29

At the moment, I'm trying to check the fingerprint of the oracle_vbox.asc key that I downloaded from http://www.virtualbox.org/wiki/Linux_Downloads: they provide the key and the fingerprint but no instructions for reviewing this information myself.

How do I show the fingerprint of the key I just downloaded?

apt-key finger oracle_vbox.asc shows the fingerprints of all trusted keys, which isn't what I want.

Braiam
Amanda

5 Answers

30

Get the key:

$ wget http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc

Print the key fingerprint with GPG version 1:

$ gpg --with-fingerprint oracle_vbox.asc 
pub  1024D/98AB5139 2010-05-18 Oracle Corporation
                      (VirtualBox archive signing key) <info@virtualbox.org>
      Key fingerprint = 7B0F AB3A 13B9 0743 5925  D9C9 5442 2A4B 98AB 5139
sub  2048g/281DDC4B 2010-05-18
      Key fingerprint = 27B0 97CF 8257 4209 C434  8D42 B674 8A65 281D DC4B

Note that the 2nd fingerprint is just the fingerprint of the sub-key.

Print the fingerprint with GPG version 2:

$ gpg2 -n -q --import --import-options import-show  oracle_vbox.asc   
pub   dsa1024 2010-05-18 [SC]
      7B0FAB3A13B907435925D9C954422A4B98AB5139
uid   Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub   elg2048 2010-05-18 [E]

Note that -n is an alias for --dry-run, i.e. the key isn't actually imported.

Alternatively, to just display the fingerprints:

$ gpg2 -nq --import --import-options import-show --with-colons oracle_vbox.asc \
     | awk -F: '$1 == "fpr" { print $10 }'
7B0FAB3A13B907435925D9C954422A4B98AB5139
27B097CF82574209C4348D42B6748A65281DDC4B
maxschlepzig
  • Is there an analogous command without using gpg? I mean, in SSH, I can do cat ./id_rsa.pub | awk '{print $2}' | base64 -d | md5sum and it will return me an MD5 hash which is equal to the fingerprint hash of ssh -lf ./id_rsa.pub. Is there a similar way to do it with GPG public keys? – user3019105 Sep 13 '15 at 09:16
  • 2
    @user3019105, no, there is not. The format of a PGP public key is a little bit more complicated. See RFC 4880 and the GPG source code for details. – maxschlepzig Sep 13 '15 at 09:58
  • The RFC says (about MD5 deprecated fingerprints): The fingerprint of a V3 key is formed by hashing the body (but not the two-octet length) of the MPIs that form the key material (public modulus n, followed by exponent e) with MD5., can't I get this MPIs' body given an ASCII Armor (Radix-64) public key file? – user3019105 Sep 13 '15 at 10:06
  • @user3019105, you can. You can duplicate what is already implemented in GPG. But such a command line would be quite more elaborate than the one you've posted for an ssh public key. Thus, it wouldn't be analogous. – maxschlepzig Sep 13 '15 at 10:13
  • Ok thanks, but I still need to find out how to get the body of the MPIs that form the key material the RFC talks about – user3019105 Sep 13 '15 at 10:19
  • 1
    Some explanatory comments and references could go a long way towards improving this answer (e.g. Exchanging keys - GnuPG). – nutty about natty Nov 28 '17 at 20:12
  • @nuttyaboutnatty, well, I think that it's pretty spot on as-is. The question is just about displaying the fingerprint of a key file, thus the answer is just about that, as well. Adding more would arguably add more noise to the signal, so to say. – maxschlepzig Nov 28 '17 at 21:22
  • 1
    This syntax does not work with GnuPG 2 anymore. It outputs: WARNING: no command supplied. Trying to guess what you mean .... Then, it lists the key without fingerprint. See my answer. – ominug Apr 22 '19 at 12:24
  • @ominug see my latest update for displaying the fingerprint with GPGv2 - without actually importing the key into a keyring. – maxschlepzig Apr 23 '19 at 10:28
9

Step 1

$ deb http://download.virtualbox.org/virtualbox/debian artful contrib

Step 2

$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -

Step 3

$ apt-key list

or, equivalently,

$ apt-key finger

which should return

/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2016-04-22 [SC]
      B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
uid           [ unknown] Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub   rsa4096 2016-04-22 [E]

which in turn should be equivalent to

The key fingerprint for oracle_vbox_2016.asc is

B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>

on https://www.virtualbox.org/wiki/Linux_Downloads, either by visual inspection or further command line fu.



2

Using gpg version 2.2.27

gpg --version

output

gpg (GnuPG) 2.2.27 libgcrypt 1.9.4

Download the current .asc file from https://www.virtualbox.org/wiki/Linux_Downloads as of this writing (2023-03-22):

wget https://www.virtualbox.org/download/oracle_vbox_2016.asc

The VirtualBox website currently states:

The key fingerprint for oracle_vbox_2016.asc is

B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>

The following commands all allow you to verify this information, each with different formatting:

gpg --show-keys --with-fingerprint --keyid-format=short oracle_vbox_2016.asc

Output:

pub   rsa4096/2980AECF 2016-04-22 [SC]
      Key fingerprint = B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
uid                    Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub   rsa4096/920E471F 2016-04-22 [E]

gpg --show-keys --with-fingerprint oracle_vbox_2016.asc

Output:

pub   rsa4096 2016-04-22 [SC]
      B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
uid                      Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub   rsa4096 2016-04-22 [E]

gpg --show-keys oracle_vbox_2016.asc

Output:

pub   rsa4096 2016-04-22 [SC]
      B9F8D658297AF3EFC18D5CDFA2F683C52980AECF
uid                      Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub   rsa4096 2016-04-22 [E]

gpg --show-keys --with-colons oracle_vbox_2016.asc

Output ("The --with-colons option emits the output in a stable, machine-parseable format, which is intended for use by scripts and other programs."):

pub:-:4096:1:A2F683C52980AECF:1461318881:::-:::scESC::::::23::0:
fpr:::::::::B9F8D658297AF3EFC18D5CDFA2F683C52980AECF:
uid:-::::1461318881::CA5D570DDFDB695A0301885765DD8E285368742C::Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>::::::::::0:
sub:-:4096:1:AD18C79D920E471F:1461318881::::::e::::::23:
fpr:::::::::31DD01EB8C64DF3D12E7BC97AD18C79D920E471F:
Abdull
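
An added example, not part of any answer on this page: filtering `--with-colons` output on `fpr` alone also prints subkey fingerprints, so this sh sketch keeps only the `fpr` record that follows a `pub` record and compares it with the published fingerprint after stripping spaces. The function names are hypothetical, and the sample listing is the colon output quoted in the answer above.

```shell
#!/bin/sh
# Added example (not from the answers). Function names are hypothetical.

# Constructed sample: the --with-colons listing quoted in the answer above.
sample_listing() {
cat <<'EOF'
pub:-:4096:1:A2F683C52980AECF:1461318881:::-:::scESC::::::23::0:
fpr:::::::::B9F8D658297AF3EFC18D5CDFA2F683C52980AECF:
uid:-::::1461318881::CA5D570DDFDB695A0301885765DD8E285368742C::Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>::::::::::0:
sub:-:4096:1:AD18C79D920E471F:1461318881::::::e::::::23:
fpr:::::::::31DD01EB8C64DF3D12E7BC97AD18C79D920E471F:
EOF
}

# Strip all whitespace and upper-case, so "B9F8 D658 ..." compares cleanly.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Read a colon listing on stdin; print only primary-key fingerprints
# (the fpr record that follows a pub record), skipping subkey fprs.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# check_fpr EXPECTED < listing
# 0 = match, 1 = mismatch, 2 = unusable input (EXPECTED is not 40 hex
# digits, or the listing holds zero or several primary keys).
check_fpr() {
    expected=$(normalize_fpr "$1")
    case $expected in *[!0-9A-F]*) return 2 ;; esac
    [ "${#expected}" -eq 40 ] || return 2
    actual=$(primary_fprs)
    count=$(printf '%s\n' "$actual" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 2
    [ "$actual" = "$expected" ]
}

# Real use: gpg --show-keys --with-colons oracle_vbox_2016.asc | check_fpr "<published fingerprint>"
if sample_listing | check_fpr "B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF"; then
    echo "fingerprint matches"
else
    echo "fingerprint does NOT match (status $?)"
fi
```

Status 2 is kept separate from a plain mismatch so that a file bundling more than one primary key is rejected rather than compared against whichever key happens to come first.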
1

This works with GPG 2 (at least I could check it with versions 2.1.18 and 2.2.12):

wget http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc
gpg_home=$(mktemp -d)
gpg --homedir "$gpg_home" --import oracle_vbox.asc
# gpg: keybox '/tmp/tmp.CHoWuJBy7N/pubring.kbx' created
# gpg: /tmp/tmp.CHoWuJBy7N/trustdb.gpg: trustdb created
# gpg: key 54422A4B98AB5139: public key "Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>" imported
# gpg: Total number processed: 1
# gpg:               imported: 1
gpg --homedir "$gpg_home" --list-keys
# /tmp/tmp.CHoWuJBy7N/pubring.kbx
# -------------------------------
# pub   dsa1024 2010-05-18 [SC]
#       7B0FAB3A13B907435925D9C954422A4B98AB5139
# uid           [ unknown] Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
# sub   elg2048 2010-05-18 [E]
# 

Source: https://unix.stackexchange.com/a/468889

ominug
0

You have both the key and the fingerprint? Run:

ssh-keygen -lf key.pub

against the key to get the fingerprint.

ssh-keygen reference: http://www.manpagez.com/man/1/ssh-keygen/

Eric Carvalho
mvario