LinuxQuestions.org
Old 10-29-2017, 07:44 AM   #16
michaelk
Moderator
 
Registered: Aug 2002
Posts: 18,921

Rep: Reputation: 2849

As far as I know this is for developers only.

https://wiki.debian.org/DebianKeyring
 
Old 10-29-2017, 07:57 AM   #17
firenze465
Member
 
Registered: Oct 2017
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
As far as I know this is for developers only.

https://wiki.debian.org/DebianKeyring
Is the GnuPG verification on a downloaded .iso file really just a joke and it's best just to ignore it?
 
Old 10-29-2017, 08:09 AM   #18
michaelk
Moderator
 
Registered: Aug 2002
Posts: 18,921

Rep: Reputation: 2849
Is this what you're referencing?
https://www.debian.org/CD/verify
 
Old 10-29-2017, 08:47 AM   #19
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,110
Blog Entries: 3

Rep: Reputation: 2000
No, but Debian itself seems to be heading that way the last decade. I moved to Devuan when it became available for the machines that would otherwise run Debian. It's identical to Debian for the moment except for a refreshing absence of systemd. You can find more here: www.devuan.org

About the verifying with a public OpenPGP key, I'll just say "key" now, that's poorly described for most any distro, as far as I know. Here's how you'd do it for Debian. First, start with a matched set of SHA512SUMS, SHA512SUMS.sign, and a disc image. If you don't have the key, the verification will produce an error and tell you the key type and fingerprint of the missing key:

Code:
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 14 Oct 2017 06:49:27 PM EEST
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key
The Debian web site should list the fingerprint, but it doesn't except for one place:

https://www.debian.org/CD/verify

Anyway, when I load that link, I see that one of the key fingerprints matches what SHA512SUMS.sign asks for. If you don't have the Debian keyring package already installed, then you'll have to bootstrap things and get the key manually from a key server with that key, such as keyring.debian.org.

Code:
gpg --keyserver=keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg --list-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg --fingerprint DF9B9C49EAA9298432589D76DA87E80D6294BE9B
The first line gets a key with that fingerprint (we'll skip a digression about collisions) and then the second line shows it in your local keyring. The third line shows the full fingerprint to compare again to the Debian web site's example.

Then you can try verifying the SHA512SUMS file with the key present:

Code:
gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 14 Oct 2017 06:49:27 PM EEST
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
See "web of trust" about the warning, but for now you've verified it as much as you can. Then use the SHA512SUMS file to check the disc image:

Code:
sha512sum --ignore-missing -c SHA512SUMS
And Bob's your uncle.
 
1 members found this post helpful.
Old 11-03-2017, 07:27 AM   #20
firenze465
Member
 
Registered: Oct 2017
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
No, but Debian itself seems to be heading that way the last decade. I moved to Devuan when it became available for the machines that would otherwise run Debian. It's identical to Debian for the moment except for a refreshing absence of systemd. You can find more here: www.devuan.org
From my limited understanding of systemd - it seems this new initiative is going to 'standardise' a lot of programs in different linux distros.
This is very good for simplifying stuff in the future, but it's bad for security.
A lot of debian people resigned when systemd was introduced.

Only the future can tell us if systemd will lead us to the dark side.
But as Master Yoda has said: 'There is another'.
And that is Devuan.


Quote:
Code:
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 14 Oct 2017 06:49:27 PM EEST
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key
This is the output I get:
Code:
gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Signature made Sat 14 Oct 2017 16:49:25 BST using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
gpg.conf is not active and my RSA key ID is different to yours. But I think everything's ok.

Quote:
Code:
gpg --keyserver=keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
This is my output:
Code:
gpg --keyserver=keyring.debian.org --recv-keys 6294BE9B
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
Quote:
Code:
gpg --fingerprint DF9B9C49EAA9298432589D76DA87E80D6294BE9B
This is what I get:
Code:
gpg --fingerprint 6294BE9B
pub   4096R/6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key <debian-cd@lists.debian.org>
sub   4096R/11CD9819 2011-01-05
Quote:
Then you can try verifying the SHA512SUMS file with the key present:
Code:
gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 14 Oct 2017 06:49:27 PM EEST
This is what I get:
Code:
gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 14 Oct 2017 16:49:25 BST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
Quote:
See "web of trust" about the warning, but for now you've verified it as much as you can.
So it seems I have received a key from debian.org (RSA key ID 6294BE9B).
When I 'fingerprint' the key with gpg - it gives me another key: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B.
I can see both these numbers are on the link https://www.debian.org/CD/verify

Quote:
Then use the SHA512SUMS file to check the disc image:
Code:
sha512sum --ignore-missing -c SHA512SUMS
For some reason the '--ignore-missing' option is not recognised.
I get this:
Code:
sha512sum -c SHA512SUMS
debian-9.2.1-amd64-netinst.iso: OK
So does this mean the .iso file is ok via gpg and sha512sum?
 
Old 11-03-2017, 07:41 AM   #21
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,110
Blog Entries: 3

Rep: Reputation: 2000
(I don't have anything good to say about systemd or, especially, about how it got where it is today. If you are interested in the power play that looks to be happening then some background reading can be found in the first of the "Halloween Documents". ESR has it hosted on his web site somewhere.)

Regarding the key, the "6294BE9B" part of the fingerprint is too short to safely uniquely identify the key. So use only the full fingerprint. You'll see the short id in the tail end of the full fingerprint.

It looks like everything's ok in your methodology otherwise. So the SHA512SUM checks out with OpenPGP.

About --ignore-missing with sha512sum, that option only hides complaints about files that are listed in SHA512SUMS but not present on the disk. Since they are not present, they don't need to be checked.

Code:
debian-9.2.1-amd64-netinst.iso: OK
Yes, that means that the disc image checks out with sha512sum.
 
1 members found this post helpful.
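
The checks from posts #19 and #21 combined into one script, added here as an example and not code from any poster: it reads gpg's machine-readable status output rather than the "Good signature" text, compares the full pinned fingerprint, and checks a single image without `--ignore-missing`. The function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). The pinned value is the full fingerprint
# quoted in the posts above, not the 8-hex-digit short ID.
EXPECTED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Reads `gpg --status-fd 1 --verify ...` output on stdin. Succeeds only when
# gpg reported GOODSIG (not emitted for expired or revoked keys) and a VALIDSIG
# line whose last field, the primary-key fingerprint, equals $1.
status_has_valid_sig() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { pinned = 1 }
        END { exit ((good && pinned) ? 0 : 1) }'
}

# Checks one image against SHA512SUMS without --ignore-missing, which older
# coreutils lack: only that file's line is passed to sha512sum -c.
# $1 = checksum file, $2 = image name (no spaces), both in the current directory.
check_image() {
    line=$(awk -v f="$2" '$2 == f || $2 == ("*" f)' "$1")
    [ -n "$line" ] || { echo "$2 is not listed in $1" >&2; return 2; }
    printf '%s\n' "$line" | sha512sum -c -
}

# Full procedure; run it in the directory holding the three downloaded files.
verify_iso() {
    gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS 2>/dev/null |
        status_has_valid_sig "$EXPECTED_FPR" ||
        { echo "SHA512SUMS is not signed by the pinned key" >&2; return 1; }
    check_image SHA512SUMS "$1"
}

# Constructed status output for trying status_has_valid_sig offline.
SAMPLE_GOOD='[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2017-10-14 1507996165 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B'
# Constructed: a different key whose fingerprint only ends in the same short ID.
SAMPLE_LOOKALIKE='[GNUPG:] GOODSIG 89ABCDEF6294BE9B Constructed look-alike key
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF6294BE9B 2017-10-14 1507996165 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF6294BE9B'
```

Call it as `verify_iso debian-9.2.1-amd64-netinst.iso` after importing the key; a non-zero return means either the signature is not from the pinned key or the image does not match its listed hash.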
Old 11-03-2017, 11:36 AM   #22
firenze465
Member
 
Registered: Oct 2017
Posts: 37

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Regarding the key, the "6294BE9B" part of the fingerprint is too short to safely uniquely identify the key. So use only the full fingerprint. You'll see the short id in the tail end of the full fingerprint.
I repeated the process with the long key and it gave me the same results.
The link is very helpful. Thank you very much.
 
  

