This blog post is a back-to-basics one. I have already covered downloading JMeter and checking its integrity with a SHA512 checksum in this demo. In this post, we are going to learn how to verify the download using its PGP signature, which checks not only that the file arrived intact but also who signed it.
What is PGP?
PGP stands for Pretty Good Privacy. It is a popular data encryption and decryption program that provides cryptographic privacy and authentication for data communication. PGP was created by Phil Zimmermann in 1991, and it is widely used for secure email communication and file encryption. The term PGP is often used loosely for OpenPGP, the open standard (RFC 4880) that grew out of PGP and that tools such as GnuPG (gpg) implement.
How it works, in plain terms
Think of PGP as a lock on a treasure box: only someone holding the matching key can open it. It makes sure that only the people you want to read your messages or see your files can do so. When you use PGP, you have a private key that only you know, and a public key that you share with others.
This way, people can send you messages and files that only you can read, and you can also show others that the messages and files you send are really from you.
How it works, in detail
PGP combines public-key cryptography (for exchanging keys and for signatures) with symmetric-key cryptography (for the bulk encryption of the data itself) to provide secure data communication and file encryption.
- Key pair generation: It generates two keys, a public key and a private key. You share your public key with others, while you keep your private key secret.
- Encryption: When someone wants to send you an encrypted message or file, they encrypt it with your public key (in practice, PGP encrypts the data with a fresh symmetric session key and encrypts that session key with your public key). The result can only be decrypted with your private key.
- Decryption: You use your private key to decrypt the encrypted message or file and read its contents.
- Signing: You can also use your private key to “sign” a message or file, to prove that it came from you. Anyone can use your public key to verify the signature and confirm that the message or file was indeed sent by you.
In short, PGP keeps messages and files confidential so that only the intended recipient can read them, and signing lets anyone check who produced them. GPG (GnuPG) is a free implementation of the same OpenPGP standard, so the encryption, decryption and signing steps are identical and the two names are used interchangeably in this post.
Focus on point four, the signing part. Signing in PGP works by using your private key to create a digital signature for a message or file. The signature is proof of authenticity: it shows that the message or file came from you and has not been altered since it was signed.
- Hash generation: A cryptographic hash (digest) of the message or file is computed. Any change to the contents, even a single byte, produces a different hash.
- Signing: Your private key is used to create a signature over that hash. (This is often described as "encrypting the hash with the private key", which is only literally true for RSA; for DSA or EdDSA keys it is a distinct signing operation.) The signature is either attached to the message or stored beside the file as a detached signature, which is what the .asc files on the JMeter download page are.
- Verification: The recipient recomputes the hash from the received message or file and uses your public key to check that the signature is valid for that hash.
- Validation: If the check passes, the content is authentic and has not been altered since it was signed, and the signature is considered valid. If the file was modified, or was signed with a different key, gpg reports a BAD signature instead (or cannot check it at all if it does not have the signer's public key).
In short, signing in PGP provides a way to verify the authenticity of a message or file by creating a digital signature with your private key that others can verify with your public key. Note what a valid signature does and does not prove: it proves which key signed the file, not that the key belongs to the person you think it does. Establishing that is what the KEYS file and the fingerprint check below are for.
JMeter GPG Keys
Now that we have the basics of GPG and how it works, let us look at the GPG keys used to sign JMeter releases.
- Head to https://jmeter.apache.org/download_jmeter.cgi
- Click on the KEYS link to view the official GPG keys.
The KEYS link lists the public keys of the JMeter developers who sign releases, along with their email IDs; there is no need to email them. Each entry contains the developer's public key block and the PGP version that produced it. Note that the KEYS file and the .asc signatures are served from downloads.apache.org, which the ASF controls, rather than from a download mirror; that is deliberate, because a mirror that can alter the tarball could otherwise alter the keys and signatures too.
Steps to check the integrity
The following are the prerequisites which are required to verify the integrity of any file, in this case JMeter.
- Download JMeter from the downloads page
- Import the official JMeter keys
In this example, I have used my Linux system to demonstrate.
Install gpg (GnuPG) using
sudo apt install gpg
Once it is installed, verify the installation with gpg --version, which prints the installed version.
The next step is to download the JMeter binary. Issue
wget https://dlcdn.apache.org//jmeter/binaries/apache-jmeter-5.5.tgz
in the terminal, which will download JMeter 5.5 into the current directory. dlcdn.apache.org is a download CDN, which is exactly why the file needs to be verified against a signature served by Apache itself.
To import the JMeter developers' public keys, issue the below command (the KEYS file is fetched from downloads.apache.org, not from the CDN).
wget https://downloads.apache.org/jmeter/KEYS -O - | gpg --import -
Once the keys are imported, the next step is to download the detached signature file, apache-jmeter-5.5.tgz.asc, from the link next to the binary on the JMeter downloads page, into the same directory as the tarball. You can click the link or fetch it with wget as you did for the tarball.
To see what you downloaded, cat the .asc file: it is a small ASCII-armored text block between -----BEGIN PGP SIGNATURE----- and -----END PGP SIGNATURE----- lines, not a copy of the tarball.
It is time to verify the signature. Issue the below command to validate the tarball against its detached signature.
gpg --verify apache-jmeter-5.5.tgz.asc apache-jmeter-5.5.tgz
You will see output reporting a Good signature from the developer who signed the release, followed by a WARNING that the key is not certified with a trusted signature, and the key's Primary key fingerprint. The warning does not mean the signature is bad: gpg has confirmed that the file matches the signature, but it has no way of knowing whether the key that made it really belongs to a JMeter release manager. Before going further, compare the printed fingerprint with the one listed for that developer in the KEYS file.
That is fine, and once the fingerprints match you can tell gpg to trust the key, which silences the warning. To edit the key, issue the below command.
gpg --edit-key <key_you_want_to_trust>
In https://downloads.apache.org/jmeter/KEYS, find the key that actually signed your download (the gpg --verify output names it) and put its ID into the above command, for example:
gpg --edit-key 0612B399
The 0612B399 key belongs to Milamber. Note that 0612B399 is a short key ID, only the last 32 bits of the fingerprint, and short IDs can be deliberately collided; if gpg reports an ambiguous key, or in any script, use the full 40-hex-digit fingerprint instead. Hit enter. You must pick the developer who actually signed the file and confirm the key against the KEYS file, not just any key in the list. gpg then drops you into its interactive key editor at a gpg> prompt.
Type trust and hit enter, then pick the trust level. To complete the trust, enter 5 (I trust ultimately), followed by y to confirm, and hit enter. Ultimate trust tells gpg to treat this key like one of your own, which is why the warning disappears; it also means gpg will believe any key that this key certifies, so only do it after the fingerprint check. Type quit to exit the key editor.
Now, if you verify the integrity again, the warning is gone and the output shows Good signature from the developer's key, tagged with the trust level you just set. If you want to see the key's fingerprint again, gpg --fingerprint 0612B399 prints it. A BAD signature, or a Good signature from a key that does not appear in the KEYS file, means the download must not be used.
It is vital to verify downloads in your CI/CD pipeline, using either the SHA512 sum or the PGP signature, for any software, not just JMeter. A checksum only proves the file arrived intact, and is only as trustworthy as the place you fetched the checksum from; a signature also proves which key produced the file. Always download from the official source, fetch the KEYS and .asc files from downloads.apache.org rather than a mirror, and verify the signer's primary key fingerprint against a second source before trusting it. Otherwise a rogue mirror or a tampered download can hand you a tarball with a backdoor, and nothing in your pipeline will notice.
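As a worked example of the whole flow, covering the hash, sign, verify and validate steps from the signing section as well as a non-interactive stand-in for the verify and trust steps above, here is an added script that is not part of the original post or of the JMeter project. It generates a throwaway key in an isolated GNUPGHOME to play the role of the release manager, signs a constructed stand-in for the tarball, and then runs the kind of check a pipeline should run: verify the detached signature and compare the signer's primary key fingerprint against a pinned value, instead of editing trust interactively. The key, the user ID rm@example.invalid, the file names and the all-zero "wrong" fingerprint are all made up for the demo; it assumes gpg 2.1 or later with gpg-agent available.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the JMeter project):
# sign a constructed file with a throwaway key, then verify it the way a
# CI job should, by pinning the signer's primary key fingerprint.
# Assumes gpg 2.1+ (quick-gen-key, --status-fd, ed25519).
set -eu

# Isolated keyring and scratch dir so nothing here touches ~/.gnupg.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
WORK=$(mktemp -d)
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# 1. Key pair generation: a demo "release manager" key standing in for one of
#    the keys in the real KEYS file. Ed25519, signing only, no passphrase.
DEMO_UID='Demo Release Manager <rm@example.invalid>'   # made-up identity
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$DEMO_UID" ed25519 sign never

# The 40-hex primary key fingerprint is what to pin. An 8-hex short ID such
# as 0612B399 is only the last 32 bits and can be collided on purpose.
DEMO_FPR=$(gpg --batch --with-colons --list-keys "$DEMO_UID" \
           | awk -F: '$1 == "fpr" { print $10; exit }')

# 2. Hash + sign: a constructed stand-in for apache-jmeter-5.5.tgz and its
#    detached, ASCII-armored signature (the .asc file the post downloads).
ARTIFACT="$WORK/apache-jmeter-demo.tgz"
printf 'constructed stand-in for a release tarball\n' > "$ARTIFACT"
gpg --batch --quiet --armor --detach-sign --local-user "$DEMO_UID" \
    --output "$ARTIFACT.asc" "$ARTIFACT"

# 3. + 4. Verify and validate, pipeline style.
#   - gpg exits non-zero when the recomputed hash does not match the signature.
#   - --status-fd 1 emits machine-readable lines; the last field of VALIDSIG is
#     the PRIMARY key fingerprint even when a subkey made the signature.
#   - Comparing it to a pinned value replaces the "not certified" warning and
#     the interactive "trust -> 5" steps: a good signature from the wrong key
#     is still a failure.
verify_release() {   # verify_release <artifact> <detached.asc> <expected-primary-fpr>
  local artifact="$1" sig="$2" expected="$3" status fpr
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null) || return 1
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $NF }')
  [ -n "$fpr" ] && [ "$fpr" = "$expected" ]
}

# Tampered copy: one extra byte changes the hash, so the signature no longer fits.
TAMPERED="$WORK/apache-jmeter-demo.tampered.tgz"
cp "$ARTIFACT" "$TAMPERED"
printf 'x' >> "$TAMPERED"

# Three outcomes a pipeline must distinguish.
WRONG_FPR=0000000000000000000000000000000000000000   # made-up "unexpected signer"
if verify_release "$ARTIFACT" "$ARTIFACT.asc" "$DEMO_FPR"; then
  echo "genuine file, pinned signer      : VERIFIED"
fi
verify_release "$TAMPERED" "$ARTIFACT.asc" "$DEMO_FPR" \
  || echo "tampered file                    : REJECTED"
verify_release "$ARTIFACT" "$ARTIFACT.asc" "$WRONG_FPR" \
  || echo "good signature, unexpected signer: REJECTED"

# Non-interactive equivalent of the post's edit-key "trust, 5, y, quit"
# (ownertrust value 6 = ultimate) for a workstation where you want the
# warning gone. Only after the fingerprint check, and not needed in a pipeline.
# printf '%s:6:\n' "$DEMO_FPR" | gpg --batch --import-ownertrust
```

In a real job, replace the generated key with `gpg --import` of the KEYS file fetched from downloads.apache.org, and replace DEMO_FPR with the release manager's fingerprint copied from that file and kept in the pipeline's configuration. The `2>/dev/null` only keeps the demo output tidy; in CI you will want gpg's stderr in the logs so that a BAD signature or a missing key is visible in the failure.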