[SOLVED] Verify ISO image: Checksum and gpg key

fanoflq · 05-17-2017, 01:33 PM

I downloaded Fedora Cinnamon 25 and then
verify using these instructions,
https://spins.fedoraproject.org/en/verify

I do checksum first.

Code:

~/Downloads $ curl https://getfedora.org/static/fedora.gpg | gpg --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 22218  100 22218    0     0  25413      0 --:--:-- --:--:-- --:--:-- 25392
gpg: key 3AD31D0B: "Fedora-SPARC (15) <fedora@fedoraproject.org>" not changed
gpg: key 81B46521: "Fedora (24) <fedora-24-primary@fedoraproject.org>" not changed
gpg: key 030D5AED: "Fedora Secondary (24) <fedora-24-secondary@fedoraproject.org>" not changed
gpg: key FDB19C98: "Fedora 25 Primary (25) <fedora-25-primary@fedoraproject.org>" not changed
gpg: key E372E838: "Fedora 25 Secondary (25) <fedora-25-secondary@fedoraproject.org>" not changed
gpg: key 64DAB85D: "Fedora 26 Primary (26) <fedora-26-primary@fedoraproject.org>" not changed
gpg: key 3B921D09: "Fedora 26 Secondary (26) <fedora-26-secondary@fedoraproject.org>" not changed
gpg: key F5282EE4: "Fedora 27 (27) <fedora-27@fedoraproject.org>" not changed
gpg: key 0608B895: "EPEL (6) <epel@fedoraproject.org>" not changed
gpg: key 352C64E5: "Fedora EPEL (7) <epel@fedoraproject.org>" not changed
gpg: Total number processed: 10
gpg:              unchanged: 10
~/Downloads $ gpg --verify-files Fedora-Cinnamon-Live-x86_64-25-1.3.iso 
gpg: no valid OpenPGP data found.


#I could not find fedora.gpg
~/Downloads $ sudo updatedb
~/Downloads $ locate fedora.gpg
#Returns nothing.

Checksum and sha256 do not work.
What did I missed?

fanoflq · 05-17-2017, 02:49 PM

Solution to self:

Download this

https://spins.fedoraproject.org/stat...86_64-CHECKSUM

file (Fedora-Spins-25-1.3-x86_64-CHECKSUM) by clicking button "Validate 64bits" from this page,

https://spins.fedoraproject.org/cinn..._64-25-1.3.iso.

Quote:

~/Downloads/fedora $ ls
Fedora-Cinnamon-Live-x86_64-25-1.3.iso
Fedora-Spins-25-1.3-x86_64-CHECKSUM

Then do these:

Code:

$ gpg --verify-files Fedora-Spins-25-1.3-x86_64-CHECKSUM 
gpg: Signature made Fri 18 Nov 2016 07:15:37 AM MST using RSA key ID FDB19C98
gpg: Good signature from "Fedora 25 Primary (25) <fedora-25-primary@fedoraproject.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98

$ sha256sum -c Fedora-Spins-25-1.3-x86_64-CHECKSUM
sha256sum: Fedora-LXDE-Live-x86_64-25-1.3.iso: No such file or directory
Fedora-LXDE-Live-x86_64-25-1.3.iso: FAILED open or read
sha256sum: Fedora-Xfce-Live-x86_64-25-1.3.iso: No such file or directory
Fedora-Xfce-Live-x86_64-25-1.3.iso: FAILED open or read
sha256sum: Fedora-SoaS-Live-x86_64-25-1.3.iso: No such file or directory
Fedora-SoaS-Live-x86_64-25-1.3.iso: FAILED open or read
sha256sum: Fedora-KDE-Live-x86_64-25-1.3.iso: No such file or directory
Fedora-KDE-Live-x86_64-25-1.3.iso: FAILED open or read
Fedora-Cinnamon-Live-x86_64-25-1.3.iso: OK
sha256sum: Fedora-MATE_Compiz-Live-x86_64-25-1.3.iso: No such file or directory
Fedora-MATE_Compiz-Live-x86_64-25-1.3.iso: FAILED open or read
sha256sum: WARNING: 19 lines are improperly formatted
sha256sum: WARNING: 5 listed files could not be read

sundialsvcs · 05-18-2017, 07:24 AM

Just a further comment in-passing:

"Digest checksums," such as MD5 or SHAx, are only good enough today (IMHO ...) for files that you know from a trustworthy source. Otherwise, IMHO, it is crucial that they be digitally signed, i.e. using GPG.

"Digital signatures" check a message-digest payload (a digest checksum) that has been encrypted using a certain private-key. They verify that the payload can be decrypted using the public key, and then use a digest-algorithm to verify the decrypted digest. (And they should obtain that public key from a key-server.) This is intended to verify that the package was, indeed, prepared by someone who possessed that (secret) private key.