Using GnuPG to verify kernel signatures
All software released via kernel.org has detached PGP signatures you can
use to verify the integrity of your downloads.
To illustrate the verification process, let's use the Linux 4.6.6 release as
a walk-through example. First, use "curl" to download the release
and the corresponding detached signature:
$ curl -OL https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.6.6.tar.xz
$ curl -OL https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.6.6.tar.sign
You will notice that the signature is made against the uncompressed
version of the archive. This is done so there is only one signature
required for .gz and .xz compressed versions of the release. Start
by uncompressing the archive, using unxz in our case:
$ unxz linux-4.6.6.tar.xz
Now verify the .tar archive against the signature:
$ gpg2 --verify linux-4.6.6.tar.sign
You can combine these steps into a one-liner:
$ xz -cd linux-4.6.6.tar.xz | gpg2 --verify linux-4.6.6.tar.sign -
It's possible that you get a "No public key error":
gpg: Signature made Wed 10 Aug 2016 06:55:15 AM EDT using RSA key ID 38DBBDC86092693E
gpg: Can't check signature: No public key
Please use the "gpg2 --locate-keys" command listed above to download
the key for Greg Kroah-Hartman and Linus Torvalds and then try again:
$ gpg2 --locate-keys torvalds@kernel.org gregkh@kernel.org
$ gpg2 --verify linux-4.6.6.tar.sign
gpg: Signature made Wed 10 Aug 2016 06:55:15 AM EDT
gpg: using RSA key 38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman <gregkh@kernel.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
To make the "WARNING" message go away you can indicate that you
choose to trust that key using TOFU:
$ gpg2 --tofu-policy good 38DBBDC86092693E
$ gpg2 --trust-model tofu --verify linux-4.6.6.tar.sign
gpg: Signature made Wed 10 Aug 2016 06:55:15 AM EDT
gpg: using RSA key 38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman <gregkh@kernel.org>" [full]
gpg: gregkh@kernel.org: Verified 1 signature in the past 53 seconds. Encrypted 0 messages.
Note that you may have to pass "--trust-model tofu" the first time
you run the verify command, but it should not be necessary after that.
The scripted version
If you need to perform this task in an automated environment or simply
prefer a more convenient tool, you can use the following helper script
to properly download and verify Linux kernel tarballs:
Please review the script before adopting it for your needs.
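The following is an added example of what such a script looks like in practice; it is not the kernel.org helper script and does not download anything. It runs the same "xz -cd | gpg2 --verify" pipeline as the one-liner above, but makes its pass/fail decision from gpg's machine-readable status lines (--status-fd) rather than by grepping the human-readable output, and it requires that the signature come from a key whose primary fingerprint matches the fingerprint printed in the verification output above. The function names, the check_gpg_status parser and the sample status lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the kernel.org helper script: verify a kernel tarball
# from a script by reading gpg's "[GNUPG:] ..." status lines and pinning
# the expected signing key's primary fingerprint.

# Primary key fingerprint printed by gpg2 --verify in the walk-through above
# (Greg Kroah-Hartman's key), with the spaces removed.
GREGKH_FPR="647F28654894E3BD457199BE38DBBDC86092693E"

# gpg2 on most distributions; override with GPG=gpg if only "gpg" is installed.
GPG="${GPG:-gpg2}"

# check_gpg_status EXPECTED_FPR
# Reads gpg status lines on stdin. Returns 0 only if gpg reported a valid
# signature (VALIDSIG) made by a key whose primary fingerprint equals
# EXPECTED_FPR. Any BADSIG, ERRSIG, NO_PUBKEY, expired or revoked key, or a
# VALIDSIG from some other key, is a failure regardless of what else gpg said.
check_gpg_status() {
    expected="$1"
    matched=0
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                # VALIDSIG fields: <fpr> <date> <timestamp> <expiry> <sig-version>
                # <reserved> <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
                # shellcheck disable=SC2086
                set -- $rest
                primary="${10:-$1}"
                [ "$primary" = "$expected" ] && matched=1 ;;
        esac
    done
    [ "$matched" -eq 1 ]
}

# verify_kernel_tarball TARBALL.tar.xz SIGNATURE.tar.sign
# Same pipeline as the one-liner in the text, with the status lines sent to
# stdout (fd 1) and the human-readable chatter discarded on stderr.
verify_kernel_tarball() {
    xz -cd "$1" | "$GPG" --status-fd 1 --verify "$2" - 2>/dev/null \
        | check_gpg_status "$GREGKH_FPR"
}

# Usage: sh verify-kernel.sh linux-4.6.6.tar.xz linux-4.6.6.tar.sign
if [ "$#" -eq 2 ]; then
    if verify_kernel_tarball "$1" "$2"; then
        echo "OK: valid signature from key $GREGKH_FPR"
    else
        echo "FAIL: signature missing, bad, or from an unexpected key" >&2
        exit 1
    fi
fi
```

The fingerprint pin is the part that matters in automation: a "Good signature" line alone only says that some key in your keyring produced the signature, and TOFU trust only records which key you saw first, so the script compares the primary fingerprint gpg reports against the one you verified out of band.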