<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0" />
<title>Evil 32: Check Your GPG Fingerprints</title>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Lato:300,400,400italic" type="text/css">
<link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" type='text/css'>
<link rel="stylesheet" href="/evil32_examples.css" type='text/css'>
<link rel="icon" type="image/png" href="/favicon.png" />
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="//oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="//oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body>
<div class="container">
<h1>Evil 32: Real World Example</h1>
<div class="row">
<div class="col-xs-12 col-md-12 col-sm-12">
<h3>Verifying Signatures for Puppet Labs Packages</h3>
<p>The example below walks you through the steps supplied in <a href="http://docs.puppetlabs.com/references/3.6.2/man/agent.html" target="_blank">Puppet's docs</a> for verifying the signatures on Puppet Packages. In this example the network has not been compromised.</p>
<p><u>Note: Puppet's docs have been updated to use their full GPG fingerprint since this example was written.</u></p>
</div>
</div>
<div class="row">
<div class="col-xs-6 col-md-6 col-sm-6">
<h3>Expected</h3>
<ul><li>Download the tarball and signature from Puppet Labs, which has not tampered with the files</li></ul>
<pre>
<b>$</b> wget https://downloads.puppetlabs.com/puppet/puppet-3.6.2.tar.gz
2014-07-12 (6.57 MB/s) - ‘puppet-3.6.2.tar.gz’ saved
</pre>
<pre>
<b>$</b> wget https://downloads.puppetlabs.com/puppet/puppet-3.6.2.tar.gz.asc
2014-07-12 (29.4 MB/s) - ‘puppet-3.6.2.tar.gz.asc’ saved
</pre>
</div>
<div class="col-xs-6 col-md-6 col-sm-6">
<h3>Compromised</h3>
<ul><li>Download the tarball and signature from the evil mirror, which has tampered with the files</li></ul>
<pre>
<b>$</b> wget http://mirror.evil32.com/puppet/puppet-3.6.2.tar.gz
2014-07-12 (417 MB/s) - ‘puppet-3.6.2.tar.gz’ saved
</pre>
<pre>
<b>$</b> wget http://mirror.evil32.com/puppet/puppet-3.6.2.tar.gz.asc
2014-07-12 (73.4 MB/s) - ‘puppet-3.6.2.tar.gz.asc’ saved
</pre>
</div>
</div>
<div class="row">
<div class="col-xs-6 col-md-6 col-sm-6">
<ul><li>Receive the key as instructed in Puppet's documentation</li></ul>
<pre>
<b>$</b> gpg --keyserver pgp.mit.edu --recv-key 4BD6EC30
<b>gpg:</b> requesting key 4BD6EC30 from hkp server pgp.mit.edu
<b>gpg:</b> key 4BD6EC30: public key "Puppet Labs Release Key (Puppet Labs Release Key) &lt;info@puppetlabs.com&gt;" imported
<b>gpg:</b> no ultimately trusted keys found
<b>gpg:</b> Total number processed: 1
<b>gpg:</b> imported: 1 (RSA: 1)
</pre>
</div>
<div class="col-xs-6 col-md-6 col-sm-6">
<ul><li>Receive the key as instructed in Puppet's documentation</li></ul>
<pre>
<b>$</b> gpg --keyserver pgp.mit.edu --recv-key 4BD6EC30
<b>gpg:</b> requesting key 4BD6EC30 from hkp server pgp.mit.edu
<b>gpg:</b> key 4BD6EC30: public key "Puppet Labs Release Key (Puppet Labs Release Key) &lt;info@puppetlabs.com&gt;" imported
<b>gpg:</b> key 4BD6EC30: public key "Puppet Labs Release Key (Puppet Labs Release Key) &lt;info@puppetlabs.com&gt;" imported
<b>gpg:</b> no ultimately trusted keys found
<b>gpg:</b> Total number processed: 2
<b>gpg:</b> imported: 2 (RSA: 2)
</pre>
</div>
</div>
<div class="row">
<div class="col-xs-6 col-md-6 col-sm-6">
<ul><li>List keys and check that the fingerprint is present</li></ul>
<pre>
<b>$</b> gpg --list-key --fingerprint 4bd6ec30
pub 4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
Key fingerprint = 47B3 20EB 4C7C 375A A9DA E1A0 1054 B7A2 4BD6 EC30
uid Puppet Labs Release Key (Puppet Labs Release Key) &lt;info@puppetlabs.com&gt;
</pre>
</div>
<div class="col-xs-6 col-md-6 col-sm-6">
<ul><li>List keys and check that the fingerprint is present</li></ul>
<pre>
<b>$</b> gpg --list-key --fingerprint 4bd6ec30
pub 4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
Key fingerprint = 47B3 20EB 4C7C 375A A9DA E1A0 1054 B7A2 4BD6 EC30
uid Puppet Labs Release Key (Puppet Labs Release Key) &lt;info@puppetlabs.com&gt;
pub 4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08]
Key fingerprint = 22A6 C997 D0F3 2A3D 984B BE13 0F65 842D 4BD6 EC30
uid Puppet Labs Release Key (Puppet Labs Release Key) &lt;info@puppetlabs.com&gt;
</pre>
</div>
</div>
<div class="row">
<div class="col-xs-6 col-md-6 col-sm-6">
<ul><li>Verify that the signature is good</li></ul>
<pre>
<b>$</b> gpg --verify puppet-3.6.2.tar.gz.asc puppet-3.6.2.tar.gz
<b>gpg:</b> Signature made Tue 10 Jun 2014 12:44:55 PM EDT using RSA key ID 4BD6EC30
<b>gpg:</b> Good signature from "Puppet Labs Release Key (Puppet Labs Release Key) &lt;info@puppetlabs.com&gt;"
<b>gpg:</b> WARNING: This key is not certified with a trusted signature!
<b>gpg:</b> There is no indication that the signature belongs to the owner.
Primary key fingerprint: 47B3 20EB 4C7C 375A A9DA E1A0 1054 B7A2 4BD6 EC30
</pre>
</div>
<div class="col-xs-6 col-md-6 col-sm-6">
<ul><li>Verify that the signature is good</li></ul>
<pre>
<b>$</b> gpg --verify puppet-3.6.2.tar.gz.asc puppet-3.6.2.tar.gz
<b>gpg:</b> Signature made Sat 12 Jul 2014 11:44:22 PM EDT using RSA key ID 4BD6EC30
<b>gpg:</b> Good signature from "Puppet Labs Release Key (Puppet Labs Release Key) &lt;info@puppetlabs.com&gt;"
<b>gpg:</b> WARNING: This key is not certified with a trusted signature!
<b>gpg:</b> There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22A6 C997 D0F3 2A3D 984B BE13 0F65 842D 4BD6 EC30
</pre>
</div>
</div>
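<div class="row">
<div class="col-xs-12 col-md-12 col-sm-12">
<p>Both columns end in "Good signature" and both keys answer to the short ID 4BD6EC30, so the only check that separates them is the full fingerprint. The Python sketch below is an added example, not part of the original page or of Puppet's documentation: it flags short-ID collisions in <code>gpg --with-colons --fingerprint</code> output and accepts a <code>gpg --status-fd</code> VALIDSIG line only when it names the pinned fingerprint. The fingerprints are the two shown above; the helper names and every other field in the sample records are constructed for illustration.</p>

```python
# Added example, not from the original page: pin the full 160-bit fingerprint.
from collections import defaultdict

# Genuine key as shown in the "Expected" column; lookalike from "Compromised".
PINNED = "47B3 20EB 4C7C 375A A9DA E1A0 1054 B7A2 4BD6 EC30"
LOOKALIKE = "22A6 C997 D0F3 2A3D 984B BE13 0F65 842D 4BD6 EC30"

def normalize(fpr):
    """Drop spaces and upper-case a fingerprint as gpg prints it."""
    return "".join(fpr.split()).upper()

def fingerprints(colon_listing):
    """Collect field 10 of every `fpr` record in --with-colons output."""
    rows = (line.split(":") for line in colon_listing.splitlines())
    return [r[9].upper() for r in rows if r[0] == "fpr" and len(r) > 9]

def short_id_collisions(fprs):
    """Return {32-bit key ID: [fingerprints]} for IDs shared by several keys."""
    by_short = defaultdict(set)
    for f in fprs:
        by_short[f[-8:]].add(f)
    return {k: sorted(v) for k, v in by_short.items() if len(v) > 1}

def signer_is_pinned(status_output, pinned=PINNED):
    """True only if a VALIDSIG exists and every one names the pinned key."""
    signers = []
    for line in status_output.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # Last field is the primary-key fingerprint in current GnuPG;
            # anything else there fails the comparison, so this fails closed.
            signers.append(parts[-1].upper())
    return bool(signers) and all(s == normalize(pinned) for s in signers)

def listing_for(fprs):
    """Build a constructed colon listing (pub + fpr records) for `fprs`."""
    recs = []
    for f in map(normalize, fprs):
        recs += [f"pub:-:4096:1:{f[-16:]}:0:::-:::scSC:", "fpr" + ":" * 9 + f + ":"]
    return "\n".join(recs)

def status_for(fpr):
    """Build a constructed VALIDSIG status line for a signature by `fpr`."""
    f = normalize(fpr)
    return f"[GNUPG:] VALIDSIG {f} 2014-06-10 1402418695 0 4 0 1 2 00 {f}"

if __name__ == "__main__":
    keyring = listing_for([PINNED, LOOKALIKE])
    print("ambiguous short IDs:", short_id_collisions(fingerprints(keyring)))
    print("genuine accepted:", signer_is_pinned(status_for(PINNED)))
    print("lookalike accepted:", signer_is_pinned(status_for(LOOKALIKE)))
```

</div>
</div>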
</div>
</body>
</html>