NCSU EDA Wiki:Kit verification

From NCSU EDA Wiki
Jump to: navigation, search

We have detached OpenPGP-compliant signature files available for all genuine NCSU design kits. Generally our kits are delivered as .tar files which include a README file, a compressed .tar file with extension .tar.gz, and a detached signature file which can be used to verify that the compressed .tar file was signed by NCSU and has not been changed since. You can verify the integrity of the compressed tar file using an OpenPGP-compliant encryption/decryption tool such as gpg, which you can get at gnupg.org.

Here's an example of how to verify a design kit download using gpg, once you have obtained our public key:

>ls -l
total 184
-rw------- 1 eda_help ncsu 184320 Aug 31 09:07 NCSU-FreePDK15-1.1.tar
>tar xvf NCSU-FreePDK15-1.1.tar 
README
ncsu-FreePDK15-1.1.tar.gz
ncsu-FreePDK15-1.1.tar.gz.sig
>gpg --verify ncsu-FreePDK15-1.1.tar.gz.sig 
gpg: assuming signed data in `ncsu-FreePDK15-1.1.tar.gz'
gpg: Signature made Wed 26 Aug 2015 10:03:41 AM EDT using RSA key ID 363222AC
gpg: Good signature from "NCSU EDA Help Desk <eda_help@ncsu.edu>"

Don't panic if you get something like this...

gpg: assuming signed data in `ncsu-FreePDK15-1.1.tar.gz'
gpg: Signature made Wed 26 Aug 2015 10:03:41 AM EDT using RSA key ID 363222AC
gpg: Good signature from "NCSU EDA Help Desk <eda_help@ncsu.edu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 78DF 01A2 B33D 018D 3176  80A5 3140 7780 3632 22AC

...but it is an indication that you cannot be 100% certain that the file has not been changed. The only way to verify with complete certainty that the file has not been changed is to check the key fingerprint through a secondary channel that cannot be spoofed. The best choice is face-to-face verification with a person you trust knows the correct key fingerprint.

However, you can be fairly certain that the kit you download is genuine if you download our key from the MIT Keyserver and make sure that the key fingerprint matches the fingerprint we sent you in your registration email and the fingerprint reported below:

Key fingerprint = 78DF 01A2 B33D 018D 3176  80A5 3140 7780 3632 22AC

For more information on public key cryptography and verification see gnupg.org.