Re: Verifying Kernel source

Jason Cook (jasonc@reinit.org)
Wed, 27 Nov 2002 11:46:25 -0500


* Richard B. Tilley (Brad) (rtilley@vt.edu) wrote:
> Hello,
>
> What is the proper way to verify the kernel source before compiling?
> There have been too many trojans of late in open source and free
> software and I, for one, am getting paranoid.
>
> Thank you,
> Brad
>

For each kernel and patch on kernel.org there is a corresponding .sign
file. This is a detached signature file that can be used to verify
that the kernel came from the kernel maintainers and that it has not
been modified since signing. The process for verifying these
signatures is quite easy.

On a valid kernel you will see something like this:

.::jasonc@panacea::.~> gpg --verify linux-2.4.18.tar.gz.sign linux-2.4.18.tar.gz
gpg: Signature made Mon Feb 25 14:42:44 2002 EST using DSA key ID 517D0F0E
gpg: Good signature from "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>"

On a bad signature:

.::jasonc@panacea::.~> gpg --verify linux-2.4.18.tar.gz.sign linux-2.4.18.tar.gz
gpg: Signature made Mon Feb 25 14:42:44 2002 EST using DSA key ID 517D0F0E
gpg: BAD signature from "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>"

-- 
Jason Cook | GnuPG Fingerprint: D531 F4F4 BDBF 41D1 514D
GNU/Linux Engineering Lead | F930 FD03 262E 5120 BEDD
evolServ Technology | Home page: http://reinit.org

SMB sucks! *Really* *really* sucks
--Jeremy Allison

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
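
An added example, not part of the original message: "Good signature" only says that some key in the local keyring made the signature, so this sketch reads gpg's machine-readable status lines (`--status-fd`) and accepts the file only when the signature is valid and comes from a pinned key. The fingerprint values and sample status lines are constructed placeholders; substitute the fingerprint of the signing key you have checked out of band.

```shell
#!/bin/sh
# Added example: accept a detached signature only if gpg reports it valid
# AND it was made by the key we expect.

# Constructed placeholder, NOT a real fingerprint: replace with the signing
# key fingerprint you verified out of band.
PINNED_FPR="0000000000000000000000000000000000000000"

# check_status FPR: read `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only if a VALIDSIG line names FPR (as signing key or as primary
# key) and no line reports a bad, unverifiable, expired or revoked signature.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # toupper() forces a string comparison and ignores hex case
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) ok = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_detached SIGFILE DATAFILE: run gpg and apply the check above.
# If gpg is missing or fails, no VALIDSIG line appears and the check fails.
verify_detached() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status lines (not captured from a real run) for an offline check.
SAMPLE_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SAMPLE_GOOD="[GNUPG:] GOODSIG 0000111122223333 Constructed Key <key@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2002-02-25 1014666164 0 3 0 17 2 00 $SAMPLE_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG 0000111122223333 Constructed Key <key@example.org>"

if [ "$#" -eq 2 ]; then
    # Usage: script linux-X.Y.Z.tar.gz.sign linux-X.Y.Z.tar.gz
    verify_detached "$1" "$2" || { echo "REJECTED: $2" >&2; exit 1; }
    echo "OK: $2 is signed by the pinned key"
else
    # No files given: show the decision on the constructed samples.
    printf '%s\n' "$SAMPLE_GOOD" | check_status "$SAMPLE_FPR" && echo "sample good: accepted"
    printf '%s\n' "$SAMPLE_BAD" | check_status "$SAMPLE_FPR" || echo "sample bad: rejected"
    printf '%s\n' "$SAMPLE_GOOD" | check_status "$PINNED_FPR" || echo "sample good, wrong key: rejected"
fi
```

The third sample case is the one the human-readable output hides: a cryptographically good signature made by a key other than the pinned one is rejected.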