Reputation: 115
I am trying to verify the signature of a file on Windows 10, and I believe I might have run into a chicken-and-egg problem. I am looking forward to some pros' advice.
I was trying to verify the signature of the Maven binary (https://maven.apache.org/download.cgi), so I found this documentation: https://infra.apache.org/release-signing#verifying-signature. However, I am using Windows 10, which does not come with gpg built in: 'gpg' is not recognized as an internal or external command.
So I need to download GnuPG so that I can use it to verify the signature of my Maven binary.
However, to install GnuPG (https://www.gnupg.org/download/index.html) I should also verify the .sig file from GnuPG.
Does anyone know how I can verify the GnuPG file using any Windows 10 built-in command-line tool? Or what the most advisable strategy is?
Thank you a lot
Regards
Upvotes: 1
Views: 1097
Reputation: 22926
Personally I think you have to draw the line somewhere.
For me, I would either compile GPG from source (where, if you wish, you or others can audit the code) or use the published SHA-1 hashes (not sure why they still use SHA-1):
d928d4bd0808ffb8fe20d1161501401d5d389458 gnupg-2.2.27.tar.bz2
9f2ff2ce36b6537f895ab3306527f105ff95df8d gnupg-w32-2.2.27_20210111.exe
5e620d71fc24d287a7ac2460b1d819074bb8b9bb libgpg-error-1.42.tar.bz2
6b18f453fee677078586279d96fb88e5df7b3f35 libgcrypt-1.9.3.tar.bz2
740ac2551b33110e879aff100c6a6749284daf97 libksba-1.5.1.tar.bz2
ec4f67c0117ccd17007c748a392ded96dc1b1ae9 libassuan-2.5.5.tar.bz2
3bbd98e5cfff7ca7514ae600599f0e1c1f351566 ntbtls-0.2.0.tar.bz2
f9d63e9747b027e4e404fe3c20c73c73719e1731 npth-1.6.tar.bz2
b8b88cab4fd844e3616d55aeba8f084f2b98fb0f pinentry-1.1.1.tar.bz2
5ae07a303fcf9cec490dabdfbc6e0f3b8f6dd5a0 gpgme-1.15.1.tar.bz2
3f8a0ba9c7821049d51b982141a2330a246beb55 scute-1.7.0.tar.bz2
61475989acd12de8b7daacd906200e8b4f519c5a gpa-0.10.0.tar.bz2
e708d4aa5ce852f4de3f4b58f4e4f221f5e5c690 dirmngr-1.1.1.tar.bz2
a7d5021a6a39dd67942e00a1239e37063edb00f0 gnupg-2.0.31.tar.bz2
13747486ed5ff707f796f34f50f4c3085c3a6875 gnupg-1.4.23.tar.bz2
d4c9962179d36a140be72c34f34e557b56c975b5 gnupg-w32cli-1.4.23.exe
Then, from there on in, you can retrospectively verify the signature.
You're right that, to a degree, it becomes a chicken-and-egg problem, which is a recurring theme in cryptographic engineering; again, you have to draw the line somewhere.
I mean, are you going to be able to verify that the p and q primes used by GPG's private key (the one that's signing the binaries) have been validated using a correct implementation of the Miller-Rabin primality test?
Or, should it be an elliptic-curve-based key, that the entropy used to generate the private scalar was high? ...
No! So don't worry too much; you're already an order of magnitude beyond the average user's OpSec.
Upvotes: 1
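The procedure the answer describes, as an added example that is not part of the original question or answer and not GnuPG's or Apache's own tooling: on a stock Windows 10 box, hash the downloaded GnuPG installer with the built-in Get-FileHash cmdlet, compare it against the SHA-1 list quoted above (copied from gnupg.org, which serves the list over HTTPS, so TLS to gnupg.org is the trust anchor you are drawing the line at), and only then install and move on to OpenPGP signature checks. The download path, the Maven file names and the KEYS/signature-key URLs are assumptions for illustration; adjust them to the release you actually fetched.

```powershell
# Added example: bootstrap trust in the GnuPG Windows installer from the
# published SHA-1 list, using only tools that ship with Windows 10.
$ErrorActionPreference = 'Stop'

# Hash list as quoted in the answer ("<sha1> <filename>" per line). In
# practice paste the current list from https://www.gnupg.org/download/ over HTTPS.
$publishedList = @'
9f2ff2ce36b6537f895ab3306527f105ff95df8d gnupg-w32-2.2.27_20210111.exe
d928d4bd0808ffb8fe20d1161501401d5d389458 gnupg-2.2.27.tar.bz2
d4c9962179d36a140be72c34f34e557b56c975b5 gnupg-w32cli-1.4.23.exe
'@

# Parse the list into a filename -> expected-hash table; ignore malformed lines.
$expected = @{}
foreach ($line in ($publishedList -split "`r?`n")) {
    if ($line -match '^\s*([0-9a-fA-F]{40})\s+(\S+)\s*$') {
        $expected[$Matches[2]] = $Matches[1].ToLowerInvariant()
    }
}

function Test-PublishedSha1 {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $name = Split-Path -Leaf $Path
    if (-not $Expected.ContainsKey($name)) {
        throw "No published hash for '$name'; check the file name against the list on gnupg.org."
    }
    # Get-FileHash is built into Windows 10 PowerShell. From cmd.exe the
    # equivalent is:  certutil -hashfile <file> SHA1
    $actual = (Get-FileHash -Path $Path -Algorithm SHA1).Hash.ToLowerInvariant()
    if ($actual -ne $Expected[$name]) {
        throw "SHA-1 MISMATCH for $name`n  expected $($Expected[$name])`n  actual   $actual`nDo not run this installer."
    }
    Write-Output "OK: $name matches the published SHA-1 ($actual)"
}

# Assumed download location of the installer.
$installer = Join-Path $env:USERPROFILE 'Downloads\gnupg-w32-2.2.27_20210111.exe'
Test-PublishedSha1 -Path $installer -Expected $expected

# From here on, signatures instead of hashes. After running the installer
# (it normally puts gpg.exe on PATH), you can:
#
# 1. Retrospectively verify the installer's own .sig, after importing the
#    GnuPG release-signing keys linked from https://www.gnupg.org/signature_key.html:
#      gpg --verify gnupg-w32-2.2.27_20210111.exe.sig gnupg-w32-2.2.27_20210111.exe
#
# 2. Verify Maven, after importing the KEYS file linked from the Maven download page
#    (file names below are placeholders for the release you downloaded):
#      gpg --import KEYS
#      gpg --verify apache-maven-3.x.y-bin.zip.asc apache-maven-3.x.y-bin.zip
#    Then compare the "Primary key fingerprint" gpg prints against the
#    fingerprint in KEYS: "Good signature" alone only means the file matches
#    *some* key in your keyring, not necessarily the release manager's.
```

Keep the comparison case-insensitive (Get-FileHash returns uppercase hex, published lists are lowercase) and fetch the hash list yourself from gnupg.org over HTTPS rather than from the mirror that served the binary; a mirror that can tamper with the .exe can just as easily serve a matching hash next to it.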