BIND DNS Server on a Local Network:  Part 4

Downloading and Authenticating BIND

posted: 2020-07-17 | updated: 2020-08-15

Step 2: Download BIND 9, the Signature File, and ISC’s OpenPGP key

  1. Download The BIND 9 zip file

    Go to isc.org/downloads/. Expand the BIND 9 section and click the Download button for the current stable version of BIND 9. In the resulting popup window, click the download link for the Windows version (BIND9.16.1.x64.zip, the 64-bit Windows build, at the time of writing). Save the file in a convenient location such as:

    C:\Downloads\BIND9\BIND9.16.1.x64.zip
  2. Get the ASC signature file

    While you’re there, get the ASC signature file. Select a signature file and click its link—I’m using the SHA512 signature in this example. Save the file as:

    C:\Downloads\BIND9\BIND9.16.1.x64.zip.sha512.asc

    Press Enter.

  3. Get ISC’s OpenPGP key

    Go to the OpenPGP Key page: https://isc.org/pgpkey/. Clicking the Current ISC Code Signing Key 2019 – 2020 (codesign@isc.org) link, the current code signing key at the time of writing, opens a page displaying the code signing key (public key). Copy the entire PGP PUBLIC KEY BLOCK and paste it into a new text file and save it as:

    C:\Downloads\BIND9\ISC_Code_Signing_Key_2019-2020.key

Step 3: Verify the authenticity and integrity of the BIND Zip File with GnuPG

You’d be forgiven for concluding that the process of verifying the authenticity and integrity of a digitally signed file is more akin to a pyramid scheme than a web of trust (I kid). Maybe we could borrow from the X-Files:

I want to believe—but I’m not sure how this stuff works.

Trust No 1—except you kind of have to otherwise this web of trust thing doesn’t work.

The Truth is Out There—yes, but where?

In other words, the verification process can be a bit mind boggling. Deep breath. Here goes…

  1. Import the ISC public key into the GnuPG key ring

    1. Change to your BIND9 download directory

      At the command prompt, type:

      C:\>cd C:\Downloads\BIND9

      Press Enter.

    2. Import the ISC public key

      At the command prompt, type:

      C:\>gpg --import ISC_Code_Signing_Key_2019-2020.key

      Press Enter.

      GPG responds with something like this:

      C:\Downloads\BIND9>gpg --import ISC_Code_Signing_Key_2019-2020.key
      gpg: key 74BB6B9A4CBB3D38: 3 signatures not checked due to missing keys
      gpg: key 74BB6B9A4CBB3D38: public key "Internet Systems Consortium, Inc.
      (Signing key, 2019-2020) <codesign@isc.org>" imported
      gpg: Total number processed: 1
      gpg:               imported: 1
      gpg: no ultimately trusted keys found
    3. Signatures not checked due to missing keys

      I was curious about why three signatures were not checked due to missing keys. Here’s the scoop: The ISC 2019-2020 code signing key has been signed with three public keys whose owners certify the ISC public key to be trustworthy—part of the web of trust. Had I found and imported these three keys into my GnuPG public key ring before importing ISC’s 2019-2020 public key, the following message would not have shown up:

      gpg: key 74BB6B9A4CBB3D38: 3 signatures not checked due to missing keys

      If you want to give this a try, you’ll need to get the signing keys from a public key server and import them. Here’s how:

      1. Get the fingerprint from the ISC public key file:

        At the command prompt, with C:\Downloads\BIND9 as the current folder, type:

        C:\>gpg ISC_Code_Signing_Key_2019-2020.key

        Press Enter.

        GnuPG responds with, amongst other things, the public key fingerprint:

        AE3FAC796711EC59FC007AA474BB6B9A4CBB3D38

        Displaying the ISC public key fingerprint at the command prompt
      2. Get the missing keys

        • Go to keys.gnupg.net
        • Click Advanced Options
        • Check the OpenPGP Fingerprint check box, and select the Get verbose index of matching keys radio button

        • Enter the public key fingerprint, preceded by 0x, into the search box:

          0xAE3FAC796711EC59FC007AA474BB6B9A4CBB3D38

          You can also use the key ID which is the lower 16 Hex digits of the fingerprint:

          0x74BB6B9A4CBB3D38
        • Click the Search Key button

          OpenPGP Keyserver search box with advanced options

          To display the keys used to sign the ISC public key, click their links (the eight-digit hex number) under the keyID heading. Save each public key as a text file and import them into your GnuPG key ring.

          OpenPGP Keyserver search results displaying information about public keys

          With those keys in your key ring, importing the ISC public key will no longer produce the message “3 signatures not checked due to missing keys.”

          Note that there is a fourth public key listed, but adding it to your public key ring seems to make no difference—another mystery.

    4. No ultimately trusted keys found

      What? I’ll defer until we get to the actual Authentication bit in Step 2 below.

  2. Authenticate the file

    At the command prompt, with C:\Downloads\BIND9 as the current path, type:

    C:\>gpg --verify BIND9.16.1.x64.zip.sha512.asc BIND9.16.1.x64.zip

    Press Enter.

    GPG responds with:

    gpg: Signature made 03/13/20 04:31:31 Pacific Daylight Time
    gpg:                using RSA key 156890685EA0DF6A1371EF2017CC5DB1F0088407
    gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2019-2020) <codesign@isc.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: AE3F AC79 6711 EC59 FC00  7AA4 74BB 6B9A 4CBB 3D38
         Subkey fingerprint: 1568 9068 5EA0 DF6A 1371  EF20 17CC 5DB1 F008 8407

    While the line:

    Good signature from "Internet Systems Consortium, Inc. (Signing key, 2019-2020) <codesign@isc.org>" [unknown]

    makes me feel all warm and fuzzy (except for the [unknown] part), the good vibes quickly evaporate:

    gpg: WARNING: This key is not certified with a trusted signature!
         There is no indication that the signature belongs to the owner.

    Well, that’s a bit disconcerting. Here’s what ISC has to say about it:

    “If you are confident that you have the correct codesign@isc.org public key, the important part to check for is the part saying that a good signature was made using that key.”

    See the complete statement here: kb.isc.org/docs/aa-01225
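    ISC’s point is that the “not certified” warning is expected when you haven’t certified the key yourself; what actually matters is a good signature from the key whose fingerprint you checked out of band in Step 3.1. Here is an added example (my code, not ISC’s or the post’s) that makes that decision in a script: it reads GnuPG’s machine-readable `--status-fd` lines from `gpg --verify` and accepts only a good signature whose primary-key fingerprint matches a pinned value. It assumes `gpg` is on the PATH for `run_gpg_verify()`; the parser and check run offline on a constructed sample.

```python
"""Accept a gpg --verify result only when the signer's primary fingerprint matches a
pinned value, instead of eyeballing the human-readable output (added example)."""
import subprocess

# Primary-key fingerprint this page shows for the ISC 2019-2020 code signing key.
# Pin it from a source independent of the download site (e.g. isc.org/pgpkey/).
PINNED_FPR = "AE3FAC796711EC59FC007AA474BB6B9A4CBB3D38"

# Constructed --status-fd output mirroring the page's verify run (not captured from gpg).
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 17CC5DB1F0088407 Internet Systems Consortium, Inc. (Signing key, 2019-2020) <codesign@isc.org>
[GNUPG:] VALIDSIG 156890685EA0DF6A1371EF2017CC5DB1F0088407 2020-03-13 1584099091 0 4 0 1 10 00 AE3FAC796711EC59FC007AA474BB6B9A4CBB3D38
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

def run_gpg_verify(sig_path, data_path):
    """Run gpg --verify with machine-readable status lines sent to stdout."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return proc.stdout

def parse_status(status_text):
    """Pull the verdict and fingerprints out of [GNUPG:] status lines."""
    info = {"good": False, "bad": False, "subkey_fpr": None, "primary_fpr": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            info["good"] = True
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            info["bad"] = True
        elif tag == "VALIDSIG":
            # VALIDSIG <signing-key fpr> <date> <timestamp> ... <primary-key fpr>
            info["subkey_fpr"] = fields[2]
            info["primary_fpr"] = fields[-1]
    return info

def check_signature(status_text, pinned_fpr=PINNED_FPR):
    """Return (accepted, reason). gpg's 'not certified' warning is beside the point:
    the pinned primary fingerprint replaces web-of-trust certification."""
    info = parse_status(status_text)
    if info["bad"] or not info["good"]:
        return False, "no good signature"
    want = pinned_fpr.replace(" ", "").upper()
    if info["primary_fpr"] is None or info["primary_fpr"].upper() != want:
        return False, "signed by a key whose primary fingerprint is not the pinned one"
    return True, "good signature from pinned key"
```

    Run it for real with `check_signature(run_gpg_verify("BIND9.16.1.x64.zip.sha512.asc", "BIND9.16.1.x64.zip"))`; a GOODSIG from any other key, or a BADSIG, is rejected regardless of what the human-readable lines say.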
