Opencast Project
 

Verifying Matterhorn Releases

What we sign

All official releases of code distributed by the Opencast Matterhorn Project are signed by the release manager for the release. PGP signatures and MD5 hashes are available along with the distribution.
You should download the PGP signatures and MD5 hashes directly from the Matterhorn download page. This helps ensure the integrity of the signature files.

Checking Signatures

The following example shows how signature checking works. It assumes that you have downloaded Matterhorn-VM-0.5.zip (the release) and Matterhorn-VM-0.5.zip.asc (the detached signature).
This example uses The GNU Privacy Guard. Any OpenPGP-compliant program should work successfully.
First, we will check the detached signature (Matterhorn-VM-0.5.zip.asc) against the release (Matterhorn-VM-0.5.zip).

$ gpg Matterhorn-VM-0.5.zip.asc

       gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID 9C65E585
       gpg: Can't check signature: public key not found

If you see this error, it means you do not have the Release Manager's public key. One popular server is pgpkeys.mit.edu (which has a web interface). The public key servers are linked together, so you should be able to connect to any key server.

$ gpg --keyserver pgpkeys.mit.edu --recv-key 9C65E585
      gpg: requesting key 9C65E585 from hkp server pgpkeys.mit.edu
      gpg: key 9C65E585: "Manjit Trehan (Key Signing) <mtrehan@iupui.edu>" Imported
      gpg: Total number processed: 1
      gpg:              unchanged: 1

In this example, you have now received a public key for an entity known as "Manjit Trehan (Key Signing) <mtrehan@iupui.edu>". However, you have no way of verifying that this key was created by the person known as Manjit Trehan. But, let's try to verify the release signature again.

$ gpg Matterhorn-VM-0.5.zip.asc

       gpg: Good signature from "Manjit Trehan (Key Signing) <mtrehan@iupui.edu>"

At this point, the signature is good, but we don't trust this key. A good signature means that the file has not been tampered with. However, due to the nature of public key cryptography, you need to additionally verify that key 9C65E585 was created by the real Manjit Trehan.
Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would succeed even though the key was not the 'real' key. Therefore, you need to validate the authenticity of this key.

Validating Authenticity of a Key

You may download public keys for the Matterhorn Team from our website or retrieve them off the public PGP keyservers (see above). However, importing these keys is not enough to verify the integrity of the signatures. If a release verifies as good, you need to validate that the key was created by an official representative of the Opencast Matterhorn Project.

The crucial step to validation is to confirm the key fingerprint of the public key.

$ gpg --fingerprint 9C65E585

pub   4096R/9C65E585 2009-09-25
      Key fingerprint = 1FCB 5774 71BF 1AB0 16C8  F53D 1FB7 9B59 9C65 E585
uid                  Manjit Trehan (Key Signing) <mtrehan@iupui.edu>
sub   4096R/8E356680 2009-09-25

A good start to validating a key is face-to-face communication, with the key holder's identity confirmed against multiple forms of government-issued photo identification. However, each person is free to have their own standards for determining the authenticity of a key. Some people are satisfied by reading the key fingerprint over a telephone (voice verification). For more information on determining what level of trust works best for you, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.
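The two checks above (a good detached signature, and a fingerprint that matches the one you validated out of band) are easy to get wrong by hand: "Good signature" alone is not enough. The script below is an added example and is not part of this wiki page or of the Matterhorn distribution. It pins the fingerprint printed above for key 9C65E585 as the only acceptable signing key, compares the release against its published MD5 hash, and accepts a release only when gpg reports a good signature from that pinned key. It assumes gpg 2.x and coreutils md5sum are installed; the function names and the file names Matterhorn-VM-0.5.zip / .asc are just the ones used on this page.

```shell
#!/bin/sh
# Added example, not Opencast/Matterhorn project code.
# Pinned fingerprint of the release manager's key, copied from the
# "gpg --fingerprint 9C65E585" output above. Replace it only after you have
# validated the new fingerprint out of band (in person, by phone, etc.).
EXPECTED_FPR="1FCB 5774 71BF 1AB0 16C8  F53D 1FB7 9B59 9C65 E585"

# normalize_fpr FPR: drop whitespace and uppercase, so the spaced form gpg
# prints and the compact 40-hex-digit form compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# fpr_matches EXPECTED ACTUAL: exit 0 only if both name the same key.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# md5_matches FILE EXPECTED_HEX: exit 0 only if FILE's MD5 equals the hash
# published on the download page. This detects corrupt downloads; it is NOT
# an authenticity check, because an attacker who swaps the file can publish
# a matching hash just as easily. The signature check below is what matters.
md5_matches() {
    actual_md5=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual_md5" = "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

# verify_release RELEASE SIGFILE: exit 0 only for a good signature made by
# the pinned key. gpg's machine-readable status stream prints a VALIDSIG line
# only when the signature is good; its last field is the primary key
# fingerprint, i.e. the value "gpg --fingerprint" shows.
verify_release() {
    release=$1
    sig=$2
    actual_fpr=$(gpg --status-fd 1 --verify "$sig" "$release" 2>/dev/null \
                 | awk '$2 == "VALIDSIG" { print $NF }')
    if [ -z "$actual_fpr" ]; then
        echo "REJECT: no good signature on $release (bad signature, or key not imported)"
        return 1
    fi
    if ! fpr_matches "$EXPECTED_FPR" "$actual_fpr"; then
        # A valid signature from some other key is exactly the attack described
        # above: anyone can upload a key and sign a tampered release with it.
        echo "REJECT: good signature, but from key $actual_fpr, not the pinned release key"
        return 2
    fi
    echo "OK: $release signed by key $(normalize_fpr "$actual_fpr")"
    return 0
}

# Usage: sh verify.sh Matterhorn-VM-0.5.zip Matterhorn-VM-0.5.zip.asc [md5hex]
if [ "$#" -ge 2 ]; then
    if [ "$#" -ge 3 ] && ! md5_matches "$1" "$3"; then
        echo "REJECT: MD5 of $1 does not match the published hash"
        exit 1
    fi
    verify_release "$1" "$2"
    exit $?
fi
```

The order of the checks is deliberate: the MD5 comparison is cheap and catches a truncated download, but only the fingerprint comparison ties the "Good signature" line to the key you actually validated. Pinning the fingerprint in the script (rather than trusting whatever key the keyserver returned) is what closes the attacker-uploaded-key scenario described in the previous section.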
