32. Verifying Suricata Source Distribution Files

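After downloading a Suricata release file, you should verify its PGP signature. This can be done with the GPG tool, which is usually preinstalled on Linux/BSD systems and needs no additional installation. Installation packages for Mac or Windows are available at https://gnupg.org/.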

32.1. Verification Steps

The following is general verification guidance; the exact commands may vary by operating system.

32.1.1. Download the Signature File

Download both the signature file and the release file. Both are available at https://suricata.io/download/.

32.1.2. Import the OISF Signing Key

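Once you have the signature file and the Suricata release file, import the OISF signing key into your local gpg keyring. The following command performs the import: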

$ gpg --receive-keys 2BA9C98CCDF1E93A

The command should output something similar to the following:

gpg: key 2BA9C98CCDF1E93A: public key "Open Information Security Foundation
(OISF) <releases@openinfosecfoundation.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

32.1.3. Verify the Suricata Release File

To verify the Suricata 7.0.5 release file, run the following command:

$ gpg --verify suricata-7.0.5.tar.gz.sig suricata-7.0.5.tar.gz

Depending on the trust level set for the OISF signing key, you will see output similar to the following:

$ gpg --verify suricata-7.0.5.tar.gz.sig suricata-7.0.5.tar.gz
gpg: Signature made Tue 23 Apr 2024 11:58:56 AM UTC
gpg:                using RSA key B36FDAF2607E10E8FFA89E5E2BA9C98CCDF1E93A
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-08-06
gpg: Good signature from "Open Information Security Foundation (OISF)
<releases@openinfosecfoundation.org>" [ultimate]

This output indicates that the signature is valid and that the signing key is trusted.

Note

If the --verify command outputs the following:

gpg: Signature made Tue 23 Apr 2024 11:58:56 AM UTC
gpg:                using RSA key B36FDAF2607E10E8FFA89E5E2BA9C98CCDF1E93A
gpg: Can't check signature: No public key

it means that the OISF signing key has not been imported into the local GPG keyring.

Note

If the --verify command outputs the following:

gpg: Signature made Tue 23 Apr 2024 11:58:56 AM UTC
gpg:                using RSA key B36FDAF2607E10E8FFA89E5E2BA9C98CCDF1E93A
gpg: Good signature from "Open Information Security Foundation (OISF)
<releases@openinfosecfoundation.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B36F DAF2 607E 10E8 FFA8  9E5E 2BA9 C98C CDF1 E93A

it means that the OISF signing key has been imported and the signature is valid, but the key is not marked as trusted, or may be forged.

If you have any doubts about the validity of a downloaded file, contact the OISF team at security @ oisf.net (remove the spaces around the @ before sending).
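
The second note above shows that a "Good signature" line from an untrusted key does not by itself establish whose key it is. The script below is an added example, not part of the Suricata documentation: it pins the full fingerprint printed in the outputs above by parsing gpg's machine-readable --status-fd lines. The function names check_status and verify_release are hypothetical.

```shell
#!/bin/sh
# Added example: fingerprint-pinned verification of a Suricata tarball.
# Fingerprint copied from the gpg output shown on this page.
OISF_FPR="B36FDAF2607E10E8FFA89E5E2BA9C98CCDF1E93A"

# check_status EXPECTED_FPR
# Reads "gpg --status-fd" lines on stdin. Succeeds only if there is a
# GOODSIG, every VALIDSIG names EXPECTED_FPR as its primary-key
# fingerprint (last field), and no failure status is present.
# VALIDSIG alone is not enough: gpg also emits it for signatures made
# by expired or revoked keys (EXPKEYSIG / REVKEYSIG).
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" {
            if (toupper($NF) == toupper(want)) pinned = 1
            else other = 1
        }
        $2 ~ /^(BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit ((good && pinned && !other && !bad) ? 0 : 1) }
    '
}

# verify_release SIGFILE TARBALL
# Runs gpg with status lines on stdout; human-readable text stays on stderr.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" | check_status "$OISF_FPR"
}

# Only act when invoked with two arguments, for example:
#   sh verify.sh suricata-7.0.5.tar.gz.sig suricata-7.0.5.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: good signature from pinned key $OISF_FPR"
    else
        echo "FAIL: signature missing, invalid, or not from the pinned key" >&2
        exit 1
    fi
fi
```

Because the check compares the full 40-character fingerprint, it does not depend on the local trust setting that produces [ultimate] or [unknown] in the human-readable output.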