The Linux Kernel Archives

Using GnuPG to verify kernel signatures

All software released via kernel.org has detached PGP signatures you can use to verify the integrity of your downloads.

To illustrate the verification process, let's use the Linux 4.6.6 release as a walk-through example. First, use "curl" to download the release and the corresponding signature:

$ curl -OL https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.6.6.tar.xz
$ curl -OL https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.6.6.tar.sign

You will notice that the signature is made against the uncompressed version of the archive. This is done so there is only one signature required for the .gz and .xz compressed versions of the release. Start by uncompressing the archive, using unxz in our case:

$ unxz linux-4.6.6.tar.xz

Now verify the .tar archive against the signature:

$ gpg2 --verify linux-4.6.6.tar.sign

You can combine these steps into a one-liner:

$ xz -cd linux-4.6.6.tar.xz | gpg2 --verify linux-4.6.6.tar.sign -

It's possible that you get a "No public key" error:

gpg: Signature made Wed 10 Aug 2016 06:55:15 AM EDT using RSA key ID 38DBBDC86092693E
gpg: Can't check signature: No public key

Use the "gpg2 --locate-keys" command to download the keys for Greg Kroah-Hartman and Linus Torvalds, and then try again:

$ gpg2 --locate-keys torvalds@kernel.org gregkh@kernel.org
$ gpg2 --verify linux-4.6.6.tar.sign
gpg: Signature made Wed 10 Aug 2016 06:55:15 AM EDT
gpg: using RSA key 38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman <gregkh@kernel.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E

To make the "WARNING" message go away you can indicate that you choose to trust that key using TOFU:

$ gpg2 --tofu-policy good 38DBBDC86092693E
$ gpg2 --trust-model tofu --verify linux-4.6.6.tar.sign
gpg: Signature made Wed 10 Aug 2016 06:55:15 AM EDT
gpg: using RSA key 38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman <gregkh@kernel.org>" [full]
gpg: gregkh@kernel.org: Verified 1 signature in the past 53 seconds. Encrypted 0 messages.

Note that you may have to pass "--trust-model tofu" the first time you run the verify command, but it should not be necessary after that.

The scripted version

If you need to perform this task in an automated environment or simply prefer a more convenient tool, you can use the following helper script to properly download and verify Linux kernel tarballs:

Please review the script before adopting it for your needs.
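As an added example (not kernel.org's helper script), the check an automated pipeline should make instead of grepping for "Good signature": read GnuPG's machine-readable --status-fd lines and accept the tarball only when the VALIDSIG primary key fingerprint matches the fingerprint printed in the walk-through above. The sample status output is constructed to mirror the two gpg runs shown on this page; the xz/gpg2 pipeline function mirrors the one-liner above.

```python
"""Pinned-key verification of a kernel.org tarball signature (added example)."""
import subprocess

# Fingerprint gpg printed in the walk-through above; spaces are ignored.
TRUSTED_FINGERPRINTS = {"647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E"}

def evaluate_status(status_text, trusted=TRUSTED_FINGERPRINTS):
    """Judge gpg --status-fd lines ('[GNUPG:] KEYWORD args'); return (ok, reason, fpr)."""
    seen = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            seen[fields[1]] = fields[2:]
    if "NO_PUBKEY" in seen:  # the "Can't check signature" case shown above
        return (False, "no public key %s; run gpg2 --locate-keys" % seen["NO_PUBKEY"][0], "")
    for bad in ("BADSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG"):
        if bad in seen:
            return (False, "gpg reported " + bad, "")
    if "GOODSIG" not in seen or "VALIDSIG" not in seen:
        return (False, "no GOODSIG/VALIDSIG in status output", "")
    fpr = seen["VALIDSIG"][-1].upper()  # last VALIDSIG field: primary key fingerprint
    pinned = {f.replace(" ", "").upper() for f in trusted}
    if fpr not in pinned:
        return (False, "signed by a key that is not pinned", fpr)
    # TRUST_UNDEFINED (the [unknown] warning) no longer matters: trust comes from the pin.
    return (True, "good signature from pinned key", fpr)

def verify_xz_tarball(tarball_xz, signature, gpg="gpg2"):
    """The page's one-liner, xz -cd ... | gpg2 --verify sig -, with status lines captured."""
    xz = subprocess.Popen(["xz", "-cd", tarball_xz], stdout=subprocess.PIPE)
    proc = subprocess.run([gpg, "--status-fd", "1", "--verify", signature, "-"],
                          stdin=xz.stdout, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, text=True)
    xz.stdout.close()
    xz.wait()
    return evaluate_status(proc.stdout)

# Constructed status output modelled on the two gpg runs shown above (not captured).
SAMPLE_GOOD = """[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman <gregkh@kernel.org>
[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2016-08-10 1470826515 0 4 0 1 8 00 647F28654894E3BD457199BE38DBBDC86092693E
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_NO_KEY = """[GNUPG:] ERRSIG 38DBBDC86092693E 1 8 00 1470826515 9 647F28654894E3BD457199BE38DBBDC86092693E
[GNUPG:] NO_PUBKEY 38DBBDC86092693E
"""
```

Running verify_xz_tarball("linux-4.6.6.tar.xz", "linux-4.6.6.tar.sign") on the downloaded files returns the same tuple shape, so a build job can fail on anything but (True, ..., pinned fingerprint).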
