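Verifying Suricata Source Distribution Files
============================================

After downloading a Suricata release file, you should verify its PGP signature. This can be done with the GPG tool, which is usually preinstalled on Linux/BSD systems and needs no additional installation. Installation packages for Mac or Windows systems are available at ``_.

Verification Steps
------------------

The following are general verification instructions; the exact commands may vary by operating system.

Download the Signature File
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Both the signature file and the release file must be downloaded. Both are available at ``_.

Import the OISF Signing Key
~~~~~~~~~~~~~~~~~~~~~~~~~~~

After obtaining the signature file and the Suricata release file, import the OISF signing key into the local gpg keyring. Run the following command to import it::

    $ gpg --receive-keys 2BA9C98CCDF1E93A

The command should produce output similar to the following::

    gpg: key 2BA9C98CCDF1E93A: public key "Open Information Security Foundation (OISF) " imported
    gpg: Total number processed: 1
    gpg:               imported: 1

Verify the Suricata Release File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To verify the Suricata 7.0.5 release file, run the following command::

    $ gpg --verify suricata-7.0.5.tar.gz.sig suricata-7.0.5.tar.gz

Depending on the trust level set for the OISF signing key, you will see output similar to the following::

    $ gpg --verify suricata-7.0.5.tar.gz.sig suricata-7.0.5.tar.gz
    gpg: Signature made Tue 23 Apr 2024 11:58:56 AM UTC
    gpg:                using RSA key B36FDAF2607E10E8FFA89E5E2BA9C98CCDF1E93A
    gpg: checking the trustdb
    gpg: marginals needed: 3  completes needed: 1  trust model: pgp
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: next trustdb check due at 2025-08-06
    gpg: Good signature from "Open Information Security Foundation (OISF) " [ultimate]

This output indicates that the signature is valid and the signing key is trusted.

.. note:: If the ``--verify`` command produces the following output::

      gpg: Signature made Tue 23 Apr 2024 11:58:56 AM UTC
      gpg:                using RSA key B36FDAF2607E10E8FFA89E5E2BA9C98CCDF1E93A
      gpg: Can't check signature: No public key

   the OISF signing key has not been imported into the local GPG keyring.

.. note:: If the ``--verify`` command produces the following output::

      gpg: Signature made Tue 23 Apr 2024 11:58:56 AM UTC
      gpg:                using RSA key B36FDAF2607E10E8FFA89E5E2BA9C98CCDF1E93A
      gpg: Good signature from "Open Information Security Foundation (OISF) " [unknown]
      gpg: WARNING: This key is not certified with a trusted signature!
      gpg:          There is no indication that the signature belongs to the owner.
      Primary key fingerprint: B36F DAF2 607E 10E8 FFA8 9E5E 2BA9 C98C CDF1 E93A

   the OISF signing key has been imported and the signature is valid, but the key has not been marked as trusted, or it may be a forgery.

If you have doubts about the validity of a downloaded file, contact the OISF team at ``security @ oisf.net`` (remove the spaces around the ``@`` before sending).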
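The check above can also be made by script instead of by reading the output. The following is an added example, not part of the Suricata documentation or OISF tooling: it reads gpg's ``--status-fd`` output and accepts a release only when a valid signature was made by the full primary key fingerprint shown above. The function names, verdict strings and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Suricata docs): pin the release signature to
# the full OISF fingerprint using gpg's machine-readable status output.
OISF_FPR="B36FDAF2607E10E8FFA89E5E2BA9C98CCDF1E93A"  # fingerprint shown on this page

# classify_status FPR: reads `gpg --status-fd` lines on stdin, prints a
# verdict, and returns 0 only for a valid signature by primary key FPR.
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        # VALIDSIG: the last field is the primary key fingerprint
        $2 == "VALIDSIG"  { seen = 1; if ($NF == want) pinned = 1 }
        END {
            if (bad)     { print "bad-signature";      exit 1 }
            if (nokey)   { print "no-public-key";      exit 2 }
            if (stale)   { print "expired-or-revoked"; exit 1 }
            if (!seen)   { print "no-valid-signature"; exit 1 }
            if (!pinned) { print "wrong-key";          exit 1 }
            print "ok"
        }'
}

# verify_release SIG FILE: run gpg and classify its status output.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status "$OISF_FPR"
}

# Constructed status lines (not captured from a real run) for offline checks.
sample_good() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BA9C98CCDF1E93A Open Information Security Foundation (OISF)
[GNUPG:] VALIDSIG $OISF_FPR 2024-04-23 1713873536 0 4 0 1 10 00 $OISF_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}
sample_no_key() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 2BA9C98CCDF1E93A 1 10 00 1713873536 9 $OISF_FPR
[GNUPG:] NO_PUBKEY 2BA9C98CCDF1E93A
EOF
}

# Run against real files only when two arguments are given.
if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```

Because the verdict depends on the full fingerprint rather than on the ``[ultimate]`` or ``[unknown]`` trust label, the result is the same whether or not the key has been marked trusted in the local keyring.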