Evil 32: Real World Example

Verifying Signatures for Puppet Labs Packages

The example below walks through the steps given in Puppet's docs for verifying the signatures on Puppet packages, first against Puppet Labs' own download server and then against a malicious mirror. In neither run is the network compromised: the keyserver (pgp.mit.edu) is the real one and the downloads are exactly what the servers hand out. The attacker only needs to host a mirror with a re-signed tarball and to have a key on the public keyserver whose 32-bit key ID collides with Puppet's.

Note: Puppet's docs have been updated to use their full GPG fingerprint since this example was written.

Expected

  • Download the tarball and its signature from Puppet Labs, who have not tampered with the files
$ wget https://downloads.puppetlabs.com/puppet/puppet-3.6.2.tar.gz
2014-07-12 (6.57 MB/s) - ‘puppet-3.6.2.tar.gz’ saved
$ wget https://downloads.puppetlabs.com/puppet/puppet-3.6.2.tar.gz.asc
2014-07-12 (29.4 MB/s) - ‘puppet-3.6.2.tar.gz.asc’ saved
  • Receive the key by its 32-bit key ID, as instructed in Puppet's documentation
$ gpg --keyserver pgp.mit.edu --recv-key 4BD6EC30
gpg: requesting key 4BD6EC30 from hkp server pgp.mit.edu
gpg: key 4BD6EC30: public key "Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
  • List the key and check that the expected fingerprint is present
$ gpg --list-key --fingerprint 4bd6ec30
pub   4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
  Key fingerprint = 47B3 20EB 4C7C 375A A9DA  E1A0 1054 B7A2 4BD6 EC30
uid   Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
  • Verify that the signature is good
$ gpg --verify puppet-3.6.2.tar.gz.asc puppet-3.6.2.tar.gz
gpg: Signature made Tue 10 Jun 2014 12:44:55 PM EDT using RSA key ID 4BD6EC30
gpg: Good signature from "Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 47B3 20EB 4C7C 375A A9DA  E1A0 1054 B7A2 4BD6 EC30

Compromised

  • Download the tarball and its signature from the evil mirror, which has tampered with the files
$ wget http://mirror.evil32.com/puppet/puppet-3.6.2.tar.gz
2014-07-12 (417 MB/s) - ‘puppet-3.6.2.tar.gz’ saved
$ wget http://mirror.evil32.com/puppet/puppet-3.6.2.tar.gz.asc
2014-07-12 (73.4 MB/s) - ‘puppet-3.6.2.tar.gz.asc’ saved
  • Receive the key by its 32-bit key ID, as instructed in Puppet's documentation. The same keyserver now returns two keys with that ID, and gpg imports both without complaint
$ gpg --keyserver pgp.mit.edu --recv-key 4BD6EC30
gpg: requesting key 4BD6EC30 from hkp server pgp.mit.edu
gpg: key 4BD6EC30: public key "Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>" imported
gpg: key 4BD6EC30: public key "Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg:               imported: 2  (RSA: 2)
  • List the keys and check that the fingerprint is present. Both keys carry the short ID 4BD6EC30, the same creation and expiry dates and the same user ID; only the full fingerprints differ
$ gpg --list-key --fingerprint 4bd6ec30
pub   4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
  Key fingerprint = 47B3 20EB 4C7C 375A A9DA  E1A0 1054 B7A2 4BD6 EC30
uid   Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>

pub   4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
  Key fingerprint = 22A6 C997 D0F3 2A3D 984B  BE13 0F65 842D 4BD6 EC30
uid   Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
  • Verify that the signature is good. gpg prints "Good signature" from the same user ID as before; the only visible difference is the primary key fingerprint on the last line
$ gpg --verify puppet-3.6.2.tar.gz.asc puppet-3.6.2.tar.gz
gpg: Signature made Sat 12 Jul 2014 11:44:22 PM EDT using RSA key ID 4BD6EC30
gpg: Good signature from "Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22A6 C997 D0F3 2A3D 984B  BE13 0F65 842D 4BD6 EC30

A check that stops at the 32-bit key ID, the user ID or the "Good signature" line accepts the mirror's re-signed tarball. The full 160-bit fingerprint is the only value in this output that tells the two keys apart, which is why a verification procedure has to pin and compare the full fingerprint rather than a key ID.
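The following is an added example, not code from the Evil 32 page or from Puppet's docs. It shows the check the walk-through above is missing: pin the full fingerprint of the release key and compare it against the VALIDSIG line of gpg's machine-readable `--status-fd` output, instead of trusting "Good signature" from whatever key `--recv-key 4BD6EC30` happened to fetch. The two fingerprints are the ones printed on the page; the status lines, timestamps and algorithm numbers are constructed to mirror the two verify runs, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Evil 32 page or Puppet's docs): verify a detached
# signature by pinning the FULL 160-bit fingerprint of the release key.

# Full fingerprint of the genuine Puppet Labs release key, as printed on the page.
PUPPET_FPR="47B3 20EB 4C7C 375A A9DA  E1A0 1054 B7A2 4BD6 EC30"
# Full fingerprint of the colliding key the keyserver served alongside it.
EVIL_FPR="22A6 C997 D0F3 2A3D 984B  BE13 0F65 842D 4BD6 EC30"

# Strip spaces and upper-case a fingerprint so it can be compared byte for byte.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# The 32-bit "short" key ID is just the last 8 hex digits of the fingerprint,
# which is all that `gpg --recv-key 4BD6EC30` matched on.
short_keyid() {
    f=$(norm_fpr "$1")
    printf '%s' "${f#"${f%????????}"}"
}

# The 64-bit "long" key ID is the last 16 hex digits. It separates these two
# keys, but only the full fingerprint is a safe identifier to pin.
long_keyid() {
    f=$(norm_fpr "$1")
    printf '%s' "${f#"${f%????????????????}"}"
}

# Read `gpg --status-fd 1 --verify` output on stdin and exit 0 only if a
# VALIDSIG line carries the pinned fingerprint. GOODSIG lines are ignored on
# purpose: they identify the key by long ID and user ID, both attacker-chosen.
# VALIDSIG fields (gpg's doc/DETAILS):
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expire-ts> <ver> <reserved>
#                     <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
check_validsig() {
    pinned=$(norm_fpr "$1")
    verdict=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                rest=${line#"[GNUPG:] VALIDSIG "}
                sigfpr=$(norm_fpr "${rest%% *}")   # key that made the signature
                primary=$(norm_fpr "${rest##* }")  # its primary key (last field)
                if [ "$sigfpr" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    verdict=0
                else
                    echo "REJECT: signed by $sigfpr, pinned $pinned" >&2
                fi
                ;;
        esac
    done
    return $verdict
}

# Run gpg itself: status lines go to stdout (fd 1), human-readable text to stderr.
verify_pinned() {   # usage: verify_pinned <file.asc> <file> <pinned-fingerprint>
    gpg --status-fd 1 --verify "$1" "$2" | check_validsig "$3"
}

# Constructed status output standing in for the two verify runs on the page.
GOOD_STATUS='[GNUPG:] GOODSIG 1054B7A24BD6EC30 Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
[GNUPG:] VALIDSIG 47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30 2014-06-10 1402418695 0 4 0 1 2 00 47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30'
EVIL_STATUS='[GNUPG:] GOODSIG 0F65842D4BD6EC30 Puppet Labs Release Key (Puppet Labs Release Key) <info@puppetlabs.com>
[GNUPG:] VALIDSIG 22A6C997D0F32A3D984BBE130F65842D4BD6EC30 2014-07-13 1405223062 0 4 0 1 2 00 22A6C997D0F32A3D984BBE130F65842D4BD6EC30'

# Demonstration: both keys share the short ID, neither the long ID nor the fingerprint.
echo "short IDs: $(short_keyid "$PUPPET_FPR") vs $(short_keyid "$EVIL_FPR")"
echo "long  IDs: $(long_keyid "$PUPPET_FPR") vs $(long_keyid "$EVIL_FPR")"
printf '%s\n' "$GOOD_STATUS" | check_validsig "$PUPPET_FPR" && echo "genuine tarball: accepted"
printf '%s\n' "$EVIL_STATUS" | check_validsig "$PUPPET_FPR" || echo "evil mirror tarball: rejected"
```

In a real run you would call `verify_pinned puppet-3.6.2.tar.gz.asc puppet-3.6.2.tar.gz "$PUPPET_FPR"`; the pinned value must come from somewhere other than the keyserver, such as the project's own HTTPS documentation, since the keyserver will happily return every key that matches the ID you ask for.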