Verifying phpMyAdmin releases

Since July 2015 all phpMyAdmin releases are cryptographically signed by the releasing developer, who through January 2016 was Marc Delisle. His key id is 0xFEFC65D181AF644A, and his PGP fingerprint is:

```
436F F188 4B1A 0C3F DCBF 0D79 FEFC 65D1 81AF 644A
```

and you can get more identification information from [https://keybase.io/lem9](https://keybase.io/lem9).

Beginning in January 2016, the release manager is Isaac Bennetch. His key id is 0xCE752F178259BD92, and his PGP fingerprint is:

```
3D06 A59E CE73 0EB7 1B51 1C17 CE75 2F17 8259 BD92
```

and you can get more identification information from [https://keybase.io/ibennetch](https://keybase.io/ibennetch).

Some additional downloads (for example themes) might be signed by Michal Čihař. His key id is 0x9C27B31342B7511D, and his PGP fingerprint is:

```
63CB 1DF1 EF12 CF2A C0EE 5A32 9C27 B313 42B7 511D
```

and you can get more identification information from [https://keybase.io/nijel](https://keybase.io/nijel).

You should verify that the signature matches the archive you have downloaded. This way you can be sure that you are using the same code that was released. You should also verify the date of the signature to make sure that you downloaded the latest version.

Each archive is accompanied by a .asc file which contains the PGP signature for it. Once you have both of them in the same folder, you can verify the signature:

```
$ gpg --verify phpMyAdmin-4.5.4.1-all-languages.zip.asc
gpg: Signature made Fri 29 Jan 2016 08:59:37 AM EST using RSA key ID 8259BD92
gpg: Can't check signature: public key not found
```

As you can see, gpg complains that it does not know the public key. At this point, you should do one of the following steps:

  • Download the phpMyAdmin keyring file and import it:

    ```
    $ gpg --import phpmyadmin.keyring
    ```

  • Download and import the key from one of the key servers:

    ```
    $ gpg --keyserver hkp://pgp.mit.edu --recv-keys 3D06A59ECE730EB71B511C17CE752F178259BD92
    gpg: requesting key 8259BD92 from hkp server pgp.mit.edu
    gpg: key 8259BD92: public key "Isaac Bennetch <bennetch@gmail.com>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    ```

This improves the situation somewhat: at this point you can verify that the signature from the given key is correct, but you still cannot trust the name used in the key:

```
$ gpg --verify phpMyAdmin-4.5.4.1-all-languages.zip.asc
gpg: Signature made Fri 29 Jan 2016 08:59:37 AM EST using RSA key ID 8259BD92
gpg: Good signature from "Isaac Bennetch <bennetch@gmail.com>"
gpg:                 aka "Isaac Bennetch <isaac@bennetch.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3D06 A59E CE73 0EB7 1B51 1C17 CE75 2F17 8259 BD92
```

The problem here is that anybody could issue a key with this name. You need to ensure that the key is actually owned by the mentioned person. The GNU Privacy Handbook covers this topic in the chapter "Validating other keys on your public keyring". The most reliable method is to meet the developer in person and exchange key fingerprints; however, you can also rely on the web of trust, which lets you trust the key transitively through signatures of others who have met the developer in person.

Once the key is trusted, the warning will not occur:

```
$ gpg --verify phpMyAdmin-4.5.4.1-all-languages.zip.asc
gpg: Signature made Fri 29 Jan 2016 08:59:37 AM EST using RSA key ID 8259BD92
gpg: Good signature from "Isaac Bennetch <bennetch@gmail.com>" [full]
```

Should the signature be invalid (the archive has been changed), you get a clear error regardless of whether the key is trusted:

```
$ gpg --verify phpMyAdmin-4.5.4.1-all-languages.zip.asc
gpg: Signature made Fri 29 Jan 2016 08:59:37 AM EST using RSA key ID 8259BD92
gpg: BAD signature from "Isaac Bennetch <bennetch@gmail.com>" [unknown]
```
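The transcripts above are meant to be read by a person. When verification is scripted (a deployment or packaging step, for instance), it is safer to consult gpg's machine-readable status lines (`--status-fd`, with tokens such as `NO_PUBKEY`, `BADSIG`, `GOODSIG`, `VALIDSIG` and `TRUST_*`) and to compare the full fingerprint against the one published on this page, rather than the 32-bit key ID `8259BD92` shown in the human-readable output. The following script is an added example and is not part of the phpMyAdmin documentation or project: the fingerprint and archive name come from this page, the status-line samples are constructed (not captured from a real gpg run), the second fingerprint is a placeholder for "some unrelated key", and the function names `check_status`, `sig_date` and `verify_release` are this example's own. It distinguishes all four outcomes described above plus a fifth one the page does not show, a good signature from a trusted key that is nevertheless not the expected release key.

```shell
#!/bin/sh
# Added example (not phpMyAdmin's code): classify "gpg --verify" from status lines.

# Full fingerprint of the release manager's key, as listed on the page.
# Pin the full fingerprint, never the 32-bit "key ID 8259BD92" from the
# human-readable output: short key IDs are not unique, fingerprints are.
PMA_RELEASE_FPR="3D06A59ECE730EB71B511C17CE752F178259BD92"

# check_status EXPECTED_FPR  (status lines on stdin, one verdict on stdout)
#   missing-key    public key not in the keyring ("public key not found")
#   bad-signature  archive or .asc was modified ("BAD signature")
#   wrong-key      good signature, but by a key other than EXPECTED_FPR
#   untrusted-key  good signature by the expected key, key not yet validated
#                  in your web of trust ("not certified")
#   trusted        good signature by the expected key with full trust
check_status() {
  want="$1"
  verdict="no-signature"
  fpr=""
  trust=""
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] NO_PUBKEY "*) verdict="missing-key" ;;
      "[GNUPG:] BADSIG "*)    verdict="bad-signature" ;;
      "[GNUPG:] VALIDSIG "*)
        # Field 3: fingerprint of the signing (sub)key; field 12, if present:
        # primary key fingerprint. Accept either (releases may use a subkey).
        sigfpr=$(printf '%s\n' "$line" | cut -d ' ' -f 3)
        primary=$(printf '%s\n' "$line" | cut -d ' ' -f 12)
        if [ "$sigfpr" = "$want" ] || [ "$primary" = "$want" ]; then
          fpr="$want"
        else
          fpr="$sigfpr"
        fi
        ;;
      "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trust="full" ;;
      "[GNUPG:] TRUST_"*)                                 trust="none" ;;
    esac
  done
  if [ "$verdict" = "no-signature" ] && [ -n "$fpr" ]; then
    if [ "$fpr" != "$want" ]; then
      verdict="wrong-key"
    elif [ "$trust" = "full" ]; then
      verdict="trusted"
    else
      verdict="untrusted-key"
    fi
  fi
  printf '%s\n' "$verdict"
}

# sig_date: print the signature date (YYYY-MM-DD) from the VALIDSIG line, so
# the caller can check that the download is current, as the page advises.
sig_date() {
  awk '$2 == "VALIDSIG" { print $4; exit }'
}

# verify_release ARCHIVE [EXPECTED_FPR]
#   Runs gpg on ARCHIVE.asc (beside ARCHIVE, as on the page); succeeds only on
#   "trusted". Human-readable output is discarded, status lines go to fd 1.
verify_release() {
  archive="$1"
  want="${2:-$PMA_RELEASE_FPR}"
  status=$(gpg --status-fd 1 --verify "$archive.asc" "$archive" 2>/dev/null || true)
  verdict=$(printf '%s\n' "$status" | check_status "$want")
  printf '%s: %s (signed %s)\n' "$archive" "$verdict" \
    "$(printf '%s\n' "$status" | sig_date)"
  [ "$verdict" = "trusted" ]
}

# Constructed status samples modelled on the page's transcripts (not real gpg
# captures; 1454075977 is "Fri 29 Jan 2016 08:59:37 AM EST" as Unix time).
SIG="$PMA_RELEASE_FPR 2016-01-29 1454075977 0 4 0 1 2 00 $PMA_RELEASE_FPR"
STATUS_MISSING="[GNUPG:] ERRSIG CE752F178259BD92 1 2 00 1454075977 9
[GNUPG:] NO_PUBKEY CE752F178259BD92"
STATUS_UNTRUSTED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CE752F178259BD92 Isaac Bennetch <bennetch@gmail.com>
[GNUPG:] VALIDSIG $SIG
[GNUPG:] TRUST_UNDEFINED 0 pgp"
STATUS_TRUSTED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CE752F178259BD92 Isaac Bennetch <bennetch@gmail.com>
[GNUPG:] VALIDSIG $SIG
[GNUPG:] TRUST_FULLY 0 pgp"
STATUS_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG CE752F178259BD92 Isaac Bennetch <bennetch@gmail.com>"
# Placeholder fingerprint standing in for "a fully trusted but unexpected key".
OTHER="0123456789ABCDEF0123456789ABCDEF01234567"
STATUS_WRONGKEY="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <placeholder@example.invalid>
[GNUPG:] VALIDSIG $OTHER 2016-01-29 1454075977 0 4 0 1 2 00 $OTHER
[GNUPG:] TRUST_FULLY 0 pgp"

for sample in MISSING UNTRUSTED TRUSTED BAD WRONGKEY; do
  eval "lines=\$STATUS_$sample"
  printf '%-9s -> %s\n' "$sample" \
    "$(printf '%s\n' "$lines" | check_status "$PMA_RELEASE_FPR")"
done
```

With the archive and its .asc file in the current directory, `verify_release phpMyAdmin-4.5.4.1-all-languages.zip` exits 0 only for the `trusted` verdict. The script does not replace the step the page describes: a `trusted` result still depends on you having validated the key through an in-person fingerprint exchange or the web of trust, and the `wrong-key` case shows why pinning the expected fingerprint matters even then.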