Symptom:

It is never a good idea to install software downloaded from the Internet without checking its integrity. The software could be changed during download, or the server could have been compromised and the software replaced by a malicious version.

Starting 12th August 2014, all Men & Mice Open Source installer packages are signed with GNU Privacy Guard, and their validity can be verified by checking the signatures.

The packages are signed with the key "4096R/C3AE2195" belonging to "Men & Mice Services (Men & Mice Software Signing Key) <services@menandmice.com>".
pub  4096R/C3AE2195  created: 2014-08-12  expires: 2015-01-09
usage: SC

pub   4096R/C3AE2195 2014-08-12 Men & Mice Services (Men & Mice Software Signing Key) <services@menandmice.com>
Primary key fingerprint: 36C0 3D05 AE98 9D3F 8D6B  8F56 894F 4B4C C3AE 2195

Problem:

How can the signatures on Men & Mice Open Source installer packages be verified?

Solution:

  1. Install GNU Privacy Guard from http://www.gnupg.de/, from the package repositories (on Unix/Linux), or using Homebrew (http://mxcl.github.io/homebrew/) on Mac OS X.
  2. Fetch and import the Men & Mice signing key (public part) from a keyserver, then display its fingerprint:
    $ gpg --recv-keys C3AE2195
    gpg: requesting key C3AE2195 from hkp server keys.gnupg.net
    gpg: key C3AE2195: public key "Men & Mice Services (Men & Mice Software Signing Key) <services@menandmice.com>" imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   3  signed:  42  trust: 0-, 0q, 0n, 0m, 0f, 3u
    gpg: depth: 1  valid:  42  signed: 189  trust: 27-, 0q, 0n, 9m, 6f, 0u
    gpg: depth: 2  valid:  48  signed: 110  trust: 39-, 0q, 0n, 5m, 4f, 0u
    gpg: depth: 3  valid:   2  signed:  59  trust: 2-, 0q, 0n, 0m, 0f, 0u
    gpg: next trustdb check due at 2014-08-17
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    
    $ gpg --list-keys --fingerprint C3AE2195
    pub   4096R/C3AE2195 2014-08-12 [expires: 2015-01-09]
          Key fingerprint = 36C0 3D05 AE98 9D3F 8D6B  8F56 894F 4B4C C3AE 2195
    uid                  Men & Mice Services (Men & Mice Software Signing Key) <services@menandmice.com>
    
  3. Download the software packages, including the file ending in ".asc", which contains the signature. Example:
    $ wget http://support.menandmice.com/download/bind/linux/redhat/6.x/i386/9.9.3/ISCBIND-9.9.3-LOCALi686.rpm
    --2013-06-03 10:32:33--  http://support.menandmice.com/download/bind/linux/redhat/6.x/i386/9.9.3/ISCBIND-9.9.3-LOCALi686.rpm
    Resolving support.menandmice.com (support.menandmice.com)... 2001:4bd8::5501:1, 217.151.171.22
    Connecting to support.menandmice.com (support.menandmice.com)|2001:4bd8::5501:1|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 12060740 (12M) [application/x-redhat-package-manager]
    Saving to: ‘ISCBIND-9.9.3-LOCALi686.rpm’
    
    100%[====================================================================================================>] 12,060,740   715KB/s   in 23s    
    
    2013-06-03 10:33:03 (512 KB/s) - ‘ISCBIND-9.9.3-LOCALi686.rpm’ saved [12060740/12060740]
    
    $ wget http://support.menandmice.com/download/bind/linux/redhat/6.x/i386/9.9.3/ISCBIND-9.9.3-LOCALi686.rpm.asc
    --2013-06-03 10:33:07--  http://support.menandmice.com/download/bind/linux/redhat/6.x/i386/9.9.3/ISCBIND-9.9.3-LOCALi686.rpm.asc
    Resolving support.menandmice.com (support.menandmice.com)... 2001:4bd8::5501:1, 217.151.171.22
    Connecting to support.menandmice.com (support.menandmice.com)|2001:4bd8::5501:1|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 493 [application/octet-stream]
    Saving to: ‘ISCBIND-9.9.3-LOCALi686.rpm.asc’
    
    100%[====================================================================================================>] 493         --.-K/s   in 0.001s  
    
    2013-06-03 10:33:07 (825 KB/s) - ‘ISCBIND-9.9.3-LOCALi686.rpm.asc’ saved [493/493]
    
    
  4. Verify the signature:
    $ gpg --verify ISCBIND-9.9.3-LOCALi686.rpm.asc
    gpg: Signature made Thu 30 May 2013 10:04:00 PM CEST using RSA key ID 19F9BF33
    gpg: Good signature from "Men & Mice Software Signing Key <services@menandmice.com>"
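
The steps above, scripted so that the check can only pass for the key published on this page. This is an added example, not Men & Mice code. The function names `check_status`, `verify_pkg` and `sample_status` are hypothetical. An 8-character key ID such as C3AE2195 can be shared by more than one key, and "Good signature" is printed for any key in the local keyring, so the script compares the full fingerprint reported in gpg's machine-readable status output instead.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any Men & Mice tooling.
# Full fingerprint of the signing key as published on this page (spaces removed).
EXPECTED_FPR="36C03D05AE989D3F8D6B8F56894F4B4CC3AE2195"

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line names
# the expected primary key and no line reports a bad, expired or revoked
# signature or key.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: $3 is the signing key, the last field is the primary key.
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pkg FILE
# Verifies FILE against the detached signature FILE.asc in the same directory.
verify_pkg() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed sample of gpg status output (not captured from a real run).
sample_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 894F4B4CC3AE2195 Men & Mice Services
[GNUPG:] VALIDSIG $EXPECTED_FPR 2014-08-12 1407844800 0 4 0 1 8 00 $EXPECTED_FPR
EOF
}

# Offline self-check of the parser against the constructed sample.
sample_status | check_status "$EXPECTED_FPR" &&
    echo "sample: signer matches pinned fingerprint"
```

Call `verify_pkg ISCBIND-9.9.3-LOCALi686.rpm` with the `.asc` file in the same directory and install only if it returns 0. A key that has passed its expiry date is reported by gpg as EXPKEYSIG, and the check fails.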