This is the second part of a series on basic Linux commands and techniques for system administrators. In the last part of the series we asked and answered the question What is tail?. Today we take a look on file integrity checking.
If you are a system administrator and you do not leave the whole administration to the powerful package management system of your distribution of choice, you will most likely compile at least some software yourself. In that case you need to download one or more files from the internet. However, this is a potential security issue, as files could have been compromised by a third party – either directly on a mirroring server or on the way from the download server to your machine.
One-Way Encryption To The Resuce
To verify, that the file has not been touched by a third party, you can compare the MD5 sum of the downloaded file with a sum provided by the distributor of the file. MD5 is a cryptographic hash function, basically a one-way encryption. You take the data file as input and calculate the MD5 sum. Because its one-way, you can not regenerate the input (data file) from the output (MD5 sum). However, if you supply the same input (data file), you will always get the same output (MD5 sum). If a file had been compromised, the data file would have changed and you would get a wrong MD5 sum, because the input changed. If the MD5 sum you got from the distributor of the file and the MD5 sum you get on your local machine match, it means that you can use the file without any doubt.
On to a practical example. We’ll choose the popular mail server Exim. In the case of Exim, the MD5 sum of the data files is distributed with the announcement of each new release. In other cases, you might be able to download files that basically use the syntax filename.tar.gz.md5 from the main FTP server. Those files contain the MD5 sum of the respective file.
To get the MD5 sum download the file and use md5sum to calculate the MD5 sum of the local file.
wget ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/exim-4.54.tar.gzmd5sum exim-4.54.tar.gz07632e59a1ba0e9c409d0c2ea5f58816 exim-4.54.tar.gz
Compare the MD5 sum you get with the MD5 sum provided in the original release annoucement. If it’s equal, the file has not been compromised and can be used safely.
However, there is a problem with the MD5 approach. This method of verifying file integrity can only be used, if you know that the MD5 sum you check against has not been altered itsself and is 100% correct. If the server of the distributor had been compromised and the files had been changed, the compromiser might have changed the MD5 hashes provided on the server as well.
Even More Security With A Digital Signature
A more secure method of verifying file integrity is to use public-key cryptography. The Exim developers used their cryptographic private keys to sign the distributed files digitally. You can use a tool like GnuPG to verify that digital signature.
First download the signature file (normally filename.tar.gz.sig or filename.tar.gz.asc) from the FTP server and use gpg to verify the signature. If gpg is not already installed, use apt-get install gnupg on Debian systems.
wget ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/exim-4.54.tar.gz.siggpg exim-4.54.tar.gz.sig
When you verify a file of your favourite software for the first time, you will get an error message from gpg, because it does not have the key the deleveoper used to sign the file.
gpg: Signature made Tue Oct 4 10:55:47 2005 CEST using RSA key ID FB0F43D8gpg: Can't check signature: public key not found
To verify the integrity of the file, you need to import the key from a public key server. You can find the key ID you need to import in the message you got earlier.
gpg --keyserver random.sks.keyserver.penguin.de --recv-key FB0F43D8gpg: requesting key FB0F43D8 from hkp server random.sks.keyserver.penguin.degpg: key FB0F43D8: public key "Philip Hazel <ph10 @cam.ac.uk>" importedgpg: no ultimately trusted keys foundgpg: Total number processed: 1gpg: imported: 1 (RSA: 1)
If everything goes along well, gpg will tell you that it imported the key successfully. You can now make a second attempt at verifying the file.
gpg exim-4.54.tar.gz.siggpg: Signature made Tue Oct 4 10:55:47 2005 CEST using RSA key ID FB0F43D8gpg: Good signature from "Philip Hazel <ph10 @cam.ac.uk>"gpg: aka "Philip Hazel <ph10 @cus.cam.ac.uk>"Primary key fingerprint: 45F6 8D54 BBE2 3FB3 039B 46E5 9766 E084 FB0F 43D8
Congratulations. If you get the message above, the file you downloaded is genuine and the software can be compiled on your machine without any security concerns.
Shameless plug: If this post was useful to you, please consider buying yourself something from one of my Amazon stores: US store, UK store, FR store, DE store, CA store. If you're not into Amazon, why not donate something to GNOME, Mozilla or Wikipedia? Thank you!
