Thursday, March 5, 2009

Verifying the integrity of nmap-4.76.tar.bz2 downloads


1. Download the Nmap Signing Key
[root@localhost gpg_test]# wget http://nmap.org/data/nmap_gpgkeys.txt
--2009-03-05 12:40:40-- http://nmap.org/data/nmap_gpgkeys.txt
Resolving nmap.org... 64.13.134.48
Connecting to nmap.org|64.13.134.48|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4975 (4.9K) [text/plain]
Saving to: `nmap_gpgkeys.txt'

100%[======================================>] 4,975 --.-K/s in 0.1s

2009-03-05 12:40:40 (46.2 KB/s) - `nmap_gpgkeys.txt' saved [4975/4975]

2. Import the Signing Keys using PGP
[root@localhost gpg_test]# gpg --import nmap_gpgkeys.txt
gpg: key 6B9355D0: "Nmap Project Signing Key (http://www.insecure.org/)" not changed
gpg: key 33599B5F: "Fyodor " not changed
gpg: Total number processed: 2
gpg: unchanged: 2

3. Verifying the Nmap and Fyodor PGP Key Fingerprints
[root@localhost gpg_test]# gpg --fingerprint nmap fyodor
pub 1024D/6B9355D0 2005-04-24
Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0
uid Nmap Project Signing Key (http://www.insecure.org/)
sub 2048g/A50A6A94 2005-04-24

pub 1024D/33599B5F 2005-04-24
Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F
uid Fyodor
sub 2048g/D3C2241C 2005-04-24

4. Verifying the detached PGP signature of the tarball (Successful)
[root@localhost gpg_test]# gpg --verify nmap-4.76.tar.bz2.gpg.txt nmap-4.76.tar.bz2
gpg: Signature made Fri 12 Sep 2008 05:03:59 AM EDT using DSA key ID 6B9355D0
gpg: Good signature from "Nmap Project Signing Key (http://www.insecure.org/)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0

5. View a typical Nmap release digest file
[root@localhost gpg_test]# cat nmap-4.76.tar.bz2.digest.txt
nmap-4.76.tar.bz2: MD5 = 27 8D D2 E8 49 CC 3D BB 94 7D F9 61 A1 AA FF D0
nmap-4.76.tar.bz2: SHA1 = A711 4173 8B45 12B6 D5B3 5EF9 4258 E525 DF30 A586
nmap-4.76.tar.bz2: RMD160 = EC93 522E 05E7 233E 8950 B28A B12B 4535 5E63 C0C7
nmap-4.76.tar.bz2: SHA224 = 4DBB6532 F94D3EDE 6BF900FC 9325FAA4 ADE46765
0B44D56C A2B7E136
nmap-4.76.tar.bz2: SHA256 = 4E24328C A6EC97AF B2A8CAF3 12B1F111 A15CF417
63A5AC41 E7A633FD B217D66D
nmap-4.76.tar.bz2: SHA384 = 17B27C42 12664066 D7E32A44 8EDC7D84 04AC23A2
6F6AD443 BCEA9114 F9F9A422 BC32C857 AF7B300B
5E11EF53 47C91975
nmap-4.76.tar.bz2: SHA512 = B1E04ED7 521744C0 090E1A30 81ED524A 7B3B1287
2090B064 D80E325E 4C5D273F 76FAE899 B28ECDBF
6E300D19 203EBE1D FDE6F3CA BDEAB7E7 6FDCCBB4
6139167E

6. Verifying Nmap hashes using md5sum
[root@localhost gpg_test]# md5sum nmap-4.76.tar.bz2
278dd2e849cc3dbb947df961a1aaffd0 nmap-4.76.tar.bz2

7. Verifying Nmap hashes using sha1sum
[root@localhost gpg_test]# sha1sum nmap-4.76.tar.bz2
a71141738b4512b6d5b35ef94258e525df30a586 nmap-4.76.tar.bz2

8. Verifying Nmap hashes using gpg
[root@localhost gpg_test]# gpg --print-md sha1 nmap-4.76.tar.bz2
nmap-4.76.tar.bz2: A711 4173 8B45 12B6 D5B3 5EF9 4258 E525 DF30 A586
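
Steps 5 to 8 compare the digest file against md5sum/sha1sum output by eye, even though the digest file uses spaced upper-case hex and wraps long digests across lines. The script below is an added example, not part of the original post: it parses that layout and checks every published digest in one pass. The names parse_digest_file and verify are this example's own. A match only shows the download agrees with the digest file; the signature check in step 4 is what ties the tarball to the signing key.

```python
import hashlib
import os
import re
import sys

# Labels used in the digest file -> hashlib algorithm names.
ALGOS = {"MD5": "md5", "SHA1": "sha1", "RMD160": "ripemd160", "SHA224": "sha224",
         "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}
ENTRY = re.compile(r"^(.+?):\s+([A-Z0-9]+)\s+=\s+([0-9A-Fa-f ]+)$")
HEX_ONLY = re.compile(r"^[0-9A-Fa-f ]+$")

def parse_digest_file(text):
    """Return {(filename, LABEL): lowercase hex}, joining wrapped lines."""
    digests, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if entry:
            key = (entry.group(1), entry.group(2))
            digests[key] = entry.group(3).replace(" ", "").lower()
        elif key and HEX_ONLY.match(line):
            digests[key] += line.replace(" ", "").lower()  # continuation line
        else:
            key = None  # blank or unrelated line ends the current entry
    return digests

def verify(stream, filename, digests):
    """Return {LABEL: True/False}, or None where hashlib lacks the algorithm."""
    hashers, results = {}, {}
    for name, label in digests:
        if name == filename:
            try:
                hashers[label] = hashlib.new(ALGOS[label])
            except (KeyError, ValueError):
                results[label] = None  # not checked, e.g. ripemd160 missing
    for chunk in iter(lambda: stream.read(1 << 20), b""):  # read once, feed all
        for h in hashers.values():
            h.update(chunk)
    for label, h in hashers.items():
        results[label] = h.hexdigest() == digests[(filename, label)]
    return results

if __name__ == "__main__":  # usage: script.py DIGEST_FILE TARBALL
    with open(sys.argv[1]) as f:
        published = parse_digest_file(f.read())
    with open(sys.argv[2], "rb") as f:
        outcome = verify(f, os.path.basename(sys.argv[2]), published)
    print(outcome)
    sys.exit(0 if True in outcome.values() and False not in outcome.values() else 1)
```

A digest whose wrapped continuation line is missing comes out shorter than the computed value and is reported as a mismatch rather than silently accepted.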
