On Thu, Dec 16, 2010 at 6:28 PM, Binand Sethumadhavan binand@gmail.com wrote:
2010/12/16 Sagar Belure sagar.belure@gmail.com:
user@ubuntu:~$ gpg --import id_public_key.asc user@ubuntu:~$ gpg --verify ImmunityDebugger_1_80_setup.exe.sig gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6E32 9351 3A61 5274 6FBF 8273 ABCA 792D 54BF 70F2
Is this the proper way of checking the integrity of application with .sig and public key files?
You have got the process right to the extend of verifying that ImmunityDebugger_1_80_setup.exe wasn't modified since the time it was signed by id_public_key.asc, but the next question is whether you trust id_public_key.asc to be actually the key of the person/organization it claims to be. In the WoT scenario, you either know the person personally and hence will ask him whether they key really belongs to him, or alternatively, you'll get someone whom you trust to vouch for the key. If you feel that the key indeed belongs to Immunity, then you can "trust" it yourself - by setting it as a trusted key. Further, you'll sign the key yourself so that someone who trusts you can use your signature to base his decision on the same question.
Thanks for the explanation. That was very neat.
Sorry if it sounds a silly question, but this is the first time I'm dealing with .sig file instead of md5/sha1 hashes.
The .sig file is pretty much a SHA1 hash that is supposed to be tamper-proof. Without the signature, someone can possibly alter the data being hashed and the hash itself.
Binand