[SOLVED] How to use sha512sum on an iso file

michaelk · 10-29-2017, 07:44 AM

As far as I know this is for developers only.

https://wiki.debian.org/DebianKeyring

firenze465 · 10-29-2017, 07:57 AM

Quote:

Originally Posted by michaelk

As far as I know this is for developers only.

https://wiki.debian.org/DebianKeyring

Is the GnuPG verification on a downloaded .iso file really just a joke and it's best just to ignore it?

michaelk · 10-29-2017, 08:09 AM

Is this what your referencing?
https://www.debian.org/CD/verify

Turbocapitalist · 10-29-2017, 08:47 AM

No, but Debian itself seems to be heading that way the last decade. I moved to Devuan when it became available for the machines that would otherwise run Debian. It's identical to Debian for the moment except for a refreshing absence of systemd. You can find more here: www.devuan.org

About the verifying with a public OpenPGP key, I'll just say "key" now, that's poorly described for most any distro, as far as I know. Here's how you'd do it for Debian. First, start with a matched set of SHA512SUMS, SHA512SUMS.sign, and a disc image. If you don't have the key, the verification will produce an error and tell you the key type and fingerprint of the missing key:

Code:

$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 14 Oct 2017 06:49:27 PM EEST
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key

The Debian web site should list the fingerprint, but it doesn't except for one place:

https://www.debian.org/CD/verify

Anyway, when I load that link, I see that one of the key fingerprints matches what SHA512SUMS.sign asks for. If you don't have the Debian keyring package already installed, then you'll have to bootstrap things and get the key manually from a key
server with that key, such as keyring.debian.org.

Code:

gpg --keyserver=keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
.
gpg --list-keys DF9B9Ce49EAA9298432589D76DA87E80D6294BE9B

gpg --fingerprint DF9B9C49EAA9298432589D76DA87E80D6294BE9B

The first line gets a key with that fingerprint (we'll skip a digression about collisions) and then the second line shows it in your local keyring. The third line shows the full finger print to compare again to the Debiean web site's example.

Then you can try verifying the SHA512SUMS file with the key present:

Code:

gpg --verify SHA512SUMS.sign SHA512SUMSgpg: Signature made Sat 14 Oct 2017 06:49:27 PM EEST
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

See "web of trust" about the warning, but for now you've verified it as much as you can. Then use the SHA512SUMS file to check the disc image:

Code:

sha512sum --ignore-missing -c SHA512SUMS

And Bob's your uncle.

firenze465 · 11-03-2017, 07:27 AM

Quote:

Originally Posted by Turbocapitalist

No, but Debian itself seems to be heading that way the last decade. I moved to Devuan when it became available for the machines that would otherwise run Debian. It's identical to Debian for the moment except for a refreshing absence of systemd. You can find more here: www.devuan.org

From my limited understanding of systemd - it seems this new initiative is going to 'standardise' a lot of programs in different linux distros.
This is very good for simplifying stuff in the future, but it's bad for security.
A lot of debian people resigned when systemd was introduced.

Only the future can tell us if systemd will lead us to the dark side.
But as Master Yoda has said: 'There is another'.
And that is Devuan.

Quote:

Code:

$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 14 Oct 2017 06:49:27 PM EEST
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key

This is the output I get:

Code:

gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Signature made Sat 14 Oct 2017 16:49:25 BST using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found

gpg.conf is not active and my RSA key ID is different to yours. But I think everything's ok.

Quote:

Code:

gpg --keyserver=keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B

This is my output:

Code:

gpg --keyserver=keyring.debian.org --recv-keys 6294BE9B
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Quote:

Code:

gpg --fingerprint DF9B9C49EAA9298432589D76DA87E80D6294BE9B

This is what I get:

Code:

gpg --fingerprint 6294BE9B
pub   4096R/6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key <debian-cd@lists.debian.org>
sub   4096R/11CD9819 2011-01-05

Quote:

Then you can try verifying the SHA512SUMS file with the key present:

Code:

gpg --verify SHA512SUMS.sign SHA512SUMSgpg: Signature made Sat 14 Oct 2017 06:49:27 PM EEST

This is what I get:

Code:

gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 14 Oct 2017 16:49:25 BST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

Quote:

See "web of trust" about the warning, but for now you've verified it as much as you can.

So it seems I have received a key from debian.org (RSA key ID 6294BE9B).
When I 'fingerprint' the key with gpg - it gives me another key: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B.
I can see both these numbers are on the link https://www.debian.org/CD/verify

Quote:

Then use the SHA512SUMS file to check the disc image:

Code:

sha512sum --ignore-missing -c SHA512SUMS

For some reason the '--ignore-missing' option is not recognised.
I get this:

Code:

sha512sum -c SHA512SUMSdebian-9.2.1-amd64-netinst.iso: OK

So does this mean the .iso file is ok via gpg and sha512sum?

Turbocapitalist · 11-03-2017, 07:41 AM

(I don't have anything good to say about systemd or, especially, about how it got where it is today. If you are interested in the power play that looks to be happening then some background reading can be found in the first of the "Halloween Documents". ESR has it hosted on his web site somewhere.)

Regarding the key the "6294BE9B" part of the fingerprint is too short to safely uniquely identify the key. So use only the full fingerprint. You'll see the short id in the tail end of the full fingerprint.

It looks like everything's ok in your methodology otherwise. So the SHA512SUM checks out with OpenPGP.

About --ignore missing with sha512sum, that option only hides complaints about files that are listed in SHA512SUMS but not present on the disk. Since they are not present, they don't need to be checked.

Code:

debian-9.2.1-amd64-netinst.iso: OK

Yes, that means that the disc image checks out with sha512sum.

firenze465 · 11-03-2017, 11:36 AM

Quote:

Originally Posted by Turbocapitalist

Regarding the key the "6294BE9B" part of the fingerprint is too short to safely uniquely identify the key. So use only the full fingerprint. You'll see the short id in the tail end of the full fingerprint.

I repeated the process with the long key and it gave me the same results.
The link is very helpful. Thank you very much.