How to verify the integrity of a linux tarball?


The tarballs of the Linux releases from https://www.kernel.org/ can be verified with .sign files. There's no information on how to verify the tarball, either on the website or in the README inside the tarball.


Elliott Frisch

The following is derived from the "Linux kernel releases PGP signatures" instructions on the kernel.org site, which say (in part): first (and only once) install the public key like

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 6092693E

Then you can verify signatures like

$ xz -cd linux-3.1.5.tar.xz | gpg --verify linux-3.1.5.tar.sign -

with an expected output something like

gpg: Signature made Fri 09 Dec 2011 12:16:46 PM EST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman
     (Linux kernel stable release signing key) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E
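As an added example (not part of the answer above or of kernel.org's instructions), here is a small POSIX shell wrapper around the two commands. Note that gpg exits 0 for a "Good signature" even when it prints the WARNING shown above, because the key is merely unverified rather than wrong, so the script also compares the reported primary key fingerprint against the known-good one quoted above. The tarball and .sign file names are whatever you downloaded; EXPECTED_FPR is the fingerprint from the output above.

```shell
#!/bin/sh
# Added example: verify a kernel.org tarball and pin the signing key's
# fingerprint instead of stopping at "Good signature".

# Known-good primary key fingerprint (as quoted in the answer above).
EXPECTED_FPR="647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E"

# Normalise a fingerprint for comparison: drop spaces, uppercase hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_gpg_output EXPECTED_FPR GPG_OUTPUT
# Returns 0 only if the gpg output reports a good signature AND the
# "Primary key fingerprint:" line matches EXPECTED_FPR; 1 otherwise.
check_gpg_output() {
    expected=$(norm_fpr "$1")
    output=$2
    # A good signature must be reported, and no bad one.
    printf '%s\n' "$output" | grep -q '^gpg: Good signature from' || return 1
    printf '%s\n' "$output" | grep -q '^gpg: BAD signature' && return 1
    # Extract the fingerprint gpg printed and compare it to the pinned one.
    got=$(printf '%s\n' "$output" | sed -n 's/^Primary key fingerprint: *//p' | head -n 1)
    [ -n "$got" ] || return 1
    [ "$(norm_fpr "$got")" = "$expected" ]
}

# verify_kernel_tarball TARBALL.tar.xz SIGFILE
# The .sign covers the uncompressed .tar, so decompress to stdout and let
# gpg read the data from stdin (the "-" argument), exactly as in the answer.
# gpg writes its verification report to stderr, hence 2>&1.
verify_kernel_tarball() {
    out=$(xz -cd "$1" | gpg --verify "$2" - 2>&1) || return 1
    check_gpg_output "$EXPECTED_FPR" "$out"
}

# Usage: verify_kernel_tarball linux-3.1.5.tar.xz linux-3.1.5.tar.sign
```

A mismatching fingerprint with a "Good signature" line means the data was signed by some key gpg has, just not the one you intended to trust; treat that as a failed verification.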