How to verify the integrity of a linux tarball?


The tarballs of the Linux releases from https://www.kernel.org/ can be verified with .sign files. There's no information on how to verify the tarball on the website or in the README in the tarball.


The following is derived from the instructions "Linux kernel releases PGP signatures" on the kernel.org site, which say (in part): first (and only one time) install the public key like

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 6092693E

Then you can verify signatures like

$ xz -cd linux-3.1.5.tar.xz | gpg --verify linux-3.1.5.tar.sign -

with an expected output something like

gpg: Signature made Fri 09 Dec 2011 12:16:46 PM EST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman
     (Linux kernel stable release signing key) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E
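The WARNING in that output is the part worth acting on: gpg says the signature is valid, but nothing ties the key to Greg Kroah-Hartman except the fingerprint you compare by eye. The script below is an added example, not part of the answer or of kernel.org's instructions; it wraps the same `xz -cd ... | gpg --verify` pipeline with `--status-fd` and accepts the result only if the fingerprint in gpg's machine-readable VALIDSIG line matches the one printed in the answer. The function names, the file names and the SAMPLE_STATUS text are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the answer above): verify a kernel tarball against
# its detached .sign file and pin the signing key's fingerprint, so that a
# "Good signature" from some other key is still rejected. The function names,
# file names and the SAMPLE_STATUS text are constructed for illustration.

# Fingerprint of the stable release signing key, as printed in the answer's
# "Primary key fingerprint:" line, with the spaces removed.
PINNED_FPR="647F28654894E3BD457199BE38DBBDC86092693E"

# check_status STATUS_TEXT PINNED_FPR
# STATUS_TEXT is the machine-readable output of "gpg --status-fd". Returns 0
# only if no BADSIG line is present and a VALIDSIG line names the pinned
# fingerprint, either as the signing key (field 3) or as the primary key
# (last field). Pinning the fingerprint is what makes the WARNING in the
# answer's output ("key is not certified with a trusted signature") moot:
# trust is fixed here instead of delegated to the web of trust.
check_status() {
    status="$1"
    want="$2"
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        return 1
    fi
    printf '%s\n' "$status" | awk -v want="$want" '
        /^\[GNUPG:\] VALIDSIG / { if ($3 == want || $NF == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_tarball TARBALL.tar.xz TARBALL.tar.sign PINNED_FPR
# The .sign covers the uncompressed tar stream, so the tarball is decompressed
# and piped to gpg exactly as in the answer, with --status-fd 1 added so the
# result is checked by fingerprint rather than by reading "Good signature".
verify_tarball() {
    tarball="$1"
    sig="$2"
    want="$3"
    status=$(xz -cd "$tarball" | gpg --status-fd 1 --verify "$sig" - 2>/dev/null) || true
    check_status "$status" "$want"
}

# Constructed sample of what gpg --status-fd emits for the signature shown in
# the answer (the timestamp is a placeholder); used only for the demonstration.
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 38DBBDC86092693E Greg Kroah-Hartman (Linux kernel stable release signing key)
[GNUPG:] VALIDSIG 647F28654894E3BD457199BE38DBBDC86092693E 2011-12-09 1323450406 0 4 0 1 2 00 647F28654894E3BD457199BE38DBBDC86092693E
[GNUPG:] TRUST_UNDEFINED 0 pgp"

if check_status "$SAMPLE_STATUS" "$PINNED_FPR"; then
    echo "sample status: signature from pinned key"
else
    echo "sample status: REJECTED"
fi

# Real use (files assumed to be in the current directory):
#   verify_tarball linux-3.1.5.tar.xz linux-3.1.5.tar.sign "$PINNED_FPR" && echo OK
```

Note that `check_status` deliberately ignores the GOODSIG line's user ID: a key with the same name but a different fingerprint fails the check, which is the failure mode the visual comparison in the answer is meant to catch.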