Apache HTTP Server 2.2.0 is the best available version
Apache 2.2.0 Released
The Apache HTTP Server Project is proud to announce the release of version 2.2.0 of the Apache HTTP Server ("Apache").
This version of Apache is a major release and the start of a new stable branch, and represents the best available version of Apache HTTP Server. New features include Smart Filtering, Improved Caching, AJP Proxy, Proxy Load Balancing, Graceful Shutdown support, Large File Support, the Event MPM, and refactored Authentication/Authorization.
http://httpd.apache.org/download.cgi
http://httpd.apache.org/download.cgi?Preferred=http%3A%2F%2Fwww.meisei-u.ac.jp%2Fmirror%2Fapache%2Fdist
For now, let's get what appears to be the latest version of apache (httpd).
$ ls -l | sed -e 1d
-rw------- 1 mm users 6224116 2月 26日 11:22 httpd-2.2.0.tar.gz
-rw-r--r-- 1 mm users 186 2月 26日 11:22 httpd-2.2.0.tar.gz.asc
-rw-r--r-- 1 mm users 53 2月 26日 11:22 httpd-2.2.0.tar.gz.md5
Integrity Check
Using gpg
$ gpg --verify httpd-2.2.0.tar.gz.asc
gpg: 2005年11月29日 17時22分08秒 JSTにDSA鍵ID 42721F00で施された署名
gpg: 署名を検査できません: 公開鍵が見つかりません
No good. Well then:
http://httpd.apache.org/dev/verification.html

Checking Signatures
/* Checking signatures */

The following example details how signature interaction works. In this example, you are already assumed to have downloaded httpd-2.0.44.tar.gz (the release) and httpd-2.0.44.tar.gz.asc (the detached signature).
/* Let's assume you have already got hold of them */

This example uses The GNU Privacy Guard. Any OpenPGP-compliant program should work successfully. First, we will check the detached signature (httpd-2.0.44.tar.gz.asc) against our release (httpd-2.0.44.tar.gz).
/* Let's check and verify this thing called the detached signature of the newly provided file */

% gpg httpd-2.0.44.tar.gz.asc
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Can't check signature: public key not found
/* The signature can't be checked: the public key was not found */

We don't have the release manager's public key (DE885DD3) in our local system. You now need to retrieve the public key from a key server. One popular server is pgpkeys.mit.edu (which has a web interface). The public key servers are linked together, so you should be able to connect to any key server.
/* Well then, let's get the public key from a key server */

% gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3
gpg: requesting key DE885DD3 from HKP keyserver pgpkeys.mit.edu
gpg: trustdb created
gpg: key DE885DD3: public key "Sander Striker <striker@apache.org>" imported
gpg: Total number processed: 1
gpg: imported: 1

In this example, you have now received a public key for an entity known as 'Sander Striker <striker@apache.org>' However, you have no way of verifying this key was created by the person known as Sander Striker. But, let's try to verify the release signature again.
/* Well then, let's check and verify the detached signature once more */

% gpg httpd-2.0.44.tar.gz.asc
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Good signature from "Sander Striker <striker@apache.org>"
gpg: aka "Sander Striker <striker@striker.nl>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Fingerprint: 4C1E ADAD B4EF 5007 579C 919C 6635 B6C0 DE88 5DD3
/* It says the signature is good, but it also says "trust???" */

At this point, the signature is good, but we don't trust this key. A good signature means that the file has not been tampered. However, due to the nature of public key cryptography, you need to additionally verify that key DE885DD3 was created by the real Sander Striker.

Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would succeed because the key was not the 'real' key. Therefore, you need to validate the authenticity of this key.
/* It seems there are all sorts of people in the world */

Validating Authenticity of a Key

You may download public keys for the Apache HTTP Server developers from our website or retrieve them off the public PGP keyservers (see above). However, importing these keys is not enough to verify the integrity of the signatures. If a release verifies as good, you need to validate that the key was created by an official representative of the Apache HTTP Server Project.

The crucial step to validation is to confirm the key fingerprint of the public key.
/* "The cross-shaped stage of legalization is to confirm the key fingerprint of the public key" */
/* What an incomprehensible way to put it. Frankly speaking, what am I supposed to do? */
/* I don't know anything about anybody's cross */

% gpg --fingerprint DE885DD3
pub 1024D/DE885DD3 2002-04-10 Sander Striker <striker@apache.org>
Key fingerprint = 4C1E ADAD B4EF 5007 579C 919C 6635 B6C0 DE88 5DD3
uid Sander Striker <striker@striker.nl>
sub 2048g/532D14CA 2002-04-10

A good start to validating a key is by face-to-face communication with multiple government-issued photo identification confirmations. However, each person is free to have their own standards for determining the authenticity of a key. Some people are satisfied by reading the key signature over a telephone (voice verification). For more information on determining what level of trust works best for you, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.
/* Sure, meeting in person would be best, but what do you actually do in practice? */

Most of the Apache HTTP Server developers have attempted to sign each others' keys (usually with face-to-face validation). Therefore, in order to enter the web of trust, you should only need to validate one person in our web of trust. (Hint: all of our developers' keys are in the KEYS file.)

For example, the following people have signed the public key for Sander Striker. If you verify any key on this list, you will have a trust path to the DE885DD3 key. If you verify a key that verifies one of the signatories for DE885DD3, then you will have a trust path. (So on, and so on.)

pub 1024D/DE885DD3 2002-04-10 Sander Striker <striker@apache.org>
sig E2226795 2002-05-01 Justin R. Erenkrantz
sig 3 DE885DD3 2002-04-10 Sander Striker
sig CD4DF205 2002-05-28 Wolfram Schlich
sig E005C9CB 2002-11-17 Greg Stein
sig CC8B0F7E 2002-11-18 Aaron Bannert
sig DFEAC4B9 2002-11-19 David N. Welton
sig 2 82AB7BD1 2002-11-17 Cliff Woolley
sig 2 13046155 2002-11-28 Thom May
sig 3 19311B00 2002-11-17 Chuck Murcko
sig 3 F894BE12 2002-11-17 Brian William Fitzpatrick
sig 3 5C1C3AD7 2002-11-18 David Reid
sig 3 E04F9A89 2002-11-18 Roy T. Fielding
sig 3 CC78C893 2002-11-19 Rich Bowen
sig 3 08C975E5 2002-11-21 Jim Jagielski
sig 3 F88341D9 2002-11-18 Lars Eilebrecht
sig 3 187BD68D 2002-11-21 Ben Hyde
sig 3 49A563D9 2002-11-23 Mark Cox
...more signatures redacted...

Since the developers are usually quite busy, you may not immediately find success in someone who is willing to meet face-to-face (they may not even respond to your emails because they are so busy!). If you do not have a developer nearby or have trouble locating a suitable person, please send an email to the address of the key you are attempting to verify. They may be able to find someone who will be willing to validate their key or arrange alternate mechanisms for validation.

Once you have entered the web of trust, you should see the following upon verifying the signature of a release.

% gpg httpd-2.0.44.tar.gz.asc
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Good signature from "Sander Striker <striker@apache.org>"
gpg: aka "Sander Striker <striker@striker.nl>"
Obtaining the public key
$ gpg --recv 42721F00
gpg: 鍵42721F00をhkpからサーバーsubkeys.pgp.netに要求
gpg: 鍵42721F00: 公開鍵“Paul Querna <chip@force-elite.com>”を読み込みました
gpg: 最小の「ある程度の信用」3、最小の「全面的信用」1、PGP信用モデル
gpg: 深さ: 0 有効性: 1 署名: 2 信用: 0-, 0q, 0n, 0m, 0f, 1u
gpg: 深さ: 1 有効性: 2 署名: 0 信用: 2-, 0q, 0n, 0m, 0f, 0u
gpg: 処理数の合計: 1
gpg: 読込み: 1
Verifying again
$ gpg --verify httpd-2.2.0.tar.gz.asc
gpg: 2005年11月29日 17時22分08秒 JSTにDSA鍵ID 42721F00で施された署名
gpg: “Paul Querna <chip@force-elite.com>”からの正しい署名
gpg: 別名“Paul Querna <chip@cyan.com>”
gpg: 別名“Paul Querna <chip@corelands.com>”
gpg: 別名“Paul Querna <pquerna@apache.org>”
gpg: 警告: この鍵は信用できる署名で証明されていません!
gpg: この署名が所有者のものかどうかの検証手段がありません。
主鍵の指紋: 39F6 691A 0ECF 0C50 E8BB 849C F788 75F6 4272 1F00
The key fingerprint is
$ gpg --fingerprint 42721F00
pub 1024D/42721F00 2004-01-17
指紋 = 39F6 691A 0ECF 0C50 E8BB 849C F788 75F6 4272 1F00
uid Paul Querna <chip@force-elite.com>
uid Paul Querna <chip@cyan.com>
uid Paul Querna <chip@corelands.com>
uid Paul Querna <pquerna@apache.org>
sub 2048g/7A2BE310 2004-01-17
After searching and searching
http://www.apache.org/dist/httpd/KEYS
pub 1024D/42721F00 2004-01-17 Paul Querna <chip@force-elite.com>
Key fingerprint = 39F6 691A 0ECF 0C50 E8BB 849C F788 75F6 4272 1F00
It seems to match, so
$ gpg --lsign-key 42721F00
pub 1024D/42721F00 作成: 2004-01-17 満了: 無期限 利用法: CS
信用: 未知の 有効性: 未知の
sub 2048g/7A2BE310 作成: 2004-01-17 満了: 無期限 利用法: E
[ unknown] (1). Paul Querna <chip@force-elite.com>
[ unknown] (2) Paul Querna <chip@cyan.com>
[ unknown] (3) Paul Querna <chip@corelands.com>
[ unknown] (4) Paul Querna <pquerna@apache.org>
pub 1024D/42721F00 作成: 2004-01-17 満了: 無期限 利用法: CS
信用: 未知の 有効性: 未知の
主鍵の指紋: 39F6 691A 0ECF 0C50 E8BB 849C F788 75F6 4272 1F00
Paul Querna <chip@force-elite.com>
Paul Querna <chip@cyan.com>
Paul Querna <chip@corelands.com>
Paul Querna <pquerna@apache.org>
本当にこの鍵にあなたの鍵“nyantarou (sumi-non non) <ntmail@nyanta.no-ip.info>”で署名してよいですか
(81674703)
署名は、書出し不可に設定されます。
本当に署名しますか? (y/N)
本当に署名しますか? (y/N) y
次のユーザーの秘密鍵のロックを解除するには
パスフレーズがいります:“nyantarou (sumi-non non) <ntmail@nyanta.no-ip.info>”
1024ビットDSA鍵, ID 81674703作成日付は2006-02-16
パスフレーズを入力:
パスフレーズがいります:“nyantarou (sumi-non non) <ntmail@nyanta.no-ip.info>”
1024ビットDSA鍵, ID 81674703作成日付は2006-02-16
Verifying yet again
$ gpg --verify httpd-2.2.0.tar.gz.asc
gpg: 2005年11月29日 17時22分08秒 JSTにDSA鍵ID 42721F00で施された署名
gpg: 信用データベースの検査
gpg: 最小の「ある程度の信用」3、最小の「全面的信用」1、PGP信用モデル
gpg: 深さ: 0 有効性: 1 署名: 3 信用: 0-, 0q, 0n, 0m, 0f, 1u
gpg: 深さ: 1 有効性: 3 署名: 0 信用: 3-, 0q, 0n, 0m, 0f, 0u
gpg: “Paul Querna <chip@force-elite.com>”からの正しい署名
gpg: 別名“Paul Querna <chip@cyan.com>”
gpg: 別名“Paul Querna <chip@corelands.com>”
gpg: 別名“Paul Querna <pquerna@apache.org>”
So that seems to be how it works.
$ gpg --verify httpd-2.2.0.tar.gz.asc httpd-2.2.0.tar.gz
gpg: 2005年11月29日 17時22分08秒 JSTにDSA鍵ID 42721F00で施された署名
gpg: “Paul Querna <chip@force-elite.com>”からの正しい署名
gpg: 別名“Paul Querna <chip@cyan.com>”
gpg: 別名“Paul Querna <chip@corelands.com>”
gpg: 別名“Paul Querna <pquerna@apache.org>”
From here:
http://www.apache.org/dist/httpd/KEYS
get KEYS
$ wc -l KEYS
3610 KEYS
$ cat -n KEYS | grep "Paul Querna"
3074 pub 1024D/42721F00 2004-01-17 Paul Querna <chip@force-elite.com>
$ bc -q
3610-3074
536
quit
$ tail -537 KEYS |head
pub 1024D/42721F00 2004-01-17 Paul Querna <chip@force-elite.com>
Key fingerprint = 39F6 691A 0ECF 0C50 E8BB 849C F788 75F6 4272 1F00
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.4 (Darwin)
.....
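The comparison done by eye above (the fingerprint gpg reports against the one listed in KEYS) can be scripted by reading gpg's --status-fd lines instead of its localized messages. This is an added example, not part of the original notes or of the Apache project; the function names are hypothetical and the sample status lines, including the second key, are constructed.

```shell
#!/bin/sh
# Fingerprint as listed for key 42721F00 in the KEYS file quoted on this page.
EXPECTED_FPR="39F6 691A 0ECF 0C50 E8BB 849C F788 75F6 4272 1F00"

# Strip whitespace and upper-case, so the spaced KEYS form matches gpg's form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# check_status STATUS_TEXT FINGERPRINT (hypothetical helper)
# Succeeds only if a VALIDSIG line names the pinned primary key and no line
# reports a bad signature or an expired or revoked key or signature.
check_status() {
    want=$(normalize_fpr "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # The last field of VALIDSIG is the primary key fingerprint.
        $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { exit !(ok && !bad) }'
}

# verify_release SIGFILE TARBALL: real use; needs gpg and the imported key.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    check_status "$status" "$EXPECTED_FPR"
}

# Constructed status output (not captured from a real gpg run).
SAMPLE_GOOD='[GNUPG:] GOODSIG F78875F642721F00 Paul Querna <chip@force-elite.com>
[GNUPG:] VALIDSIG 39F6691A0ECF0C50E8BB849CF78875F642721F00 2005-11-29 1133252528 0 3 0 17 2 00 39F6691A0ECF0C50E8BB849CF78875F642721F00'
# Same shape, but a different (made-up) key carrying the same user ID.
SAMPLE_OTHER='[GNUPG:] GOODSIG 0123456789ABCDEF Paul Querna <chip@force-elite.com>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2005-11-29 1133252528 0 3 0 17 2 00 00112233445566778899AABBCCDDEEFF01234567'
SAMPLE_BAD='[GNUPG:] BADSIG F78875F642721F00 Paul Querna <chip@force-elite.com>'

if check_status "$SAMPLE_GOOD" "$EXPECTED_FPR"; then echo "accept: pinned key"; fi
if ! check_status "$SAMPLE_OTHER" "$EXPECTED_FPR"; then echo "reject: other key"; fi
```

For the files on this page the call would be verify_release httpd-2.2.0.tar.gz.asc httpd-2.2.0.tar.gz, after importing the key as shown above.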
Respectfully, Nyantarou!
Created Sunday, 26 February 2006, 23:12:02 JST