Old 08-07-2016, 08:21 AM   #1
andrew.comly
Member
 
Registered: Dec 2012
Distribution: Trisquel-Mini 7.0, Lubuntu 14.04, Debian lxde 8.0
Posts: 308
Blog Entries: 2

Rep: Reputation: 16
Can't find all necessary official debian websites to verify iso


Can't Complete *.iso verification

I am trying to verify a debian iso. I would like to have an official hkp address so that I can verify debian 8.5 lxde amdx64 file authenticity and integrity. I have succeeded with the address eu.pool.sks-keyservers.net, but this is not an official debian url. Specifically I am executing the following commands from terminal:
Code:
   gpg --keyserver eu.pool.sks-keyservers.net --recv-keys 0x6294BE9B
   gpg: requesting key 6294BE9B from hkp server eu.pool.sks-keyservers.net
   gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
   gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
   gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: Total number processed: 1
   gpg:               imported: 1  (RSA: 1)
Notice how this fails with 1) https://keyring.debian.org and 2) debian-cd@lists.debian.org :
Fail msg 1)
Code:
$  gpg --keyserver https://keyring.debian.org --recv-keys 0x6294BE9B
   gpg: requesting key 6294BE9B from https server keyring.debian.org
   gpgkeys: protocol 'https' not supported
   gpg: no handler for keyserver scheme 'https'
   gpg: keyserver receive failed: keyserver error
Fail msg 2)
Code:
$ gpg --keyserver debian-cd@lists.debian.org --recv-keys 0x6294BE9B
   gpg: requesting key 6294BE9B from hkp server lists.debian.org
   ?: lists.debian.org: Network is unreachable
   gpgkeys: HTTP fetch error 7: could not connect: Network is unreachable
   gpg: no valid OpenPGP data found.
   gpg: Total number processed: 0
I am implementing the Verify ISO tutorial procedure found at https://help.ubuntu.com/community/VerifyIsoHowto.

Procedure outline:
A) Download SHA256SUMS and SHA256SUMS.gpg from http://cdimage.debian.org/debian-cd/...64/iso-hybrid/

B) Get the key
. 1) Display what key was used to issue the signature
Code:
$  gpg --verify SHA256SUMS.sign SHA256SUMS
. 2) Obtain the public key from the Ubuntu key server
To add the wanted key automatically to your keyring from the Ubuntu keyserver and calculate its trust:
Code:
	$  gpg --keyserver eu.pool.sks-keyservers.net --recv-keys 0x6294BE9B
. 3) Verify the key fingerprints:
Code:
	$  gpg --list-keys --with-fingerprint 0x6294BE9B
C) Verify the signature
Code:
	$  gpg --verify SHA256SUMS.sign SHA256SUMS
D) Check the ISO
Code:
	$  sha256sum -c <(grep debian-live-8.5.0-amd64-lxde-desktop.iso SHA256SUMS)
. This step really seems pointless. I have already checked the man pages for sha256sum and even commonly use the grep command, but I still am not clear what the hell this command is doing! More specifically, it can only be logical to have a command "cmd1" that checks two things against each other, thus commands should look like
Code:
cmd1 -option original new
or like the above two gpg commands
Code:
	$  gpg --list-keys --with-fingerprint 0x6294BE9B
	$  gpg --verify SHA256SUMS.sign SHA256SUMS
	<  gpg   (option) file1 file2  >
But the above "sha256sum -c <(grep..." line makes no sense since it is never specified what file it is checking the first checksum (debian-live-8.5.0-amd64-lxde-desktop.iso) against. It is just like an incomplete sentence. I really need help understanding sha256sum syntax and just what processes sha256sum is actually doing.


E) Burn iso to media
F) Check media drive still has same (https://help.ubuntu.com/community/HowToSHA256SUM)
Code:
	$  sudo fdisk -l                    # look up location of burnt iso media
	$  sudo sha256sum /dev/sdc1
Does Debian even have its own hkp website? Does anyone have a better way of verifying *.iso files?

Last edited by andrew.comly; 08-07-2016 at 06:47 PM. Reason: clarity
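
What the step D command does, as an added example that is not part of the original post: each line of SHA256SUMS already names the file to hash, so `sha256sum -c` needs no second argument. The file names `sample.iso` and `other-image.iso` and the functions `check_iso` and `make_demo` are hypothetical, all data is constructed, and a pipe into `-c -` stands in for `<(grep ...)` so the script also runs under plain sh.

```shell
#!/bin/sh
# Added example; every file below is constructed, none is a real Debian image.

# check_iso DIR NAME
# SHA256SUMS lines look like "<64 hex digits>  <filename>", so the list itself
# names the file to hash. `sha256sum -c LIST` opens each named file in the
# current directory, hashes it, and compares with the digest on that line.
# Status: 0 = digest matches, 3 = NAME not in the list, other = mismatch/unreadable.
check_iso() (
    cd "$1" || exit 2
    # Exact match on the filename field (text mode "name" or binary mode "*name");
    # unlike a bare grep, a "." in NAME is not a wildcard here.
    entry=$(awk -v n="$2" '$2 == n || $2 == "*" n' SHA256SUMS)
    [ -n "$entry" ] || exit 3
    # Same as `sha256sum -c <(grep NAME SHA256SUMS)`: "-" reads the list from stdin.
    printf '%s\n' "$entry" | sha256sum -c - >/dev/null 2>&1
)

# make_demo: build a scratch directory with a stand-in "ISO" and a two-entry
# checksum list whose first entry is an image that was never downloaded.
make_demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for ISO contents\n' > "$d/sample.iso"
    {
        printf '%064d  other-image.iso\n' 0
        (cd "$d" && sha256sum sample.iso)
    } > "$d/SHA256SUMS"
    printf '%s\n' "$d"
}

demo=$(make_demo)
# Unfiltered, the check fails on the image that is not present ...
(cd "$demo" && sha256sum -c SHA256SUMS >/dev/null 2>&1) || echo "whole list: FAILED"
# ... filtered to one line, only the downloaded file is judged.
check_iso "$demo" sample.iso && echo "sample.iso: OK"
printf 'x' >> "$demo/sample.iso"      # simulate a corrupted or altered download
check_iso "$demo" sample.iso || echo "sample.iso: FAILED after modification"
rm -rf "$demo"
```

The checksum comparison only proves the ISO matches the list; the list itself is trusted only after `gpg --verify` succeeds against a key whose fingerprint has been checked.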
 
Old 08-07-2016, 01:38 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I found https://linuxconfig.org/how-to-verif...rect-signature
and it shows:
Code:
$ gpg --keyserver keyring.debian.org --recv 6294BE9B
Edit: Mon Aug 08, 2016 - 12:52:45 PM EDT
Today I got from that url below:
Code:
gpg --keyserver hkp://keyring.debian.org --recv 6294BE9B
and this too worked.

So, the URI is hkp://resource.server.tld

See if that helps.

Is this "you"?

Last edited by Habitual; 08-08-2016 at 11:53 AM.
 
1 members found this post helpful.
  

