(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog



Verifying a BIND source tarball using cryptographic signatures

Posted April 12, 2017 by shaun

When downloading and compiling software, it's always a good idea to verify the integrity of the source files you obtain. Package managers like yum and apt handle this automatically, but it must be done manually when you download software yourself.

ISC, the publisher of the BIND DNS server, provides cryptographic signatures with each release. If you have gpg installed, you can use the signature to validate your downloaded BIND tarball. ISC's download URLs follow a consistent naming pattern; simply change the version number in the URLs below to match the version you need.

Download the BIND source

[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.29/bind-9.11.29.tar.gz
  `bind-9.11.29.tar.gz' saved [8297010/8297010]

Download the associated signature file

[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.29/bind-9.11.29.tar.gz.sha256.asc
  `bind-9.11.29.tar.gz.sha256.asc' saved [833/833]

Download ISC's PGP signing key

This is the PGP public key ISC will use for signing in 2021 and 2022. Prior and future keys will appear here.

[root@host /home/files]# wget https://ftp.isc.org/isc/pgpkeys/codesign2021.txt
  `codesign2021.txt' saved [34304/34304]

Import ISC's key to your gpg keyring

[root@host /home/files]# gpg --import codesign2021.txt
  gpg: key 723E4012: public key "Internet Systems Consortium, Inc. 
       (Signing key, 2021-2022) <codesign@isc.org>" imported
  gpg: Total number processed: 1
  gpg:               imported: 1  (RSA: 1)
  gpg: no ultimately trusted keys found

Verify the tarball using the signature file

[root@host /home/files]# gpg --verify bind-9.11.29.tar.gz.sha256.asc bind-9.11.29.tar.gz
  gpg: Signature made Tue Mar 16 14:05:10 2021 CDT using RSA key ID 5970811F
  gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2021-2022) <codesign@isc.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 7E1C 91AC 8030 A5A5 9D1E  FAB9 750F 3C87 723E 4012
       Subkey fingerprint: 2455 774D 42FD FE6B 9C38  3EB8 FE10 02BC 5970 811F

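The warning message displayed here just means that you haven't personally marked ISC's key as trusted in your keyring; it does not indicate a problem with the signature itself. What you're looking for is the "Good signature" output, which is present here, indicating that the file you downloaded matches the one that was signed with the key you imported. Because that key was fetched from the same server as the tarball, the check is strongest when you also compare the primary key fingerprint in the output against a copy of the fingerprint obtained from a source you trust independently of the download server.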
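The same verification as a script, added here as an example and not part of the original post: rather than reading the "Good signature" text by eye, it parses gpg's machine-readable `--status-fd` output and pins the primary key fingerprint shown above. The function names, the throwaway keyring and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Usage: sh this-script SIGFILE TARBALL KEYFILE

# Primary key fingerprint as printed by gpg in this post (spaces removed).
ISC_FPR=7E1C91AC8030A5A59D1EFAB9750F3C87723E4012

# Constructed sample of `gpg --status-fd 1 --verify` output, for reference.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FE1002BC5970811F Internet Systems Consortium, Inc. (Signing key, 2021-2022) <codesign@isc.org>
[GNUPG:] VALIDSIG 2455774D42FDFE6B9C383EB8FE1002BC5970811F 2021-03-16 1615921510 0 4 0 1 8 00 7E1C91AC8030A5A59D1EFAB9750F3C87723E4012'

# check_status EXPECTED_FPR (hypothetical helper)
# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG line names
# EXPECTED_FPR as the primary key and no failure status was reported.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # bad, unverifiable or expired signature; expired or revoked key
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, the last field is the primary key
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_tarball SIGFILE TARBALL KEYFILE (hypothetical helper)
# Imports KEYFILE into a throwaway keyring so that no other key already on
# your own keyring can satisfy the check.
verify_tarball() {
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$3" 2>/dev/null &&
    gpg --homedir "$tmp" --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$ISC_FPR"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Run only when called with the three file arguments.
if [ "$#" -eq 3 ]; then
    if verify_tarball "$@"; then
        echo "OK: valid signature, primary key $ISC_FPR"
    else
        echo "FAILED: signature invalid or not made by the pinned key" >&2
        exit 1
    fi
fi
```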


Updated Mar 18, 2021 to reference BIND version 9.11.29.


