Apple updated their PGP product security key as part of their two-year cycle. The new key is valid up through May 15, 2010 and will eventually be posted to their Protecting Security Information page. The announcement was made on their mailing list which you can subscribe to via mail or RSS.

How To Use The Key

Unlike the SHA-1 digests Apple posts alongside each download from its site (the SHA1 lines on the Safari 3.1.1 update are one example; more on verifying those here), which only cover a single file, the PGP key is used for communicating with Apple’s Product Security team: to verify the authenticity of messages you receive from them, and to encrypt messages you send to them.

For sending encrypted mail you need either a mail client with PGP support built in or an add-on such as PGP for Apple Mail (which does not support Leopard yet, though there is a beta program if you’re willing to live on the edge). You then generate a public/private key pair and encrypt your message with Apple’s public key. If I receive sufficient requests/interest in the comments, I’ll post a full example of how to send encrypted mail with PGP on OS X.

For verifying Apple’s messages you need a PGP implementation at a minimum. A free one (GnuPG, which provides the gpg command used in the examples below) is available from The Fink Project, MacPorts or MacGPG, and a commercial version from the PGP mothership. Enterprising folks can build it from source as well. The rest of this requires some Terminal-fu, so be forewarned!

From a Terminal window, run gpg --gen-key to generate your own public/private key pair. Strictly speaking you do not need one just to verify a signature, but you will want one for signing or encrypting anything you send back, and for locally signing Apple’s key once you have checked its fingerprint, so it is a good thing to do first:

gpg --gen-key
gpg (GnuPG) 1.4.8; Copyright (C) 2007 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) N
Key is valid for? (0) 2y
Key expires at Thu May 13 13:12:34 2010 PDT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Bob Rudis
Email address: bob@rudis.net
Comment:
You selected this USER-ID:
    "Bob Rudis <bob@rudis.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++.+++++++++++++++++++++++++.
++++++++++..++++++++++.+++++.+++++.+++++..+++++.++
++++++++.++++++++++.+++++.++++++++++.+++++...+++++
.+++++.>+++++................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++.+++++++++++++++.++++++++++++++++++++++++
+..++++++++++++++++++++++++++++++++++++++++.+++
++...+++++.+++++++++++++++++++++++++.++++++++++..
++++++++++.+++++>..+++++.+++++>.+++++>+++++
..........+++++^^^
gpg: /Users/bob/.gnupg/trustdb.gpg: trustdb created
gpg: key [key id] marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2010-05-13
pub   1024D/39240DBE 2008-05-13 [expires: 2010-05-13]
      Key fingerprint = [the fingerprint]
uid                  Bob Rudis
sub   2048g/2156B72D 2008-05-13 [expires: 2010-05-13]

I recommend two years as the maximum lifespan of the key. (One caveat for anyone following this today: the 1024-bit DSA primary key that GnuPG 1.4 defaults to is no longer considered adequate; current GnuPG releases default to a 3072-bit RSA key, which is the better choice.)

After that, you need to import Apple’s key(s) before verifying messages. The latest one will (or should) be here with historical ones here. Only use these if you are sure you’re on Apple’s site; I provided HTTPS links just so you have one more means of verification. Copy the key text, type gpg --import in Terminal.app, paste the key into it (be sure to copy all lines, including the BEGIN/END dashed ones) and press Control-D to end the input:

gpg --import
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Desktop 9.0.6 (Build 6060)

[... base64 key material elided ...]
=HSS8
-----END PGP PUBLIC KEY BLOCK-----
gpg: key B8469E6D: public key "Apple Product Security " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Before trusting it, compare the fingerprint gpg shows for the key (gpg --fingerprint B8469E6D) against the one published on the Apple page you fetched the key from. The 8-hex-digit key ID is too short to rule out a look-alike key; only the full fingerprint does that. You should then “trust” the key via:

gpg --edit-key B8469E6D trust

(the key ID is the one from the import output above; you can also select the key by user ID, quoted: gpg --edit-key "Apple Product Security <product-security-noreply@lists.apple.com>" trust) with the level of trust you have for Apple (you will be prompted for your trust level). Note that this ownertrust value only says how far you trust Apple to vouch for other people’s keys; unless you pick “ultimate”, gpg will still warn on every verification that Apple’s key itself is not certified. To clear that warning, sign the key locally with the lsign command in the same gpg --edit-key session once you have checked the fingerprint.
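The fingerprint comparison is the step people skip, so here it is as a script. This is an added example, not code from the original post: it parses GnuPG’s machine-readable listing (gpg --with-colons --fingerprint <key>) and checks every fpr record against the fingerprint Apple printed in its signed announcement. SAMPLE_LISTING is constructed for the example; the fingerprint and long key ID in it are the announcement’s, the remaining field values are illustrative.

```python
"""Check an imported key's fingerprint against the published one before trusting it.

Added example, not code from the original post. Parses GnuPG's colon-format
listing and compares every `fpr` record with the fingerprint from Apple's
signed announcement. SAMPLE_LISTING is constructed: fingerprint and long key
ID are the announcement's, other fields are illustrative.
"""
import re
import subprocess

# Fingerprint exactly as it appears in Apple's announcement.
APPLE_2008_FPR = "39EC C76A 3D62 7062 C321 10B2 7928 75E8 8A64 8901"

# Constructed sample of `gpg --with-colons --fingerprint 8A648901` output.
SAMPLE_LISTING = """\
pub:-:2048:1:792875E88A648901:2008-05-12:2010-05-15::-:::scESC:
fpr:::::::::39ECC76A3D627062C32110B2792875E88A648901:
uid:-::::2008-05-12::0000000000000000000000000000000000000000::Apple Product Security:
"""


def normalize_fingerprint(fpr: str) -> str:
    """Drop the spaces/colons people paste and upper-case, so the printed form
    and gpg's bare hex form compare equal. Rejects anything that is not a
    40-hex-digit (v4) fingerprint, including a bare 8- or 16-digit key ID."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {fpr!r}")
    return cleaned


def listed_fingerprints(colon_output: str) -> list:
    """Fingerprints from every `fpr` record; the value is field 10 of the
    colon format (index 9 after splitting on ':')."""
    fprs = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9].upper())
    return fprs


def fingerprint_matches(colon_output: str, expected: str) -> bool:
    """True only if the full 160-bit fingerprint is present. Matching the
    32-bit key ID (8A648901) is not enough: a look-alike key with the same
    short ID is cheap to generate, a colliding fingerprint is not."""
    want = normalize_fingerprint(expected)
    return want in listed_fingerprints(colon_output)


def gpg_listing(key_spec: str) -> str:
    """Fetch the real listing from the local keyring (not exercised offline)."""
    return subprocess.run(
        ["gpg", "--batch", "--with-colons", "--fingerprint", key_spec],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    print("fingerprint matches announcement:",
          fingerprint_matches(SAMPLE_LISTING, APPLE_2008_FPR))
    # Against the real keyring once the key is imported:
    #   fingerprint_matches(gpg_listing("8A648901"), APPLE_2008_FPR)
```

Only after this returns True for the key you just imported should you set ownertrust or lsign it.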

Once you’ve gotten this far (keep going!), you can verify messages by copying the message text from the “BEGIN PGP SIGNED MESSAGE” dashed line through the “END PGP SIGNATURE” dashed line (both included), pasting it into a gpg --verify Terminal command and ending the input with Control-D. Saving the message to a file and running gpg --verify on that file works the same way and avoids paste mishaps:

gpg --verify
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

In accordance with established policy, we update the Apple Product
Security PGP key every two years.

Key information will be available from our web site at:

http://www.apple.com/support/security/pgp/

Here is our new PGP key which is effective immediately and valid
until May 15, 2010.

Key ID: 0x8A648901
Key Type: RSA
Expires: 5/15/10
Key Size: 2048/2048
Fingerprint: 39EC C76A 3D62 7062 C321 10B2 7928 75E8 8A64 8901
UserID: Apple Product Security

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 9.7.0.1012

[... base64 key material elided ...]
=eeVl
- -----END PGP PUBLIC KEY BLOCK-----

This message is signed with the current key, which can be obtained
from:

http://www.apple.com/support/security/pgp/archive/

Apple Product Security team

http://www.apple.com/support/security/

-----BEGIN PGP SIGNATURE-----
Version: 9.7.0.1012

wsBVAwUBSCjupMgAoqu4Rp5tAQgK2gf+M39rtHuNxeckE8WnPhiOWd6cBy5Xl6xU
LHHYcUs1/0nouIL7zkQ9rbIV29iDsjMroz+qeZOCp8KUohFF2MZLN+J8N7cefSfr
b55zhFGqkwmsaNb9Fz7OdX7ML2JZYirLw5b/mqdQoYqGlRuHzcMDuhmskILCYXqb
D63RUcXXnFMabAybJAXqs7lYPxhNO0AdCsceVvPkaGHu23n5RPJLT9dq+Cc0mqlT
TyzklycFgahXRlbzL5OUs+GyOWnbluTOEIgSVsCZFjJZkjbHa4BxRwR6AbfUuCyg
ANPhtc8agySNW/+Nu9aTRHo7RDzPvqsBbRxdA708SI9SDbNIrqqxvw==
=jHUp
-----END PGP SIGNATURE-----
gpg: Signature made Mon May 12 18:28:04 2008 PDT using RSA key ID B8469E6D
gpg: Good signature from "Apple Product Security "
gpg:                 aka "Apple Product Security"

The key bits you’re looking for are the last three lines: the date and key ID the signature was made with, and “Good signature from” the user IDs on that key. Check that the key ID is the one you imported and fingerprint-checked (B8469E6D here); “Good signature” by itself only says the text matches a signature from whatever key gpg found in your keyring. If that key has not been certified, gpg prints a warning to that effect after these lines, which is why locally signing the key after checking its fingerprint matters.
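The copying rule above, and the “- -----BEGIN PGP PUBLIC KEY BLOCK-----” lines inside the announcement, follow the clearsigned message layout from RFC 4880 section 7. This added example (not code from the original post) pulls a message apart the way gpg does before hashing: it reads the Hash: armor header, undoes the dash-escaping, strips trailing whitespace and returns the armored signature separately. SAMPLE_CLEARSIGNED is a shortened, constructed version of the announcement whose signature body is a placeholder, so this shows the framing only, not signature verification.

```python
"""Split a clearsigned message into its signed text and detached signature.

Added example, not code from the original post. Implements the framing rules
of RFC 4880 section 7 (armor header, dash-escaping, trailing-whitespace
stripping, unsigned final line ending). SAMPLE_CLEARSIGNED is a shortened,
constructed version of Apple's announcement with a placeholder signature body.
"""
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

SAMPLE_CLEARSIGNED = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Here is our new PGP key which is effective immediately and valid
until May 15, 2010.

- -----BEGIN PGP PUBLIC KEY BLOCK-----
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 9.7.0.1012

placeholderSignatureDataNotARealSignature==
=0000
-----END PGP SIGNATURE-----
"""


def split_clearsigned(text: str):
    """Return (hash_algorithms, signed_text, armored_signature).

    Raises ValueError when the framing lines are missing, which is the usual
    result of copying too little of the message into the terminal."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("incomplete clearsigned message: BEGIN/END lines missing") from None

    # Armor headers ("Hash: SHA256") run up to the first blank line.
    hashes = []
    i = start + 1
    while i < sig_start and lines[i].strip():
        if lines[i].startswith("Hash:"):
            hashes.extend(h.strip() for h in lines[i][len("Hash:"):].split(","))
        i += 1

    # Signed text: remove the "- " prefix that dash-escaping adds to every line
    # that began with a dash (so an embedded key block cannot terminate the
    # clearsigned section), and drop trailing spaces/tabs, which the hash
    # does not cover.
    signed = []
    for line in lines[i + 1:sig_start]:
        if line.startswith("- "):
            line = line[2:]
        signed.append(line.rstrip(" \t"))
    # The line ending just before BEGIN PGP SIGNATURE is not part of the
    # signed text, so the lines are joined without a trailing newline.
    signed_text = "\n".join(signed)
    signature = "\n".join(lines[sig_start:sig_end + 1]) + "\n"
    return hashes, signed_text, signature


if __name__ == "__main__":
    algos, body, sig = split_clearsigned(SAMPLE_CLEARSIGNED)
    print("hash:", algos)
    print(body)
    print(sig)
```

If you copy only from the first dashed line inside the message (the dash-escaped key block) instead of the real BEGIN PGP SIGNED MESSAGE line, the parser raises; gpg fails the same way, just less explicitly.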

If the message was corrupted at all (or is not legitimate) you’ll receive a message similar to:

gpg: Signature made Mon May 12 18:28:04 2008 PDT using RSA key ID B8469E6D
gpg: BAD signature from "Apple Product Security "


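For anything automated (a mail filter, a script that gates an action on Apple’s signed advisory), reading those last lines by eye does not scale, and grepping them is fragile because gpg localises its human-readable output. This added example (not the post’s own code) classifies a verification from gpg’s machine-readable --status-fd lines instead, and insists that the signing key’s full fingerprint equal the one you pinned, so a “Good signature” from a look-alike key is rejected. The status samples are constructed for the cases shown; the pinned fingerprint is the one from Apple’s announcement, the other key IDs and timestamps are made up, and verify_file() calls the real gpg, which is not exercised here.

```python
"""Classify a gpg verification from its machine-readable status lines.

Added example, not code from the original post. `gpg --status-fd 1` emits
stable "[GNUPG:]" lines (GnuPG doc/DETAILS): GOODSIG/BADSIG/ERRSIG give the
outcome, VALIDSIG carries the signing key's full fingerprint, EXPKEYSIG and
REVKEYSIG mark a good signature from a key that should no longer be accepted.
All STATUS_* samples are constructed; only APPLE_2008_FPR comes from the
announcement.
"""
import subprocess

APPLE_2008_FPR = "39EC C76A 3D62 7062 C321 10B2 7928 75E8 8A64 8901"
_FAKE_FPR = "0" * 24 + "0123456789ABCDEF"   # look-alike key, constructed

STATUS_GOOD = """\
[GNUPG:] GOODSIG 792875E88A648901 Apple Product Security
[GNUPG:] VALIDSIG 39ECC76A3D627062C32110B2792875E88A648901 2008-05-13 1210642084 0 4 0 1 8 00 39ECC76A3D627062C32110B2792875E88A648901
[GNUPG:] TRUST_FULLY 0 pgp
"""
STATUS_BAD = """\
[GNUPG:] BADSIG 792875E88A648901 Apple Product Security
"""
STATUS_LOOKALIKE = f"""\
[GNUPG:] GOODSIG 0123456789ABCDEF Apple Product Security
[GNUPG:] VALIDSIG {_FAKE_FPR} 2008-05-13 1210642084 0 4 0 1 8 00 {_FAKE_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_MISSING_KEY = """\
[GNUPG:] ERRSIG 792875E88A648901 1 8 00 1210642084 9
[GNUPG:] NO_PUBKEY 792875E88A648901
"""
STATUS_EXPIRED = """\
[GNUPG:] EXPKEYSIG 792875E88A648901 Apple Product Security
[GNUPG:] VALIDSIG 39ECC76A3D627062C32110B2792875E88A648901 2010-06-01 1275350400 0 4 0 1 8 00 39ECC76A3D627062C32110B2792875E88A648901
"""


def evaluate_status(status_text: str, expected_fpr: str) -> str:
    """Return one of: good, bad, unverifiable, expired-key, revoked-key,
    wrong-key, no-signature. 'good' requires a GOODSIG plus a VALIDSIG whose
    signing-key or primary-key fingerprint equals the pinned one."""
    expected = expected_fpr.replace(" ", "").upper()
    outcome = None
    fprs = set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        tag = parts[1]
        if tag == "BADSIG":
            return "bad"                  # text or signature was altered
        if tag == "ERRSIG":
            return "unverifiable"         # e.g. NO_PUBKEY follows: key never imported
        if tag == "EXPKEYSIG":
            outcome = "expired-key"
        elif tag == "REVKEYSIG":
            outcome = "revoked-key"
        elif tag == "GOODSIG" and outcome is None:
            outcome = "good"
        elif tag == "VALIDSIG" and len(parts) > 2:
            # parts[2] is the signing (sub)key fingerprint; newer gpg appends
            # the primary key fingerprint as the last field.
            fprs.update({parts[2].upper(), parts[-1].upper()})
    if outcome is None:
        return "no-signature"
    if outcome != "good":
        return outcome
    return "good" if expected in fprs else "wrong-key"


def verify_file(path: str, expected_fpr: str = APPLE_2008_FPR) -> str:
    """Run the real gpg on a saved copy of the message (not exercised offline).
    With --status-fd 1 the status lines go to stdout and the human-readable
    text to stderr, so the two never mix."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True,
    )
    return evaluate_status(proc.stdout, expected_fpr)


if __name__ == "__main__":
    for name, sample in [("good", STATUS_GOOD), ("bad", STATUS_BAD),
                         ("lookalike", STATUS_LOOKALIKE),
                         ("missing key", STATUS_MISSING_KEY),
                         ("expired", STATUS_EXPIRED)]:
        print(f"{name:12s} -> {evaluate_status(sample, APPLE_2008_FPR)}")
```

Treat anything other than "good" as a failure; in particular an expired or revoked key still yields a mathematically valid signature, which is exactly the case a two-year key rotation is meant to force you to notice.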
The process may seem clunky and arduous, but it is a solid way to ensure integrity of messages you receive from places like Apple. GUI tools mask the “ugliness” of hacking Terminal.app, but the same steps and principles apply.

If you see any glaring problem with this post, have any questions on what I’ve described or use a different PGP application, please drop a note in the comments.

If you made it this far, here’s a challenge for you as a reward. I actually used a similar input file to the one I cut/pasted from Apple’s message. On a human first glance, there may not appear to be much difference between the two sets of data, but the first TAB reader to identify what I modified to make the good message into a bad message will receive a $15 iTunes gift certificate! Just drop your educated guess (or results of scientific analysis) in the comments and the first correct comment will win (make sure to post your comment with e-mail address so I can contact you with the prize). The whole purpose of the prize is to show that you can’t just trust your eyes when it comes to security and should effectively demonstrate the value of using PGP on important messages.

  1. You changed the expiry date from “until May 15, 2010.” to “until May 15, 2012.”?

  2. Count me as one reader who would like to see a future post on using PGP on OSX.

  3. you removed return/new line?

  4. You have removed the string: “Y29tPokBjQQQAQIAdwUC
    SCjJ8” from the key, making it incompatible with the key size

  5. [...] to Nico Kaiser for correctly identifying the subtle change in the PGP security contest! See, it literally pays to read “stodgy” [...]

  6. You mangled the public key block with extra characters and cutting out the above mentioned string (indeed):

    ($:~)-> diff goodblock badblock
    7,8c7
    < U2VjdXJpdHkgPHByb2R1Y3Qtc2VjdXJpdHlAYXBwbGUuY29tPokBjQQQAQIAdwUC
    U2VjdXJpdHkgPHByb2R1Y3Qtc2VjdXJpdHlAYXBwbGUuwUJA8ZbgDAUgAAAAAAgAAdwcmVmZXJyZWQtZW1haWwtZW5jb2RpbmdAcGdw

  7. OT: that was some very basic HTML IMHO… pre is not basic? ;-)

  8. I wish there were more posts like this online.