How to verify the PGP signature of Sendmail
IMPORTANT NOTICE: If you download the sendmail distribution you MUST verify the PGP signature. Do NOT use sendmail without verifying the integrity of the source code.

The PGP signature is stored in a file ending with .sig.

First you have to get the current PGP signing keys, e.g., from your favorite PGP keyserver or from ftp.sendmail.org or one of its mirrors. Please check the PGP/GPG documentation about the web of trust.
- If the signature file has the ending .tar.gz.sig (sendmail 8.12.7 and later), then the signature applies to the .tar.gz file. To verify the signature you use
  - for gpg:
    gpg --verify sendmail.VERSION.tar.gz.sig sendmail.VERSION.tar.gz
  - for pgp:
    pgp sendmail.VERSION.tar.gz.sig sendmail.VERSION.tar.gz
  Note: instead of .gz it could also be .Z; just consistently replace all occurrences.
- If the signature file has the ending .tar.sig, then the signature applies to the .tar file. To verify the signature you use
  - for gpg:
    - if you have tar.gz:
      gunzip -c sendmail.VERSION.tar.gz | gpg --verify sendmail.VERSION.tar.sig -
    - if you have tar.Z:
      zcat sendmail.VERSION.tar.Z | gpg --verify sendmail.VERSION.tar.sig -
  - for pgp:
    - if you have tar.gz:
      gunzip sendmail.VERSION.tar.gz
      pgp sendmail.VERSION.tar.sig sendmail.VERSION.tar
    - if you have tar.Z:
      uncompress sendmail.VERSION.tar.Z
      pgp sendmail.VERSION.tar.sig sendmail.VERSION.tar
Notes:
- If you use PGP5 then you have to substitute pgp with pgpv.
- Another way to verify the integrity of the code is available by checking the MD5 sums if you can obtain them from a trusted source, e.g., a PGP signed mail.
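The two cases above (signature over the compressed archive versus signature over the uncompressed tar) as one script, written here as an added example that is not part of the sendmail documentation. It assumes gpg is installed and that the sendmail signing key has already been imported and checked against the web of trust; it then goes one step further than a bare "gpg --verify" by reading gpg's machine-readable status output and refusing the archive unless the signing key is actually trusted, since gpg exits 0 for a good signature from an untrusted key.

```shell
#!/bin/sh
# Added example, not from sendmail.org. Assumes gpg is installed and the
# sendmail signing key is imported and trusted via the web of trust.

# Print the command that verifies SIG against ARCHIVE, following the rules
# in the text; fail (return 2) when the two files do not belong together.
sendmail_verify_plan() {
    sig=$1 archive=$2
    base=${sig%.sig}              # the file the signature actually covers
    case $sig in
        *.tar.gz.sig|*.tar.Z.sig)  # signature over the compressed archive
            [ "$archive" = "$base" ] || return 2
            echo "gpg --verify $sig $archive" ;;
        *.tar.sig)                 # signature over the uncompressed tar
            case $archive in
                "$base.gz") echo "gunzip -c $archive | gpg --verify $sig -" ;;
                "$base.Z")  echo "zcat $archive | gpg --verify $sig -" ;;
                "$base")    echo "gpg --verify $sig $archive" ;;
                *)          return 2 ;;
            esac ;;
        *) return 2 ;;
    esac
}

# Read "gpg --status-fd" lines on stdin; succeed only for a valid signature
# (VALIDSIG) made by a key gpg rates fully or ultimately trusted.
signature_trusted() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1
    printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' || return 1
}

# Full check: build the pipeline, run gpg with status output on stdout, and
# accept the archive only if signature_trusted is satisfied.
sendmail_verify() {
    plan=$(sendmail_verify_plan "$1" "$2") || { echo "bad pair: $1 $2" >&2; return 2; }
    [ -f "$1" ] && [ -f "$2" ] || { echo "missing file" >&2; return 2; }
    plan=$(printf '%s' "$plan" | sed 's/gpg --verify/gpg --status-fd 1 --verify/')
    if sh -c "$plan" | signature_trusted; then
        echo "OK: $1 verifies $2 with a trusted key"
    else
        echo "REJECT: do not unpack $2" >&2; return 1
    fi
}
```

Usage: sendmail_verify sendmail.VERSION.tar.sig sendmail.VERSION.tar.gz (exit 0 only when the archive may be unpacked).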