupg.org.