Tag Archives: signature

How to Verify OpenSSH Source

Download the source, signature, and old key from http://www.openssh.com/portable.html. I picked 3 different mirrors:

Download the current key from the MIT PGP Public Key Server at 0xD3E5F56B6D920D30.

Verify the current key is signed with the old key:

Kenjis-MacBook-Air:ssh kenji$ gpg --import DJM-GPG-KEY.asc

gpg: key 86FF9C48: "Damien Miller (Personal Key) <[email-removed]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Kenjis-MacBook-Air:ssh kenji$ gpg --import 0xD3E5F56B6D920D30.asc

gpg: key 6D920D30: public key "Damien Miller <[email-removed]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

Kenjis-MacBook-Air:ssh kenji$ gpg --check-sigs 0xD3E5F56B6D920D30

pub   3200R/6D920D30 2013-12-10 [expires: 2021-01-01]
uid                  Damien Miller <[email-removed]>
sig!         86FF9C48 2013-12-10  Damien Miller (Personal Key) <[email-removed]>
sig!3        6D920D30 2013-12-10  Damien Miller <[email-removed]>
sub   3200R/672A1105 2013-12-10 [expires: 2021-01-01]
sig!         6D920D30 2013-12-10  Damien Miller <[email-removed]>

Verify the signature of the openssh source.

Kenjis-MacBook-Air:ssh kenji$ gpg --verify openssh-7.1p2.tar.gz.asc openssh-7.1p2.tar.gz

gpg: Signature made Wed Jan 13 17:13:46 2016 PST using RSA key ID 6D920D30
gpg: Good signature from "Damien Miller <[email-removed]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 59C2 118E D206 D927 E667  EBE3 D3E5 F56B 6D92 0D30

Full Process

Download the OpenSSH source, signature, and old key as described above.

Use pgpdump to determine the full Key ID used to sign the tarball.

Kenjis-MacBook-Air:pgpdump-0.29 kenji$ ./pgpdump openssh-7.1p2.tar.gz.asc 
Old: Signature Packet(tag 2)(428 bytes)
	Ver 4 - new
	Sig type - Signature of a binary document(0x00).
	Pub alg - RSA Encrypt or Sign(pub 1)
	Hash alg - SHA512(hash 10)
	Hashed Sub: signature creation time(sub 2)(4 bytes)
		Time - Wed Jan 13 17:13:46 PST 2016
	Sub: issuer key ID(sub 16)(8 bytes)
		Key ID - 0xD3E5F56B6D920D30
	Hash left 2 bytes - d2 4c 
	RSA m^d mod n(3197 bits) - ...
		-> PKCS-1

If you don’t have pgp dump, you can use gpg --verify to see the short key ID:

Kenjis-MacBook-Air:ssh kenji$ gpg --verify openssh-7.1p2.tar.gz.asc openssh-7.1p2.tar.gz
gpg: Signature made Wed Jan 13 17:13:46 2016 PST using RSA key ID 6D920D30
gpg: Can't check signature: public key not found

OR you can manually parse the signature packet as described below.

Download the signature key from the MIT PGP Public Key Server at 0xD3E5F56B6D920D30.

The OpenSSH mailing list (https://lists.mindrot.org/pipermail/openssh-unix-dev/2013-December/031905.html) shows that Damien Miller is the signer of the portable source. Search for all of his keys on the MIT Key Server https://pgp.mit.edu/pks/lookup?search=Damien+Miller&op=index. This shows 0xD3E5F56B6D920D30 and 0xCE8ECB0386FF9C48 (i.e. DJM-GPG-KEY.asc) belonging to Damien Miller. Even though the 0xCE8ECB0386FF9C48 is listed as revoked, I think the keys can be trusted; because DJM-GPG-KEY.asc continues to be posted on the OpenSSH mirrors, and the creation date for 0xD3E5F56B6D920D30 is consistent with the mailing list announcement.

Verify the signature on the current key and the source as described above.

PGP Signature Parsing

Extract the raw signature:

Version: GnuPG v2


Copy this into a file.

Convert the base64 to binary and then view in a hex editor:

base64 -D <file> | xxd
0000000: 8901 ac04 0001 0a00 0605 0256 96f6 4a00  ...........V..J.
0000010: 0a09 10d3 e5f5 6b6d 920d 30d2 4c0c 7d17  ......km..0.L.}.
0000020: 7cbb 53fc f910 d7a0 5df6 ba1b 4ec1 0018  |.S.....]...N...
0000030: df57 09cf 6801 7f68 e705 5fc1 133c 4134  .W..h..h.._..<A4
0000040: 2be9 39b1 3d10 208c c962 b445 20a3 1d00  +.9.=. ..b.E ...
0000050: 717f 0a16 e187 6400 0ac1 6716 dec5 7b54  q.....d...g...{T
0000060: 7d73 a551 d701 d5c7 383a a82f bee7 e4b4  }s.Q....8:./....
0000070: cb79 b718 35ed 548a bfcb 48db 7982 4f42  .y..5.T...H.y.OB
0000080: 1bb3 7769 a73f 8f34 01f6 2f37 0a59 35db  ..wi.?.4../7.Y5.
0000090: 1ebe cf43 3638 aae7 d9df 7e91 e800 cab9  ...C68....~.....
00000a0: 7a9f 5050 cdc7 ba0b 1227 a14e b482 ec08  z.PP.....'.N....
00000b0: 4833 759a 82ab f675 1049 3645 bf0a 2df0  H3u....u.I6E..-.
00000c0: a969 d343 a20e 0f90 3ffc 40cb 556d 12a9  .i.C....?.@.Um..
00000d0: 0d7f e27e e658 19a4 a224 70d3 1cc5 c519  ...~.X...$p.....
00000e0: e71c a8e1 c081 aac2 3e68 3a80 c5cd 939a  ........>h:.....
00000f0: e97b 4e70 8c21 f555 de99 3979 1aaf 996a  .{Np.!.U..9y...j
0000100: 2691 140d 5344 7b15 5d54 f54e 0494 801d  &...SD{.]T.N....
0000110: ccbb 2dcf c8e1 4798 7119 94bc 9f3e b355  ..-...G.q....>.U
0000120: fd68 e857 5f33 a2c5 4677 67a0 181f 232b  .h.W_3..Fwg...#+
0000130: ac73 7eda 4f7a 8567 7625 8fc1 2233 e761  .s~.Oz.gv%.."3.a
0000140: 3ac4 1b68 0955 ebd2 4b23 cf7c 1b83 1fbd  :..h.U..K#.|....
0000150: 34e5 45e7 c668 d7d7 8de8 d7f5 1f81 0fdc  4.E..h..........
0000160: ad1a 3439 e333 996c 072a 6118 6939 5bbb  ..49.3.l.*a.i9[.
0000170: 1051 cd2e e18b f0e1 16dc f551 95f0 8fd9  .Q.........Q....
0000180: 49d7 70e5 63eb a0d4 179a c3b4 e9e3 b67b  I.p.c..........{
0000190: 2f0f 3942 3809 a293 7bc5 167d cef8 3179  /.9B8...{..}..1y
00001a0: 05f7 79bc 303e d576 6078 9580 ac16 2f    ..y.0>.v`x..../
Packet Tag: 0x89 = Old Format Packet, Tag = 2, 2 octet packet length
Packet Length: 0x01AC = 428 bytes
Signature Version: 0x04 = Version 4
Signature Type: 0x00 = Binary Signature
Signature Algorithm: 0x01 = RSA
Hash Algorithm: 0x0A = SHA-512
Hashed Subpacket(s) Size: 0x0006 = 6 bytes
Hashed Subpacket: 0x05025696f64A
   Size: 0x05 = 5 bytes
   Type: 0x02 = Signature Creation Time
   Time: 0x5696f64a = Wed Jan 13 17:13:46 PST 2016
Unhashed subpacket(s) size: 0x000A = 10 bytes
Unhashed subpacket: 0x09 10D3 E5F5 6B6D 920D 30
   Size: 0x09 = 9 bytes
   Type: 0x10 = placeholder for backwards compatibility
   Key ID: D3E5F56B6D920D30
Left 16 bits of hash: 0xD24C
MPI Length: 0x0C7D = 3197 bits = 400 bytes