A tool that allows to verify GPG keys before importing them
akai-z/gpg-key-fingerprint-verifier
GnuPG Key Fingerprint Verifier

GnuPG Key Fingerprint Verifier is a shell tool that runs simple verification checks
on GPG keys to decide whether they are safe to import/add.

Besides verifying GPG keys against their fingerprints, the tool also checks whether a GPG key import file
contains any additional, possibly malicious, keys embedded alongside the expected key.
(The maximum number of public keys allowed in an import file is 1.)

This can be useful for automation (in Docker, for example),
where GPG key fingerprints cannot be verified manually.

Piping GPG keys from curl straight into commands such as apt-key can be harmful,
and the goal of this verification tool is to raise awareness of that habit.

Requirements

  • GnuPG (Legacy versions are supported.)

Installation

Download using curl:

curl -fL -O https://raw.githubusercontent.com/akai-z/gpg-key-fingerprint-verifier/master/gpg-key-fingerprint-verifier

Or by using wget:

wget https://raw.githubusercontent.com/akai-z/gpg-key-fingerprint-verifier/master/gpg-key-fingerprint-verifier

Optionally, you can verify the file's integrity before using it (recommended).
See the File Integrity Verification section for details.

Make the tool executable:

chmod +x gpg-key-fingerprint-verifier

Make the tool globally accessible:

sudo mv gpg-key-fingerprint-verifier /usr/local/bin/

File Integrity Verification

To verify the integrity of the gpg-key-fingerprint-verifier file:

Compute the SHA-256 hash value of the file using a program like sha256sum:

sha256sum gpg-key-fingerprint-verifier

Once the hash of the downloaded file has been computed,
compare it with the one included in this repository (gpg-key-fingerprint-verifier.sha2).

Usage

gpg-key-fingerprint-verifier \
  --gpg-key-import-file=<gpg-key-import-file> \
  --gpg-public-key-fingerprint=<gpg-public-key-fingerprint> \
  --gpg-subkey-fingerprint=<gpg-subkey-fingerprint> \
  [--print-gpg-key-list] \
  [-q | --quiet]

  • --gpg-key-import-file: GPG key import file path.

  • --gpg-public-key-fingerprint: The GPG public key fingerprint, 40 characters without spaces.
    (Ignored if --print-gpg-key-list is used.)

  • --gpg-subkey-fingerprint: The GPG subkey fingerprint, 40 characters without spaces.
    This should be the default subkey (record type sub) in the GPG key listing, though other subkeys can be used.
    Verifying the GPG subkey fingerprint is optional but recommended.
    (Ignored if --print-gpg-key-list is used.)

  • --print-gpg-key-list: Prints the machine-parseable GPG key listing of the provided GPG key import file. (Optional)
    More details about the format of the machine-parseable GPG key listing can be found here.

  • -q, --quiet: Suppresses the verification success message. (Optional)

Example

This example shows how the verification tool can be used with the apt-key add command:

curl -fL -o <gpg-key-import-file> <gpg-key-import-file-url> && \
gpg-key-fingerprint-verifier -q \
  --gpg-key-import-file=<gpg-key-import-file> \
  --gpg-public-key-fingerprint=<gpg-public-key-fingerprint> \
  --gpg-subkey-fingerprint=<gpg-subkey-fingerprint> && \
apt-key add <gpg-key-import-file>

The AND operators (&&) can be omitted if the shell's set builtin is used with the exit-on-error option (set -e).
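The checks described above (exactly one public key per import file, plus primary and subkey fingerprint comparison) applied to GnuPG's machine-parseable listing, as an added shell example that is not the project's own code. The gpg invocation, the function names, and the sample listing with its fingerprints are assumptions and constructed values.

```shell
#!/bin/sh
# Added example, not the project's code: the README's checks run over a
# machine-parseable (--with-colons) GnuPG listing of a key import file:
#   1. the file must contain exactly one public key ("pub" record),
#   2. the primary key fingerprint ("fpr" record after "pub") must match,
#   3. optionally, the first subkey fingerprint ("fpr" after the first "sub") must match.
# Fingerprints are 40 hex characters without spaces; letter case is ignored.

# 40 hex characters, no spaces: the format the README requires for both fingerprint options.
is_fingerprint() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# verify_listing PUB_FPR [SUB_FPR]: reads the listing on stdin; returns 0 on
# success, otherwise prints the reason and returns 1.
verify_listing() {
  awk -F: -v want_pub="$(printf '%s' "$1" | tr a-f A-F)" \
          -v want_sub="$(printf '%s' "${2:-}" | tr a-f A-F)" '
    $1 == "pub" { npub++; ctx = "pub"; next }
    $1 == "sub" { nsub++; ctx = (nsub == 1) ? "sub" : ""; next }
    $1 == "fpr" && ctx == "pub" { pubfpr = toupper($10); ctx = "" }  # field 10 holds the fingerprint
    $1 == "fpr" && ctx == "sub" { subfpr = toupper($10); ctx = "" }
    END {
      if (npub != 1) { printf "expected exactly 1 public key, found %d\n", npub; exit 1 }
      if (pubfpr != want_pub) { printf "public key fingerprint mismatch: %s\n", pubfpr; exit 1 }
      if (want_sub != "" && subfpr != want_sub) { printf "subkey fingerprint mismatch: %s\n", subfpr; exit 1 }
    }'
}

# List an import file without importing it. Assumption: GnuPG 2.1+ for
# --import-options show-only; on legacy GnuPG use "gpg --with-colons --with-fingerprint FILE".
gpg_listing() {
  gpg --batch --with-colons --with-fingerprint --import-options show-only --import "$1"
}

# verify_import_file FILE PUB_FPR [SUB_FPR]
verify_import_file() {
  is_fingerprint "$2" || { echo "bad public key fingerprint: $2"; return 1; }
  [ -z "${3:-}" ] || is_fingerprint "$3" || { echo "bad subkey fingerprint: $3"; return 1; }
  gpg_listing "$1" | verify_listing "$2" "${3:-}"
}

# Constructed sample listing (made-up key ids and fingerprints) in the colon format gpg prints.
SAMPLE_LISTING='pub:-:4096:1:00000000000000A1:1500000000:::-:::scESC::::::23::0:
fpr:::::::::C0FFEE00000000000000000000000000000000A1:
uid:-::::1500000000::0000000000000000000000000000000000000000::Constructed Example <example@example.invalid>::::::::::0:
sub:-:4096:1:0000000000000002:1500000000::::::e::::::23:
fpr:::::::::ABCDEF0000000000000000000000000000000002:'

if [ "$#" -ge 2 ]; then verify_import_file "$@"; fi
```

Run as `sh verify.sh <gpg-key-import-file> <gpg-public-key-fingerprint> [<gpg-subkey-fingerprint>]`; a non-zero exit stops a `&&` chain or a `set -e` script before the key reaches apt-key.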

Authors

License

GNU General Public License version 2