(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog

Me, elsewhere

GitHub
parseword
Miscellaneous public code

snuze
A PHP API client for Reddit

Twitter
@parseword
I don't tweet much

XMPP chat
xmpp@shaunc.com
(Pidgin, Miranda, Swift, etc.)


Perfect is the enemy of good enough.

Verifying a BIND source tarball using cryptographic signatures

Posted April 12, 2017 by shaun
[permalink]

When downloading and compiling software, it's always a good idea to verify the integrity of the source files you obtain. Package handlers like yum and apt handle this automatically, but it must be done manually when you download software yourself.

ISC, the publisher of the BIND DNS server, provides cryptographic signatures with each release. If you have gpg installed, you can use the signature to validate your downloaded BIND tarball. ISC's download URLs follow a consistent naming pattern; simply change the version number in the URLs below to match the version you need.

Download the BIND source

[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.20/bind-9.11.20.tar.gz
  `bind-9.11.20.tar.gz' saved [8244703/8244703]

Download the associated signature file

[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.20/bind-9.11.20.tar.gz.sha256.asc
  `bind-9.11.20.tar.gz.sha256.asc' saved [833/833]

Download ISC's PGP signing key

This is the PGP public key ISC will use for signing in 2019 and 2020. Prior and future keys will appear here. 

[root@host /home/files]# wget https://ftp.isc.org/isc/pgpkeys/codesign2019.txt
  `codesign2019.txt' saved [16154/16154]

Import ISC's key to your gpg keyring

[root@host /home/files]# gpg --import codesign2019.txt
  gpg: key 4CBB3D38: public key "Internet Systems Consortium, Inc. 
       (Signing key, 2019-2020) <codesign@isc.org>" imported
  gpg: Total number processed: 1
  gpg:               imported: 1  (RSA: 1)
  gpg: no ultimately trusted keys found

Verify the tarball using the signature file

[root@host /home/files]# gpg --verify bind-9.11.20.tar.gz.sha256.asc bind-9.11.20.tar.gz
  gpg: Signature made Mon Jun 15 17:37:03 2020 CDT using RSA key ID 5DACE918
  gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2019-2020) <codesign@isc.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: AE3F AC79 6711 EC59 FC00  7AA4 74BB 6B9A 4CBB 3D38
       Subkey fingerprint: 95CE DA25 6B1C A0A1 5F30  2FB5 9521 A7ED 5DAC E918

The warning message displayed here can be safely ignored; it just means that you haven't personally marked ISC's key as trusted in your keyring. What you're looking for is the "Good signature" output, which is present here, indicating that the file you downloaded matches the one on the remote site.

Updated Jun 17, 2020 to reference BIND version 9.11.20.


Recent articles

📰 Caveat with Vantec SATA/IDE to USB 2.0 Adapter and Macrium software

📰 Jay Niffley, Man of Mystery

📰 Compiling Doxygen on FreeBSD without LaTeX and Ghostscript

📰 Introducing Snuze, a PHP client for the Reddit API

📰 jisusaiche: Java's installer telemetry

📰 BIND client log error "query_find: query_getdb failed"

📰 Resolving "The lang/perl5.24 port has been deleted: Has expired" portmaster error

📰 Armagaddon2 interim fix for Firefox 56 and other old versions

📰 Strange DNS queries: qname "miep", qtype ANY

📰 Undeliverable as addressed: A massive broken spam campaign?

📰 Using WITH_META_MODE and ccache for FreeBSD build boosts

📰 Resolving subversion error E000013: Unable to create pristine install stream

📰 Enhancements to SmokePing's AnotherDNS probe

📰 Generating vanity DNSSEC key tags

📰 DDoS involving forged packets from 23.225.141.70

▲ Back to top | Permalink to this page