The Software Signature Page

The goals of this page are to encourage software maintainers to publish verifiable signatures for released software and to build the web of trust among software maintainers and software users. Software listed here is believed to be unverifiable. That is, no PGP signature, MD5 hash or other similar check has been published by the software maintainer(s) for the software listed. While not foolproof, signatures can help guard against software tampering and can provide end users with some level of assurance that the software they have received is exactly what the software maintainer(s) expect them to have. If you are the maintainer for a critical piece of software that is listed here and feel that the listing here is in error or if you are an end user and you want a particular piece of software considered for listing here, please send an email, preferably PGP signed, to jtk@northwestern.edu.

Note: The editor of this page may elect not to list certain software here for a number of reasons. Some software maintainers may also choose never to publish verifiable signatures for their software, for valid reasons. In either case, this should not be construed to mean that any piece of software is inferior or preferable to another. This page says nothing about the quality of any software or the integrity of any software maintainer.

Unverifiable Software
Info for Software Maintainers
Info for Software Users
Software Sig Page End Notes

Unverifiable Software

Adobe Acrobat Reader (as of 2004-01-29)
Amanda (as of 2004-01-22)
Apple Software (as of 2004-01-29)
CDex (as of 2004-01-25)
cflowd (as of 2004-01-22)
ettercap (as of 2004-01-25)
Flex (as of 2004-01-21)
gPhoto (as of 2004-01-25)
IP Filter (as of 2004-01-22)
jabberd (as of 2004-01-25)
Microsoft Software (as of 2004-01-29)
Nagios (as of 2004-01-25)
ntop (as of 2007-05-18)
OpenCA (as of 2004-01-22)
RANCID (as of 2004-01-25)
tar (as of 2004-01-22)
Tcl/Tk (as of 2004-01-31)
UW IMAP (as of 2004-01-22)
Vim (as of 2004-01-22)
Zebra (as of 2004-01-21)

Info for Software Maintainers

The first rule for creating a reliable signature is to ensure that the software being signed is exactly what it should be, no more and no less. Development on a single-user machine with no listening network services, used for no other applications (e.g. web browsing, instant messaging, email), is preferred. MD5 signatures should be generated from the software before it leaves the protected master source, and published on a web page, on a mailing list and in a separate file alongside the software. PGP signing keys should be signed by others far and wide. The private key should be carefully guarded and never stored anywhere it could easily be stolen by intruders. The signing key ID should be published on the web page, on the mailing list and on multiple public keyservers. The PGP signature and the signing public key should be distributed along with the software, and the software documentation should encourage users to verify the software before installation and use.

Info for Software Users

Software maintainers may publish an MD5 or related hash signature, a PGP signature, or any combination of signatures. Some maintainers publish other kinds of signatures, but an MD5 hash and a PGP signature are by far the most common. To verify an MD5 or similar signature, you need an MD5 utility that can compute the MD5 hash of the software you downloaded. Many BSD-based systems include the md5 utility and Linux-based systems typically include the md5sum utility; both produce the MD5 hash of a file. If neither utility is installed on your system but you have the OpenSSL toolkit, you can compute the MD5 hash of a file by running openssl md5 [ filename ]. You can also obtain MD5 source code from the CERIAS tools/unix/crypto/md5 ftp directory.

You should obtain the MD5 signature for software from a different place than the one you received the software from. Typically MD5 signatures for software are published on a web page or a mailing list. If an attacker can tamper with a piece of software, the MD5 signature file that accompanies it can just as easily be altered to match the changed software. This threat is reduced when PGP signatures, which are much harder to forge, are properly used. Encourage your software maintainers to also make use of PGP signatures for added protection.
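As an added example (not code from this page or from any project it lists) of the MD5 check described above and of the maintainer-side publishing step in the previous section: a small Python tool that reads a published checksum file in either the md5sum "hash  filename" format or the "MD5(file)= hash" format of openssl md5, verifies downloaded files against it, and shows on a constructed sample release (the file name and contents are made up) why a checksum taken from the same place as the download proves little.

```python
import hashlib
import re

# "hash  filename" lines (md5sum, BSD md5 -r) and "MD5(file)= hash" (openssl md5).
MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")
OPENSSL_LINE = re.compile(r"^MD5\((.+)\)\s*=\s*([0-9a-fA-F]{32})$")

def parse_checksums(text):
    """Return {filename: md5_hex} from a published checksum file."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MD5SUM_LINE.match(line) or OPENSSL_LINE.match(line)
        if not m:
            raise ValueError("line %d is not a checksum line: %r" % (lineno, line))
        name, digest = (m.group(2), m.group(1)) if m.re is MD5SUM_LINE else (m.group(1), m.group(2))
        entries[name] = digest.lower()
    return entries

def make_checksum_file(files):
    """Maintainer side: md5sum-style lines for {filename: bytes}."""
    return "".join("%s  %s\n" % (hashlib.md5(data).hexdigest(), name)
                   for name, data in sorted(files.items()))

def verify(files, published_text):
    """User side: map each published filename to OK, FAILED or MISSING."""
    results = {}
    for name, digest in parse_checksums(published_text).items():
        if name not in files:
            results[name] = "MISSING"
        else:
            results[name] = "OK" if hashlib.md5(files[name]).hexdigest() == digest else "FAILED"
    return results

# Constructed sample release (not a real project): genuine bytes, a tampered copy, and the checksum file the maintainer published.
GENUINE = {"foo-1.0.tar.gz": b"genuine release bytes\n"}
TAMPERED = {"foo-1.0.tar.gz": b"genuine release bytes + backdoor\n"}
PUBLISHED = make_checksum_file(GENUINE)

def demo():
    """Why the checksum must come from somewhere other than the download site."""
    return {
        "genuine": verify(GENUINE, PUBLISHED)["foo-1.0.tar.gz"],
        "tampered": verify(TAMPERED, PUBLISHED)["foo-1.0.tar.gz"],
        # If the attacker also replaced the checksum file beside the tarball, the
        # hash matches; only a second source or a PGP signature exposes the swap.
        "tampered_and_resummed": verify(TAMPERED, make_checksum_file(TAMPERED))["foo-1.0.tar.gz"],
    }
```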

An accompanying PGP signature is the preferred method for verifying software. First, this requires a trusted system and a trusted implementation of PGP on the system doing the verification. Second, the proper public key used to sign the software must be obtained and used when validating the software. Software maintainers using PGP generally publish their public PGP keys on web pages, key servers or mailing lists. You must ensure you obtain the correct public key used to sign the software. It is preferable to verify the signing key in person and then import it into your personal key ring, but this is not always possible or practical. The signing key should be published in multiple places, and you should obtain it from somewhere other than where the software was obtained. If you have a strong web of trust you may have a trusted path to the signing key; otherwise you will have to trust that the key you've obtained is the proper one. To eliminate the need to blindly trust keys, you and software maintainers should build the web of trust by signing other people's keys. One of the best ways to build the web of trust quickly is by attending or organizing key signing parties, which often take place at user group meetings or technical conferences. Learn about key signing parties from V. Alex Brennen's GPG Keysigning Party HOWTO.

Some also argue that all source code should accompany distributed software, as a further means of verifying that the software maintains its integrity. This allows end users to rely on their own tools, such as compilers and linkers, to build the software properly. The paranoid may not want to rely on a maintainer's compiled code having been built as one would expect. If this is important to you, you may also want to encourage the maintainers of software you use to include everything necessary to build the software from scratch.

Software Sig Page End Notes

Mailman began publishing a PGP signature as of version 2.1.3!
flow-tools began publishing an MD5 signature as of 2004-11-03!
ngrep began publishing a PGP signature as of version 1.43!
Quagga began publishing a PGP signature as of version 0.97.5!
BASH began publishing a PGP signature as of version 3.0!
Bison began publishing a PGP signature as of version 2.0!
GnuCash began publishing a PGP signature as of version 2.0.0!
Gawk began publishing a PGP signature as of version 3.1.4!
GNU Binutils began publishing a PGP signature as of version 2.15!
GNU emacs began publishing a PGP signature as of version 21.4a!
GNU C Library began publishing a PGP signature as of version 2.3.3!
GNU Make began publishing a PGP signature as of version 3.81!
NTP began publishing an MD5 signature as of version 4.2.2!
gzip began publishing a PGP signature as of version 1.3.9!
grep began publishing a PGP signature as of version 2.5.1!