Verifying Episode Integrity

We provide several methods to assure that you are in fact downloading our authorized and unaltered final cuts.

NOTE: If you’re looking for an automatic way of doing this (currently only the SHA256 sums are supported, but GnuPG signatures may be supported in the future as well), I’d recommend the feed verifier script I wrote. More info on this can be found in our site transition announcement post.

SHA256

In the show notes for an episode, you will see a field at the top that says SHA256 and then a long string. Verifying SHA256 sums is fairly easy on GNU/Linux, other *nixes, and Mac OS X.

To ensure that these checksums have not been tampered with, we have previously offered GnuPG-signed checksums of the checksum list. However, it remains to be seen if these checksums will be enabled for the new site or not. We do, of course, still sign our episodes (and GnuPG signatures inherently verify file integrity).

GNU/Linux

You should have sha256sum(1) installed by default. Let’s use S0E1 as an example.

The show notes show the sum for MP3 as e8df6339bb5d40648ab4fe3935fe4d2a93a454e2a102e4b51611c3048583af9d.

Let’s run sha256sum against the file we/our podcast client/etc. downloaded:

[user@host Sysadministrivia]$ pwd
/home/user/gPodder/Downloads/Sysadministrivia
[user@host Sysadministrivia]$ sha256sum s0e1.body.bongos.mp3 
e8df6339bb5d40648ab4fe3935fe4d2a93a454e2a102e4b51611c3048583af9d  s0e1.body.bongos.mp3

Now, we compare the SHA256 in the show notes to the one we just generated. If they’re the same, rad! It’s all gravy (or someone compromised our shownotes- if you’re that paranoid, you’ll want to use the GnuPG method below).
If they’re different, your download either did not complete or your network admin is doing funky things with your stream. You should buy them donuts to make them less surly.

Mac OS X/macOS

If you prefer a GUI, check out hashtab. Otherwise, read on.

You should have shasum(1) installed by default. Let’s use S0E1 as an example.

The show notes show the sum for MP3 as e8df6339bb5d40648ab4fe3935fe4d2a93a454e2a102e4b51611c3048583af9d.

Let’s run shasum against the file we/our podcast client/etc. downloaded (if you used iTunes, these are in ~/Music/iTunes/iTunes Media/Podcasts/Sysadministrivia/ – do note, however, that iTunes changes the filename from upstream (us)):

host:tmp user$ shasum -a256 s0e1.body.bongos.mp3
e8df6339bb5d40648ab4fe3935fe4d2a93a454e2a102e4b51611c3048583af9d  s0e1.body.bongos.mp3

Now, we compare the SHA256 in the show notes to the one we just generated. If they’re the same, rad! It’s all gravy (or someone compromised our wiki- if you’re that paranoid, you’ll want to use the GPG method below).
If they’re different, your download either did not complete or your network admin is doing funky things with your stream. You should buy them donuts to make them less surly.

*BSD/Other *nixen

You should have sha256 (see md5(1)) installed by default. Let’s use S0E1 as an example.

The show notes show the sum for MP3 as e8df6339bb5d40648ab4fe3935fe4d2a93a454e2a102e4b51611c3048583af9d.

Let’s run sha256 against the file we/our podcast client/etc. downloaded:

$ sha256 s0e1.body.bongos.mp3
SHA256 (s0e1.body.bongos.mp3) = e8df6339bb5d40648ab4fe3935fe4d2a93a454e2a102e4b51611c3048583af9d

Now, we compare the SHA256 in the show notes to the one we just generated. If they’re the same, rad! It’s all gravy (or someone compromised our wiki- if you’re that paranoid, you’ll want to use the GPG method below).
If they’re different, your download either did not complete or your network admin is doing funky things with your stream. You should buy them donuts to make them less surly.
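
Comparing two 64-character strings by eye is easy to get wrong, so here is the comparison from the three sections above as a script. It is an added example, not the feed verifier script mentioned at the top of this page; the function names sha256_of and verify_sha256 are made up for it, and it uses whichever of sha256sum, shasum or sha256 is installed.

```shell
#!/bin/sh
# Added example: compare a downloaded episode with the SHA256 from the show notes.
# Usage: sh verify-sum.sh FILE EXPECTED_SHA256   (script name is hypothetical)

# Print only the hex digest of file $1. The file is fed on stdin so its name
# never reaches the tool's option parser or its output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'        # GNU: "<hash>  -"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'    # macOS: "<hash>  -"
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q < "$1"                           # BSD: -q prints the hash only
    else
        echo "no SHA256 tool found" >&2
        return 2
    fi
}

# verify_sha256 FILE EXPECTED: 0 = match, 1 = mismatch, 2 = bad input or no tool.
verify_sha256() {
    file=$1
    # Normalize the pasted value: strip whitespace, lowercase the hex digits.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    # A truncated or mangled paste can never match; report that, not "mismatch".
    case $expected in
        ''|*[!0-9a-f]*) echo "expected sum is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected sum must be 64 hex characters" >&2; return 2
    fi
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# Run the check only when called with both arguments.
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
fi
```

The exit status separates a real mismatch (1) from a bad paste or missing tool (2), which matters if a podcast client or cron job calls it.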

Windows

Please reference Apache OpenOffice documentation on how to do this with Windows.

GnuPG

The key we use for signing episodes can be found here. If you’re a Keybase.io user, you can find us here.

The Sysadministrivia staff’s subkeys can be found listed in their bios.

NOTE: If you don’t want to run a static system-installed GPG instance (or feel like juggling with keys on every new install), there is GPG4USB, a USB-driven GPG implementation (available for both Windows and GNU/Linux). I cannot vouch for its safety, however, so as always when installing random things from the Internet, be careful.

GNU/Linux

You should have gpg2(1) installed by default (it may be under the binary names gpg, gnupg, gnupg2, etc.). Let’s use S0E1 as an example.

First, we import the public key, verify it against a fingerprint, and trust the key. You only need to do this once; it’s stored in your keyring after that. (Note that if you delete ~/.gnupg or wherever you store your keyring, you will need to repeat the process.) Your output may differ slightly from the below.

[user@host ~]$ gpg --recv-keys --keyserver pgp.mit.edu 0x343c305f9109d4dc
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 9109D4DC: public key "Sysadministrivia Podcast (https://sysadministrivia.com) <admin@sysadministrivia.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

You’ll need an active internet connection to fetch from a keyserver, by the way.

Once the key is imported, verify the fingerprint. Per our listing in the keyserver (and verifying here), our fingerprint is 63D1 CEA3 87C2 7A92 E0D5 0AB8 343C 305F 9109 D4DC.

[user@host ~]$ gpg --fingerprint 0x343c305f9109d4dc
pub   rsa4096/9109D4DC 2015-03-12
      Key fingerprint = 63D1 CEA3 87C2 7A92 E0D5  0AB8 343C 305F 9109 D4DC
uid       [ unknown] Sysadministrivia Podcast (https://sysadministrivia.com) <admin@sysadministrivia.com>
uid       [ unknown] [jpeg image of size 48921]
sub   rsa4096/B7B4663F 2015-03-12
sub   rsa4096/8060AA58 2015-03-12
sub   rsa4096/7675230F 2015-03-12

If the fingerprints match, great! If not, someone is doing some pretty naughty things on your network.

Once you have verified the match, you’ll be able to verify signatures. Note in the show notes for S0E1 the GPG Signature link for MP3. It will link to a plaintext file- you should see at LEAST one signature block in that file, possibly more. You can wget/curl this, we’ll need it in a second.

[user@host Sysadministrivia]$ pwd
/home/user/gPodder/Downloads/Sysadministrivia
[user@host Sysadministrivia]$ curl -Os https://sysadministrivia.com/media/S0/E1/gpg/s0e1.body.bongos.mp3.asc

Next we need to tell GPG that we trust the key we imported. Note that to perform a good verify, you need to trust the key with “Ultimate” level. If you would like to arrange further verification of our key (and you should, as it’s proper GPG/PGP operating procedure to do so), please contact us at our contact page and we will arrange a method of verifying this that will hopefully provide adequate proof of key identity.

Once you’re sure we are who we say we are ;) we can set the trust level of the key:

[user@host ~]$ gpg --trusted-key 0x343c305f9109d4dc --list-keys 0x343c305f9109d4dc

(Alternatively, you can do gpg --edit-key 0x343c305f9109d4dc trust – just be aware that you will need to grant Ultimate trust (level 5) if you want good signatures to not complain.)

Mac OS X/macOS

Mac OS X/macOS doesn’t come with GPG by default. For shame. You should install gpgtools (a newer fork of MacGPG) first.

After you’ve installed gpgtools, we import the public key, verify it against a fingerprint, and trust the key. You only need to do this once; it’s stored in your keyring after that. (Note that if you delete ~/.gnupg or wherever you store your keyring, you will need to repeat the process.)

host:~ user$ gpg --recv-keys --keyserver pgp.mit.edu 0x343c305f9109d4dc
gpg: requesting key 9109D4DC from hkp server pgp.mit.edu
gpg: DBG: armor-keys-failed (KEY 0x343C305F9109D4DC BEGIN
) ->0
gpg: DBG: armor-keys-failed (KEY 0x343C305F9109D4DC END
) ->0
gpg: key 9109D4DC: public key "Sysadministrivia Podcast (https://sysadministrivia.com) <admin@sysadministrivia.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

You’ll need an active internet connection to fetch from a keyserver, by the way.

Once the key is imported, verify the fingerprint. Per our listing in the keyserver (and verifying here), our fingerprint is 63D1 CEA3 87C2 7A92 E0D5 0AB8 343C 305F 9109 D4DC.

host:~ user$ gpg --fingerprint 0x343c305f9109d4dc
pub   4096R/9109D4DC 2015-03-12
      Key fingerprint = 63D1 CEA3 87C2 7A92 E0D5  0AB8 343C 305F 9109 D4DC
uid       [ unknown] Sysadministrivia Podcast (https://sysadministrivia.com) <admin@sysadministrivia.com>
uid       [ unknown] [jpeg image of size 48921]
sub   4096R/B7B4663F 2015-03-12
sub   4096R/8060AA58 2015-03-12
sub   4096R/7675230F 2015-03-12

If the fingerprints match, great! If not, someone is doing some pretty naughty things on your network.

Once you have verified the match, you’ll be able to verify signatures. Note in the show notes for S0E1 the GPG Signature link. It will link to a plaintext file- you should see at LEAST one signature block in that file, possibly more. You can curl this, we’ll need it in a second.

host:tmp user$ curl -Os https://sysadministrivia.com/media/S0/E1/gpg/s0e1.body.bongos.mp3.asc

Next we need to tell GPG that we trust the key we imported. Note that to perform a good verify, you need to trust the key with “Ultimate” level. If you would like to arrange further verification of our key (and you should, as it’s proper GPG/PGP operating procedure to do so), please contact us at our contact page and we will arrange a method of verifying this that will hopefully provide adequate proof of key identity.

Once you’re sure we are who we say we are ;) we can set the trust level of the key:

host:tmp user$ gpg --trusted-key 0x343c305f9109d4dc --list-keys 0x343c305f9109d4dc

(Alternatively, you can do gpg --edit-key 0x343c305f9109d4dc trust – just be aware that you will need to grant Ultimate trust (level 5) if you want good signatures to not complain.)

Now that we have imported the pubkey into our keyring, set a trust level, and fetched the .asc file, you can verify the file you/your podcast client/etc. has downloaded against the signature (if you used iTunes, these are in ~/Music/iTunes/iTunes Media/Podcasts/Sysadministrivia/ – do note, however, that iTunes changes the filename from upstream (us)).

host:tmp user$ gpg --verify s0e1.body.bongos.mp3.asc s0e1.body.bongos.mp3
gpg: Signature made Sat Mar 14 01:20:28 2015 EDT using RSA key ID 8060AA58
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2018-08-19
gpg: Good signature from "Sysadministrivia Podcast (https://sysadministrivia.com) <admin@sysadministrivia.com>" [ultimate]
gpg:                 aka "[jpeg image of size 48921]" [ultimate]
gpg: Signature made Sat Mar 14 01:20:36 2015 EDT using RSA key ID 7675230F
gpg: Good signature from "Sysadministrivia Podcast (https://sysadministrivia.com) <admin@sysadministrivia.com>" [ultimate]
gpg:                 aka "[jpeg image of size 48921]" [ultimate]

Usually I’ll sign each episode. Jthan’s lazy so he doesn’t sign very often, but when he does he usually signs all existing episodes that he missed at the same time. Either way, as long as either of us signs it, you’ll see at least one line reading Good signature from “Sysadministrivia Podcast (…”.

*BSD/Other *nixen

First off, if you use NetBSD you’re in luck, as they have NetPGP. But honestly, you’re better off with GPG (GnuPG). NetPGP seems a bit crippled at cursory glance, but if you hate the GPL that much you at least have an option. I’m not going to delve into how to use it though.

You’ll need to install it from pkg(8) or compile from source/via ports; I’m not aware of any BSDs that include it by default.

Moving on.

First, we import the public key, verify it against a fingerprint, and trust the key. You only need to do this once; it’s stored in your keyring after that. (Note that if you delete ~/.gnupg or wherever you store your keyring, you will need to repeat the process.)

For some reason, the pkg version of gnupg (at least on FreeBSD 10.x) seemed to take a bit longer than usual to contact the keyserver. So heads up.

$ gpg --recv-keys --keyserver pgp.mit.edu 0x343c305f9109d4dc
gpg: directory '/home/user/.gnupg' created
gpg: new configuration file '/home/user/.gnupg/gpg.conf' created
gpg: WARNING: options in '/home/user/.gnupg/gpg.conf' are not yet active during this run
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 9109D4DC: public key "Sysadministrivia Podcast (https://sysadministrivia.com) <admin@sysadministrivia.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

You’ll need an active internet connection to fetch from a keyserver, by the way.

Once the key is imported, verify the fingerprint. Per our listing in the keyserver (and verifying here), our fingerprint is 63D1 CEA3 87C2 7A92 E0D5 0AB8 343C 305F 9109 D4DC.

$ gpg --fingerprint 0x343c305f9109d4dc
pub   rsa4096/9109D4DC 2015-03-12
      Key fingerprint = 63D1 CEA3 87C2 7A92 E0D5  0AB8 343C 305F 9109 D4DC
uid       [ unknown] Sysadministrivia Podcast (https://sysadministrivia.com) <admin@sysadministrivia.com>
uid       [ unknown] [jpeg image of size 48921]
sub   rsa4096/B7B4663F 2015-03-12
sub   rsa4096/8060AA58 2015-03-12
sub   rsa4096/7675230F 2015-03-12

If the fingerprints match, great! If not, someone is doing some pretty naughty things on your network.

Once you have verified the match, you’ll be able to verify signatures. Note in the show notes for S0E1 the GPG Signature link. It will link to a plaintext file- you should see at LEAST one signature block in that file, possibly more. You can curl this (if you have curl installed), we’ll need it in a second.

$ pwd
/usr/home/user
$ /usr/local/bin/curl -Os https://sysadministrivia.com/media/S0/E1/gpg/s0e1.body.bongos.mp3.sig

Next we need to tell GPG that we trust the key we imported. Note that to perform a good verify, you need to trust the key with “Ultimate” level. If you would like to arrange further verification of our key (and you should, as it’s proper GPG/PGP operating procedure to do so), please contact us at our contact page and we will arrange a method of verifying this that will hopefully provide adequate proof of key identity.

Once you’re sure we are who we say we are ;) we can set the trust level of the key:

$ gpg --trusted-key 0x343c305f9109d4dc --list-keys 0x343c305f9109d4dc

(Alternatively, you can do gpg --edit-key 0x343c305f9109d4dc trust – just be aware that you will need to grant Ultimate trust (level 5) if you want good signatures to not complain.)

Now that we have imported the pubkey into our keyring, set a trust level, and we have fetched the .sig file, you can verify the file you/your podcast client/etc. has downloaded against the signature.

$ gpg --verify s0e1.body.bongos.mp3.sig s0e1.body.bongos.mp3
gpg: Signature made Sat Mar 14 01:20:28 2015 EDT using RSA key ID 8060AA58
gpg: Good signature from "Sysadministrivia Podcast (https://sysadministrivia.com) <admin@sysadministrivia.com>" [ultimate]
gpg:                 aka "[jpeg image of size 48921]" [ultimate]
gpg: Signature made Sat Mar 14 01:20:36 2015 EDT using RSA key ID 7675230F
gpg: Good signature from "Sysadministrivia Podcast (https://sysadministrivia.com) <admin@sysadministrivia.com>" [ultimate]
gpg:                 aka "[jpeg image of size 48921]" [ultimate]

Usually I’ll sign each episode. Jthan’s lazy so he doesn’t sign very often, but when he does he usually signs all existing episodes that he missed at the same time. Either way, as long as either of us signs it, you’ll see at least one line reading Good signature from “Sysadministrivia Podcast (…”.
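
The same verification can be scripted instead of read by eye: gpg’s machine-readable status lines (--status-fd) carry, for every valid signature, the fingerprint of the primary key the signing subkey belongs to, and that can be compared with the fingerprint published above. This is an added example, not the site’s own script; check_status and verify_episode are hypothetical names, and it goes slightly beyond the walkthrough by also rejecting a signature file that contains a bad, expired or revoked-key signature.

```shell
#!/bin/sh
# Added example: accept an episode only if gpg reports a valid signature made
# under the primary key whose fingerprint is published on this page.
# Usage: sh verify-sig.sh SIGFILE MEDIAFILE   (script name is hypothetical)

# Fingerprint from this page, spaces removed.
PINNED_FPR=63D1CEA387C27A92E0D50AB8343C305F9109D4DC

# Read `gpg --status-fd` lines on stdin. Return 0 only if at least one
# signature is valid under PINNED_FPR and none is bad, expired, or made by
# an expired or revoked key.
check_status() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: $3 is the fingerprint of the (sub)key that signed,
        # $12 is the fingerprint of the primary key it belongs to.
        $2 == "VALIDSIG" && NF >= 12 && toupper($12) == want { good++ }
        END { exit !(good > 0 && !bad) }
    '
}

# verify_episode SIGFILE MEDIAFILE: run gpg and apply the check above.
# The signing key must already be imported into the keyring.
verify_episode() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Run the check only when called with both arguments.
if [ "$#" -eq 2 ]; then
    verify_episode "$1" "$2" && echo "signature OK: $2"
fi
```

Because the fingerprint is pinned in the script, the result does not depend on the trust level set in the keyring.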

Windows

Use GPG4Win. You’re on your own; good luck.
