Installing PuTTY 0.70 securely

Why is installing one piece of software this much trouble?

Security incident: the PuTTY backdoor, January 2012
This is something I (@胡争辉) experienced first-hand: over the Spring Festival a colleague went home, went to an internet café (heh), used the XX search engine (heh), the first result for PuTTY was a promoted ad (heh), and he downloaded it.
Security incident: backdoors in multiple Xshell versions, 15 August 2017
Apart from the official latest build 1326, versions 5.0.1322 and 5.0.1325 on the major domestic download sites have both been confirmed to contain the backdoor.
What does the backdoor do?
It steals the server usernames and passwords outright, after which the attacker can do whatever they like.

Visit the keys page to get the key download links

https://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html
Master Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/master-2015.asc
RSA, 4096-bit. Key ID: 4096R/04676F7C (long version: 4096R/AB585DC604676F7C).
Fingerprint: 440D E3B5 B7A1 CA85 B3CC 1718 AB58 5DC6 0467 6F7C
Release Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/release-2015.asc
RSA, 2048-bit. Key ID: 2048R/B43434E4 (long version: 2048R/9DFE2648B43434E4).
Fingerprint: 0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4
Secure Contact Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/contact-2016.asc
RSA, 2048-bit. Main key ID: 2048R/8A0AF00B (long version: 2048R/C4FCAAD08A0AF00B).
Encryption subkey ID: 2048R/50C2CF5C (long version: 2048R/9EB39CC150C2CF5C).
Fingerprint: 8A26 250E 763F E359 75F3 118F C4FC AAD0 8A0A F00B
Snapshot Key
https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/snapshot-2015.asc
RSA, 2048-bit. Key ID: 2048R/D15F7E8A (long version: 2048R/EEF20295D15F7E8A).
Fingerprint: 0A3B 0048 FE49 9B67 A234 FEB6 EEF2 0295 D15F 7E8A
These fingerprints will need to be checked later

Download the keys

Download the Master Key

$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/master-2015.asc

Download the Release Key

$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/release-2015.asc

Download the Secure Contact Key

$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/contact-2016.asc

Download the Snapshot Key

$ /usr/bin/wget https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/snapshot-2015.asc

Import the keys

Import the Master Key

$ /usr/bin/gpg --import master-2015.asc
gpg: 密钥 04676F7C:公钥“PuTTY Master Key <putty@projects.tartarus.org>”已导入
gpg: 合计被处理的数量:1
gpg:           已导入:1  (RSA: 1)
gpg: 没有找到任何绝对信任的密钥

Import the Release Key

$ /usr/bin/gpg --import release-2015.asc
gpg: 密钥 B43434E4:公钥“PuTTY Releases <putty@projects.tartarus.org>”已导入
gpg: 合计被处理的数量:1
gpg:           已导入:1  (RSA: 1)
gpg: 没有找到任何绝对信任的密钥

Import the Secure Contact Key

$ /usr/bin/gpg --import contact-2016.asc
gpg: 密钥 8A0AF00B:公钥“PuTTY Secure Contact <putty@projects.tartarus.org>”已导入
gpg: 合计被处理的数量:1
gpg:           已导入:1  (RSA: 1)
gpg: 没有找到任何绝对信任的密钥

Import the Snapshot Key

$ /usr/bin/gpg --import snapshot-2015.asc
gpg: 密钥 D15F7E8A:公钥“PuTTY Development Snapshots <putty@projects.tartarus.org>”已导入
gpg: 合计被处理的数量:1
gpg:           已导入:1  (RSA: 1)
gpg: 没有找到任何绝对信任的密钥

List the fingerprints

$ /usr/bin/gpg --fingerprint
pub   4096R/04676F7C 2015-08-31 [有效至:2018-08-30]
密钥指纹 = 440D E3B5 B7A1 CA85 B3CC  1718 AB58 5DC6 0467 6F7C
uid                  PuTTY Master Key <putty@projects.tartarus.org>

pub   2048R/B43434E4 2015-08-31 [有效至:2018-08-30]
密钥指纹 = 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4
uid                  PuTTY Releases <putty@projects.tartarus.org>

pub   2048R/8A0AF00B 2016-02-23 [有效至:2019-02-22]
密钥指纹 = 8A26 250E 763F E359 75F3  118F C4FC AAD0 8A0A F00B
uid                  PuTTY Secure Contact <putty@projects.tartarus.org>
sub   2048R/50C2CF5C 2016-02-23 [有效至:2019-02-22]

pub   2048R/D15F7E8A 2015-08-31 [有效至:2018-08-30]
密钥指纹 = 0A3B 0048 FE49 9B67 A234  FEB6 EEF2 0295 D15F 7E8A
uid                  PuTTY Development Snapshots <putty@projects.tartarus.org>
Compare these with the fingerprints recorded above. Compare the hex digits group by group: gpg prints a double space after the fifth group, so an exact string comparison against the keys page would fail even for a genuine key.

Visit the download page to get the download links

MSI (‘Windows Installer’)
64-bit:
https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi
64-bit: (signature)
https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi.gpg
Checksum files
MD5:
https://the.earth.li/~sgtatham/putty/latest/md5sums
MD5: (signature)
https://the.earth.li/~sgtatham/putty/latest/md5sums.gpg
SHA-1:
https://the.earth.li/~sgtatham/putty/latest/sha1sums
SHA-1: (signature)
https://the.earth.li/~sgtatham/putty/latest/sha1sums.gpg
SHA-256:
https://the.earth.li/~sgtatham/putty/latest/sha256sums
SHA-256: (signature)
https://the.earth.li/~sgtatham/putty/latest/sha256sums.gpg
SHA-512:
https://the.earth.li/~sgtatham/putty/latest/sha512sums
SHA-512: (signature)
https://the.earth.li/~sgtatham/putty/latest/sha512sums.gpg

Download the 64-bit installer

$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi

Download the 64-bit installer's signature

$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.70-installer.msi.gpg

Verify the installer file's signature

The warning below that the key is not certified with a trusted signature is normal for a key that has only been imported, not signed into your web of trust. What establishes authenticity is that the signature comes from the Release Key and that the primary key fingerprint on the last line matches the Release Key fingerprint from the keys page.

$ /usr/bin/gpg --verify putty-64bit-0.70-installer.msi.gpg putty-64bit-0.70-installer.msi
gpg:201707814:49:50 CST 创建的签名,使用 RSA,钥匙号 B43434E4
gpg: 完好的签名,来自于“PuTTY Releases <putty@projects.tartarus.org>”
gpg: 警告:这把密钥未经受信任的签名认证!
gpg:       没有证据表明这个签名属于它所声称的持有者。
主钥指纹: 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4

Download the checksum files and their signatures

$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/md5sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/md5sums.gpg
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha1sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha1sums.gpg
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha256sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha256sums.gpg
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha512sums
$ /usr/bin/wget https://the.earth.li/~sgtatham/putty/latest/sha512sums.gpg

Verify the signatures on the checksum files

Each one must again verify as a good signature from the Release Key (B43434E4).

$ /usr/bin/gpg --verify md5sums.gpg
gpg:201707814:49:53 CST 创建的签名,使用 RSA,钥匙号 B43434E4
gpg: 完好的签名,来自于“PuTTY Releases <putty@projects.tartarus.org>”
gpg: 警告:这把密钥未经受信任的签名认证!
gpg:       没有证据表明这个签名属于它所声称的持有者。
主钥指纹: 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4
$ /usr/bin/gpg --verify sha1sums.gpg
gpg:201707814:49:53 CST 创建的签名,使用 RSA,钥匙号 B43434E4
gpg: 完好的签名,来自于“PuTTY Releases <putty@projects.tartarus.org>”
gpg: 警告:这把密钥未经受信任的签名认证!
gpg:       没有证据表明这个签名属于它所声称的持有者。
主钥指纹: 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4
$ /usr/bin/gpg --verify sha256sums.gpg
gpg:201707814:49:53 CST 创建的签名,使用 RSA,钥匙号 B43434E4
gpg: 完好的签名,来自于“PuTTY Releases <putty@projects.tartarus.org>”
gpg: 警告:这把密钥未经受信任的签名认证!
gpg:       没有证据表明这个签名属于它所声称的持有者。
主钥指纹: 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4
$ /usr/bin/gpg --verify sha512sums.gpg
gpg:201707814:49:53 CST 创建的签名,使用 RSA,钥匙号 B43434E4
gpg: 完好的签名,来自于“PuTTY Releases <putty@projects.tartarus.org>”
gpg: 警告:这把密钥未经受信任的签名认证!
gpg:       没有证据表明这个签名属于它所声称的持有者。
主钥指纹: 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4

Verify the checksums

Search the checksum lists themselves, not their detached .gpg signatures: the .gpg files are binary signatures and never contain the hex digest, so grepping them finds nothing even when the installer is genuine. A successful match prints the line for w64/putty-64bit-0.70-installer.msi; an empty result means the digest does not match.

$ /usr/bin/grep -F "$(/usr/bin/md5sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}')" md5sums
$ /usr/bin/grep -F "$(/usr/bin/sha1sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}')" sha1sums
$ /usr/bin/grep -F "$(/usr/bin/sha256sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}')" sha256sums
$ /usr/bin/grep -F "$(/usr/bin/sha512sum putty-64bit-0.70-installer.msi | /usr/bin/awk '{print $1}')" sha512sums
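The two manual comparisons in this procedure, checking the listed fingerprints against `gpg --fingerprint` output and checking the downloaded installer against a signed checksum list, are easy to get wrong by eye (the double space in gpg's fingerprint output, a grep that silently matches nothing). The script below is an added example, not code from the original post or from the PuTTY project; it works offline on the `gpg --fingerprint` output shown above and on a constructed stand-in for the installer and its sha256sums list. The fingerprint values are the ones from the keys page; the sample installer bytes and second list entry are constructed.

```python
"""Added example (not from the original post): offline versions of the two
manual checks in the procedure above. Sample data below is constructed."""
import hashlib
import hmac
import re

# Fingerprints as published on the PuTTY keys page (copied from the text above).
EXPECTED_FINGERPRINTS = {
    "PuTTY Master Key": "440D E3B5 B7A1 CA85 B3CC 1718 AB58 5DC6 0467 6F7C",
    "PuTTY Releases": "0054 DDAA 8ADA 15D2 768A 6DE7 9DFE 2648 B434 34E4",
    "PuTTY Secure Contact": "8A26 250E 763F E359 75F3 118F C4FC AAD0 8A0A F00B",
    "PuTTY Development Snapshots": "0A3B 0048 FE49 9B67 A234 FEB6 EEF2 0295 D15F 7E8A",
}

def normalize_fingerprint(fpr):
    """Drop all whitespace and upper-case, so gpg's form (double space after
    the fifth group) compares equal to the form on the keys page."""
    return re.sub(r"\s+", "", fpr).upper()

# A line ending in ten groups of four hex digits is a fingerprint line, whatever
# label gpg puts in front of it ('Key fingerprint =', '密钥指纹 =' or none).
_FPR_LINE = re.compile(r"((?:[0-9A-Fa-f]{4}\s*){10})$")
_UID_LINE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?(.+?)\s*<")

def parse_gpg_fingerprints(gpg_output):
    """Map each uid name in `gpg --fingerprint` output to the fingerprint
    printed on the line(s) just before it."""
    found, pending = {}, None
    for line in gpg_output.splitlines():
        m = _FPR_LINE.search(line.strip())
        if m:
            pending = normalize_fingerprint(m.group(1))
            continue
        m = _UID_LINE.match(line)
        if m and pending:
            found[m.group(1)] = pending
            pending = None
    return found

def check_fingerprints(gpg_output, expected=EXPECTED_FINGERPRINTS):
    """{key name: bool}; a key missing from the keyring counts as a mismatch."""
    found = parse_gpg_fingerprints(gpg_output)
    return {name: found.get(name) == normalize_fingerprint(fpr)
            for name, fpr in expected.items()}

ALGO_BY_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def parse_sums_file(text):
    """Parse an md5sums/sha1sums/sha256sums/sha512sums list ('<hex>  <path>')
    into {basename: hex}. PuTTY's lists use paths such as
    w64/putty-64bit-0.70-installer.msi, so the key is the basename."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            digest, path = parts
            sums[path.lstrip("*").rsplit("/", 1)[-1]] = digest.lower()
    return sums

def check_file_against_sums(data, filename, sums_text):
    """True only if `filename` is listed and its digest matches (algorithm chosen
    by digest length). Unlike `grep <hash> sumsfile`, an unlisted file or a
    wrong digest is an explicit failure, not just an empty result."""
    expected = parse_sums_file(sums_text).get(filename)
    algo = ALGO_BY_DIGEST_LEN.get(len(expected or ""))
    if algo is None:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data: a stand-in for the installer and a sha256sums list
# in the same layout as the real one (the second entry is made up).
SAMPLE_INSTALLER = b"constructed stand-in for the PuTTY 0.70 MSI, not the real file\n"
SAMPLE_SHA256SUMS = (
    hashlib.sha256(SAMPLE_INSTALLER).hexdigest() + "  w64/putty-64bit-0.70-installer.msi\n"
    + hashlib.sha256(b"some other file").hexdigest() + "  w64/other-constructed-file.bin\n"
)
# The `gpg --fingerprint` output exactly as shown earlier on this page.
SAMPLE_GPG_FINGERPRINT_OUTPUT = """\
pub   4096R/04676F7C 2015-08-31 [有效至:2018-08-30]
密钥指纹 = 440D E3B5 B7A1 CA85 B3CC  1718 AB58 5DC6 0467 6F7C
uid                  PuTTY Master Key <putty@projects.tartarus.org>
pub   2048R/B43434E4 2015-08-31 [有效至:2018-08-30]
密钥指纹 = 0054 DDAA 8ADA 15D2 768A  6DE7 9DFE 2648 B434 34E4
uid                  PuTTY Releases <putty@projects.tartarus.org>
pub   2048R/8A0AF00B 2016-02-23 [有效至:2019-02-22]
密钥指纹 = 8A26 250E 763F E359 75F3  118F C4FC AAD0 8A0A F00B
uid                  PuTTY Secure Contact <putty@projects.tartarus.org>
sub   2048R/50C2CF5C 2016-02-23 [有效至:2019-02-22]
pub   2048R/D15F7E8A 2015-08-31 [有效至:2018-08-30]
密钥指纹 = 0A3B 0048 FE49 9B67 A234  FEB6 EEF2 0295 D15F 7E8A
uid                  PuTTY Development Snapshots <putty@projects.tartarus.org>
"""
```

To use it against a real download, feed `check_fingerprints` the text captured from `gpg --fingerprint` and `check_file_against_sums` the installer bytes, its basename and the contents of the checksum list whose signature you have already verified; treat any `False` as a reason not to install. Keying the checksum list by basename is deliberate, since the lists record the archive path (w64/...) while the download lands as a bare file name.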