[Bro] before install verify download signature

Thu Aug 2 06:36:56 PDT 2018

> On Aug 2, 2018, at 4:14 AM, cmason at cmason.us wrote:
> 
> Is there an example of a command line for verifying the bro package before installing?

$ wget https://www.bro.org/downloads/bro-2.5.4.tar.gz
--2018-08-02 09:26:39--  https://www.bro.org/downloads/bro-2.5.4.tar.gz
Resolving www.bro.org... 192.150.187.43
Connecting to www.bro.org|192.150.187.43|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18520847 (18M) [application/x-gzip]
Saving to: 'bro-2.5.4.tar.gz'

bro-2.5.4.tar.gz             100%[==============================================>]  17.66M  8.40MB/s    in 2.1s

2018-08-02 09:26:41 (8.40 MB/s) - 'bro-2.5.4.tar.gz' saved [18520847/18520847]

$ wget https://www.bro.org/downloads/bro-2.5.4.tar.gz.asc
--2018-08-02 09:26:43--  https://www.bro.org/downloads/bro-2.5.4.tar.gz.asc
Resolving www.bro.org... 192.150.187.43
Connecting to www.bro.org|192.150.187.43|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 801 [text/plain]
Saving to: 'bro-2.5.4.tar.gz.asc'

bro-2.5.4.tar.gz.asc         100%[==============================================>]     801  --.-KB/s    in 0s

2018-08-02 09:26:43 (54.6 MB/s) - 'bro-2.5.4.tar.gz.asc' saved [801/801]

$ gpg --verify bro-2.5.4.tar.gz.asc
gpg: assuming signed data in 'bro-2.5.4.tar.gz'
gpg: Signature made Wed May 30 11:32:36 2018 EDT
gpg:                using RSA key C68B494DF56ACC7E
gpg: Good signature from "The Bro Team <info at bro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 962F D218 7ED5 A1DD 82FC  478A 33F1 5EAE F8CB 8019
     Subkey fingerprint: E969 0B2B 7D8A C1A1 9F92  1C4A C68B 494D F56A CC7E
$
— 
Justin Azoff