Desarrollo y Mantenimiento de Sistemas Informáticos

4º. 1er cuatrimestre. Itinerario de Sistemas de la Información. Grado en Ingeniería Informática. ULL


GH Org   - GH Template Org   - GitHub Classroom   - Discussions   - Teams   - Campus ULL   - Students Activity   - Chat   - Google Meet

GPG Verification: Ensuring Authenticity and Integrity

GPG verification refers to the process of using GPG (GNU Privacy Guard) to verify the authenticity and integrity of a file, message, or piece of code, ensuring it was created by a trusted source and has not been tampered with.

Key Concepts of GPG Verification

  1. GPG:
    • GPG is an encryption and signing tool that uses public-key cryptography.
    • It allows users to sign files or messages using a private key, and others can verify the authenticity using the corresponding public key.
  2. Signing:
    • When a person or developer signs a file (e.g., a Git commit or an email), they generate a digital signature using their private key.
    • This signature acts as a guarantee that the file or commit came from the rightful owner of the key and has not been altered.
  3. Verification:
    • To verify the authenticity of the signed file, the recipient uses the public key of the signer.
    • If the signature matches and the file hasn’t been modified, GPG will confirm the verification as valid.

GPG Verification in Different Contexts

1. Git Commits (GPG-signed commits)

Example:

   git commit -S -m "My signed commit"

To verify:

   git log --show-signature

2. GPG-Signed Emails

3. Software Distribution (Package Signing)

To verify the file:

   gpg --verify file.sig file.tar.gz

Why GPG Verification Matters

  1. Authenticity: It ensures that the file, commit, or message is from the correct, trusted source.
  2. Integrity: It verifies that the content has not been altered or tampered with.
  3. Security: It helps protect against attacks such as man-in-the-middle attacks or supply chain attacks, where malicious actors might try to inject bad code or content.

How GPG Verification Works

  1. Key Pair:
    • GPG uses a private key to sign messages or files and a corresponding public key to verify those signatures.
  2. Signing Process:
    • The signer uses their private key to create a signature for a file or message.
    • This signature is generated based on the content of the file and the private key, making it unique to both.
  3. Verification Process:
    • The verifier uses the signer’s public key to check the signature.
    • If the signature matches the file, GPG confirms that the file is authentic and hasn’t been altered.

Example: GPG Verification of a GitHub Commit

  1. A developer signs a commit using their GPG private key.
  2. Another user pulls the repository and wants to check the commit’s authenticity.
  3. The user runs git log --show-signature and sees the commit is signed by a trusted key.
    • If the signature is valid, it proves that the commit was made by the developer, not an impersonator.

Conclusion

GPG verification is a crucial method for ensuring trust, security, and integrity in digital communications, software distribution, and version control. It gives users confidence that the content they’re receiving or working with is authentic and hasn’t been compromised.