LinuxQuestions.org
Old 05-17-2017, 01:33 PM   #1
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Rep: Reputation: Disabled
Verify ISO image: Checksum and gpg key


I downloaded Fedora Cinnamon 25 and then
verified it using these instructions,
https://spins.fedoraproject.org/en/verify

I did the checksum first.
Code:
~/Downloads $ curl https://getfedora.org/static/fedora.gpg | gpg --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 22218  100 22218    0     0  25413      0 --:--:-- --:--:-- --:--:-- 25392
gpg: key 3AD31D0B: "Fedora-SPARC (15) <fedora@fedoraproject.org>" not changed
gpg: key 81B46521: "Fedora (24) <fedora-24-primary@fedoraproject.org>" not changed
gpg: key 030D5AED: "Fedora Secondary (24) <fedora-24-secondary@fedoraproject.org>" not changed
gpg: key FDB19C98: "Fedora 25 Primary (25) <fedora-25-primary@fedoraproject.org>" not changed
gpg: key E372E838: "Fedora 25 Secondary (25) <fedora-25-secondary@fedoraproject.org>" not changed
gpg: key 64DAB85D: "Fedora 26 Primary (26) <fedora-26-primary@fedoraproject.org>" not changed
gpg: key 3B921D09: "Fedora 26 Secondary (26) <fedora-26-secondary@fedoraproject.org>" not changed
gpg: key F5282EE4: "Fedora 27 (27) <fedora-27@fedoraproject.org>" not changed
gpg: key 0608B895: "EPEL (6) <epel@fedoraproject.org>" not changed
gpg: key 352C64E5: "Fedora EPEL (7) <epel@fedoraproject.org>" not changed
gpg: Total number processed: 10
gpg:              unchanged: 10
~/Downloads $ gpg --verify-files Fedora-Cinnamon-Live-x86_64-25-1.3.iso 
gpg: no valid OpenPGP data found.


#I could not find fedora.gpg
~/Downloads $ sudo updatedb
~/Downloads $ locate fedora.gpg
#Returns nothing.
Checksum and sha256 do not work.
What did I miss?

Last edited by fanoflq; 05-17-2017 at 02:06 PM.
 
Old 05-17-2017, 02:49 PM   #2
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled

Solution to self:

Download this

https://spins.fedoraproject.org/stat...86_64-CHECKSUM

file (Fedora-Spins-25-1.3-x86_64-CHECKSUM) by clicking button "Validate 64bits" from this page,

https://spins.fedoraproject.org/cinn..._64-25-1.3.iso.

Quote:
~/Downloads/fedora $ ls
Fedora-Cinnamon-Live-x86_64-25-1.3.iso
Fedora-Spins-25-1.3-x86_64-CHECKSUM

Then do these:
Code:
$ gpg --verify-files Fedora-Spins-25-1.3-x86_64-CHECKSUM 
gpg: Signature made Fri 18 Nov 2016 07:15:37 AM MST using RSA key ID FDB19C98
gpg: Good signature from "Fedora 25 Primary (25) <fedora-25-primary@fedoraproject.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98

$ sha256sum -c Fedora-Spins-25-1.3-x86_64-CHECKSUM
sha256sum: Fedora-LXDE-Live-x86_64-25-1.3.iso: No such file or directory
Fedora-LXDE-Live-x86_64-25-1.3.iso: FAILED open or read
sha256sum: Fedora-Xfce-Live-x86_64-25-1.3.iso: No such file or directory
Fedora-Xfce-Live-x86_64-25-1.3.iso: FAILED open or read
sha256sum: Fedora-SoaS-Live-x86_64-25-1.3.iso: No such file or directory
Fedora-SoaS-Live-x86_64-25-1.3.iso: FAILED open or read
sha256sum: Fedora-KDE-Live-x86_64-25-1.3.iso: No such file or directory
Fedora-KDE-Live-x86_64-25-1.3.iso: FAILED open or read
Fedora-Cinnamon-Live-x86_64-25-1.3.iso: OK
sha256sum: Fedora-MATE_Compiz-Live-x86_64-25-1.3.iso: No such file or directory
Fedora-MATE_Compiz-Live-x86_64-25-1.3.iso: FAILED open or read
sha256sum: WARNING: 19 lines are improperly formatted
sha256sum: WARNING: 5 listed files could not be read

Last edited by fanoflq; 05-17-2017 at 02:50 PM.
 
Old 05-18-2017, 07:24 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,240
Blog Entries: 4

Rep: Reputation: 3263
Just a further comment in passing:

"Digest checksums," such as MD5 or SHAx, are only good enough today (IMHO ...) for files that you know from a trustworthy source. Otherwise, IMHO, it is crucial that they be digitally signed, i.e. using GPG.

"Digital signatures" check a message-digest payload (a digest checksum) that has been encrypted using a certain private-key. They verify that the payload can be decrypted using the public key, and then use a digest-algorithm to verify the decrypted digest. (And they should obtain that public key from a key-server.) This is intended to verify that the package was, indeed, prepared by someone who possessed that (secret) private key.
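The procedure from post #2 combined with the point of post #3, as an added example that is not part of the thread: the hashes are used only after the signature on the CHECKSUM file verifies against one pinned key, and only the signed text is passed to sha256sum. The function names are made up for this example; `EXPECTED_FPR` is the fingerprint from the gpg output in post #2.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. The fingerprint is the one gpg printed in
# post #2; confirm it against a copy obtained independently of the download.
EXPECTED_FPR="C437DCCD558A66A37D6F43724089D8F2FDB19C98"

# signed_by FPR: reads gpg --status-fd output on stdin and succeeds only if a
# VALIDSIG line names FPR as the primary key (last field). A "Good signature"
# from any other key in the keyring does not pass.
signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == want { ok = 1 }
        END { exit !ok }'
}

# check_listed LIST ISO: checks ISO against the hashes in LIST. --ignore-missing
# skips the spins that were not downloaded; the grep requires an explicit OK
# for this ISO, so a list that does not mention it fails.
check_listed() {
    local list iso_dir iso_name
    list=$(cd "$(dirname "$1")" && pwd)/$(basename "$1") || return 1
    iso_dir=$(dirname "$2"); iso_name=$(basename "$2")
    ( cd "$iso_dir" &&
      sha256sum -c --ignore-missing "$list" 2>/dev/null |
      grep -qxF "$iso_name: OK" )
}

# verify_iso CHECKSUM_FILE ISO: hashes are only trusted after the signature
# check. --decrypt on a clearsigned file writes out just the signed text, so
# nothing outside the signature reaches sha256sum.
verify_iso() {
    local tmp rc=1
    tmp=$(mktemp -d) || return 1
    if gpg --batch --status-fd 3 --output "$tmp/signed.txt" \
           --decrypt "$1" 3>"$tmp/status" 2>/dev/null &&
       signed_by "$EXPECTED_FPR" <"$tmp/status"; then
        check_listed "$tmp/signed.txt" "$2" && rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage with the files from post #2:
#   verify_iso Fedora-Spins-25-1.3-x86_64-CHECKSUM \
#              Fedora-Cinnamon-Live-x86_64-25-1.3.iso && echo "verified"
```

`--ignore-missing` needs GNU coreutils 8.25 or later. The "This key is not certified with a trusted signature" warning in post #2 means gpg has no trust path to the key, which is why the fingerprint comparison carries the weight here.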
 
  

