
The tarballs of the Linux releases from https://www.kernel.org/ can be verified with .sign files. There's no information on how to verify the tarball on the website or in the README in the tarball.

Kalle Richter

1 Answer

The following is derived from the instructions "Linux kernel releases PGP signatures" on the kernel.org site, which say (in part): first (and only once) install the public key like

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 6092693E

Then you can verify signatures like

$ xz -cd linux-3.1.5.tar.xz | gpg --verify linux-3.1.5.tar.sign -

with an expected output something like

gpg: Signature made Fri 09 Dec 2011 12:16:46 PM EST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman
     (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E
Elliott Frisch
Comment: Using short key ids (8 hex digits) is dangerous. There are many duplicates in the wild, e.g. something called `Totally Legit Signing Key` for Greg's key. The duplicate is of course false. Always use the full fingerprint `... --recv-keys "85C6 0099 3043 CE5B E21A D7F9 B034 4703 6092 693E"` – Uwe Geuder Apr 15 '19 at 11:42
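The verification the answer describes, wrapped in a small checker. This is an added example, not code from the answer, the comment or kernel.org: it runs the same `xz -cd ... | gpg --verify ... -` pipeline, but takes its decision from gpg's machine-readable `--status-fd` lines instead of the human-readable "Good signature" text, and accepts the result only if the signing key's full 40-hex-digit primary fingerprint is in an allowlist. The allowlisted fingerprint is the one printed in the answer's output; the sample status lines used to exercise the checker are constructed for the demo (the colliding fingerprint is made up), and the function names are my own.

```python
"""Verify a kernel.org tarball signature and pin the signer's full fingerprint.

Added example (not from the answer or kernel.org). The pipeline is the answer's
    xz -cd linux-X.Y.Z.tar.xz | gpg --verify linux-X.Y.Z.tar.sign -
but the verdict comes from gpg's --status-fd output, and only a key whose
full primary fingerprint is allowlisted counts. A matching 8-hex-digit short
key ID is not enough, which is the point of the comment above.
"""
import subprocess
import sys

# Fingerprint as printed in the answer's gpg output (Greg Kroah-Hartman's
# stable release signing key). Extend with other release signers as needed.
TRUSTED_PRIMARY_FINGERPRINTS = {
    "647F28654894E3BD457199BE38DBBDC86092693E",
}

STATUS_PREFIX = "[GNUPG:] "


def parse_status(status_text):
    """Map each gpg status keyword to the list of argument lists seen for it."""
    status = {}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            status.setdefault(parts[0], []).append(parts[1:])
    return status


def check_signature(status_text, trusted=TRUSTED_PRIMARY_FINGERPRINTS):
    """Return (ok, reason). ok is True only for a VALIDSIG by an allowlisted key."""
    st = parse_status(status_text)
    for bad in ("BADSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
        if bad in st:
            return False, bad + ": " + " ".join(st[bad][0])
    if "NO_PUBKEY" in st:
        return False, "signing key not in keyring: " + st["NO_PUBKEY"][0][0]
    if "VALIDSIG" not in st:
        return False, "no VALIDSIG status line (gpg did not report a valid signature)"
    for args in st["VALIDSIG"]:
        # VALIDSIG <sig-key-fpr> <date> <ts> <expire-ts> <ver> <reserved>
        #          <pk-algo> <hash-algo> <sig-class> <primary-key-fpr>
        # Releases may be signed by a subkey, so compare the primary fingerprint.
        primary = (args[9] if len(args) > 9 else args[0]).upper()
        if primary in trusted:
            return True, "valid signature by trusted key " + primary
    return False, "valid signature, but by an untrusted key: " + st["VALIDSIG"][0][-1]


def verify_tarball(tarball_xz, sign_file, gpg="gpg", xz="xz"):
    """Run the answer's pipeline with --status-fd and return check_signature()'s verdict."""
    xz_proc = subprocess.Popen([xz, "-cd", tarball_xz], stdout=subprocess.PIPE)
    gpg_proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sign_file, "-"],
        stdin=xz_proc.stdout, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        text=True, check=False)
    xz_proc.stdout.close()
    xz_proc.wait()
    return check_signature(gpg_proc.stdout)


# Constructed status output (not a real gpg capture), shaped like what
# --status-fd emits for the answer's linux-3.1.5 example.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>
[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2011-12-09 1323451006 0 4 0 1 10 00 647F28654894E3BD457199BE38DBBDC86092693E
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a different key whose fingerprint also ends in the short ID
# 6092693E, as the comment warns. The fingerprint is made up for the demo.
SAMPLE_SHORT_ID_COLLISION = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 111111116092693E Totally Legit Signing Key <greg@kroah.com>
[GNUPG:] VALIDSIG 111111111111111111111111111111116092693E 2011-12-09 1323451006 0 4 0 1 10 00 111111111111111111111111111111116092693E
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: tampered tarball, signature does not verify.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 38DBBDC86092693E Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        ok, reason = verify_tarball(sys.argv[1], sys.argv[2])
    else:
        ok, reason = check_signature(SAMPLE_GOOD)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it as `python3 verify_kernel.py linux-3.1.5.tar.xz linux-3.1.5.tar.sign` after importing the key; with no arguments it exercises the checker on the constructed sample. Note that gpg's "WARNING: This key is not certified" and the `TRUST_UNDEFINED` status are about the web of trust, not about whether the signature is mathematically valid; pinning the full fingerprint you obtained out of band is what replaces that missing trust path.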