* Richard B. Tilley (Brad) (rtilley@vt.edu) wrote:
> Hello,
>
> What is the proper way to verify the kernel source before compiling?
> There have been too many trojans of late in open source and free
> software and I, for one, am getting paranoid.
>
> Thank you,
> Brad
>
For each kernel and patch on kernel.org there is a corresponding .sign
file. This is a detached signature file that can be used to verify
that the kernel came from the kernel maintainers and that it has not
been modified since signing. The process for verifying these
signatures is quite easy.
On a valid kernel you will see something like this:
.::jasonc@panacea::.~> gpg --verify linux-2.4.18.tar.gz.sign linux-2.4.18.tar.gz
gpg: Signature made Mon Feb 25 14:42:44 2002 EST using DSA key ID 517D0F0E
gpg: Good signature from "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>"
On a bad signature:
.::jasonc@panacea::.~> gpg --verify linux-2.4.18.tar.gz.sign linux-2.4.18.tar.gz
gpg: Signature made Mon Feb 25 14:42:44 2002 EST using DSA key ID 517D0F0E
gpg: BAD signature from "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>"
-- Jason Cook | GnuPG Fingerprint: D531 F4F4 BDBF 41D1 514D GNU/Linux Engineering Lead | F930 FD03 262E 5120 BEDD evolServ Technology | Home page: http://reinit.orgSMB sucks! *Really* *really* sucks --Jeremy Allison
This archive was generated by hypermail 2b29 : Sat Nov 30 2002 - 22:00:17 EST