Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 22

Thread: How to verify GPG of downloaded ISO?

  1. #11
    Join Date
    Nov 2011
    Location
    Baton Rouge, LA US
    Posts
    33

    Default Re: How to verify GPG of downloaded ISO?

    I was looking for how to do this today. First I voted up for the feature request. Also found this:

    SDB:Check the validity of a SUSE RPM or ISO file - openSUSE

    Can't try it until download finishes. And I'm downloading in Mandriva 2010.2 so we'll see...

  2. #12
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,641
    Blog Entries
    3

    Default Re: How to verify GPG of downloaded ISO?

    I downloaded the iso files for 12.2 RC1 this morning. They were signed with key 0x3DBDC284 openSUSE Project Signing Key. I used aria2c to download the DVD isos, and that download left behind a ".sig" file containing the signature. Whether aria2c does that seems to depend on how the meta4 file is prepared.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  3. #13
    Join Date
    Nov 2011
    Location
    Baton Rouge, LA US
    Posts
    33

    Lightbulb Re: How to verify GPG of downloaded ISO?

    I'm not an expert but I think this *may* be how to do this. Would like confirmation from someone more knowledgeable.

    Using:

    How to Verify the PGP Signature Under Linux


    I got this result with openSuSE 12.2 RC1 x86_64.

    Code:
    $ gpg --verify openSUSE-DVD-Build0050-x86_64.iso.asc openSUSE-DVD-Build0050-x86_64.iso
    gpg: Signature made Wed 11 Jul 2012 08:08:33 AM CDT using RSA key ID 3DBDC284
    gpg: Can't check signature: public key not found
    
    $ gpg --keyserver pgp.mit.edu --recv-key 3DBDC284
    gpg: requesting key 3DBDC284 from hkp server pgp.mit.edu
    gpg: key 3DBDC284: public key "openSUSE Project Signing Key <opensuse@opensuse.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    
    $ gpg --fingerprint 3DBDC284
    pub   2048R/3DBDC284 2008-11-07 [expires: 2014-05-04]
          Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284
    uid                  openSUSE Project Signing Key <opensuse@opensuse.org>
    
    $ gpg --verify openSUSE-DVD-Build0050-x86_64.iso.asc openSUSE-DVD-Build0050-x86_64.iso
    gpg: Signature made Wed 11 Jul 2012 08:08:33 AM CDT using RSA key ID 3DBDC284
    gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284


    Another keyserver is blackhole.pca.dfn.de.

    Note this key fingerprint is different from the one listed here:

    software.opensuse.org: Download openSUSE 12.2 RC 1

    But I *think* that fingerprint is for openSuSE 12.1 stable.

    FWIW: If I am correct this should be better explained in the wiki page:

    http://tr.opensuse.org/SDB:Check_the_validity_of_a_SUSE_RPM_or_ISO_file
    Last edited by benbullard79; 13-Jul-2012 at 10:43. Reason: Spelling.

  4. #14
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: How to verify GPG of downloaded ISO?

    On 2012-07-13 19:46, benbullard79 wrote:
    > Note this key fingerprint is different from the one listed here:


    And that's a security bug you can report in the security mail list, for
    example :-)

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)



  5. #15
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: How to verify GPG of downloaded ISO?

    On 2012-07-13 19:46, benbullard79 wrote:
    >
    > I'm not an expert but I think this *may* be how to do this. Would like
    > confirmation from someone more knowledgeable.


    I get the same result. I have posted the issue to the factory mail list.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)



  6. #16

    Default Re: How to verify GPG of downloaded ISO?

    I tried to verify the x64 version of 13.2 opensuse

    - I imported to key mentioned above

    gpg --keyserver pgp.mit.edu --recv-key 307E3D54
    gpg: fordere Schlüssel 307E3D54 von hkp-Server pgp.mit.edu an
    gpg: Schlüssel 307E3D54: Öffentlicher Schlüssel "SuSE Package Signing Key <build@suse.de>" importiert
    gpg: 3 marginal-needed, 1 complete-needed, PGP Vertrauensmodell
    gpg: Tiefe: 0 gültig: 4 signiert: 0 Vertrauen: 0-, 0q, 0n, 0m, 0f, 4u
    gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2019-08-11
    gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
    gpg: importiert: 1 (RSA: 1)

    - Tried to verify the download

    gpg --verify openSUSE-13.2-DVD-x86_64.iso.asc openSUSE-13.2-DVD-x86_64.iso
    gpg: Signatur vom Di 04 Nov 2014 13:33:09 CET mittels RSA-Schlüssel ID 3DBDC284
    gpg: Signatur kann nicht geprüft werden: Kein öffentlicher Schlüssel


    - Downloaded the key mentioned in the error message

    gpg --keyserver pgp.mit.edu --recv-key 3DBDC284
    gpg: fordere Schlüssel 3DBDC284 von hkp-Server pgp.mit.edu an
    gpg: Schlüssel 3DBDC284: Öffentlicher Schlüssel "openSUSE Project Signing Key <opensuse@opensuse.org>" importiert
    gpg: 3 marginal-needed, 1 complete-needed, PGP Vertrauensmodell
    gpg: Tiefe: 0 gültig: 4 signiert: 0 Vertrauen: 0-, 0q, 0n, 0m, 0f, 4u
    gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2019-08-11
    gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
    gpg: importiert: 1 (RSA: 1)


    - Verified the downloaded .iso against this key

    gpg --verify openSUSE-13.2-DVD-x86_64.iso.asc openSUSE-13.2-DVD-x86_64.iso
    gpg: Signatur vom Di 04 Nov 2014 13:33:09 CET mittels RSA-Schlüssel ID 3DBDC284
    gpg: Korrekte Signatur von "openSUSE Project Signing Key <opensuse@opensuse.org>"
    gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
    gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
    Haupt-Fingerabdruck = 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284

    NO trustworthy signature for the opensuse build key? REALLY? In the end of year 2014? After Snowden, heartbleed, POODLE, openSSL and whatever you can imagine?

    I can't believe that, tell me I made a mistake, please...

  7. #17
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: How to verify GPG of downloaded ISO?

    On 2014-11-05 08:36, suse rasputin wrote:

    ....

    > gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem
    > vorgeblichen Besitzer gehört.
    > Haupt-Fingerabdruck = 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD
    > C284
    >
    > NO trustworthy signature for the opensuse build key? REALLY? In the end
    > of year 2014? After Snowden, heartbleed, POODLE, openSSL and whatever
    > you can imagine?


    Next time, please post the command results in English and inside a code tags block. I cannot read any of the above. Guessing, you did not sign the key, so it is untrusted - by you!


    Comment 1) When pasting here computer commands and such, please use a CODE BLOCK, so that the forum software doesn't do silly things like converting URLs to tiny URLs, wrap lines, or otherwise hide or alter the commands you entered. You get them by clicking on the '#' button in the forum editor.



    Comment 2) When the system language is not English, you should do,
    in order to post here, like this:

    Code:
    minas-tirith:~ # LANG=C zypper lr --details
    ....
    or this:

    Code:
    minas-tirith:~ # LANG=en_US.UTF-8 zypper info kvm
    Loading repository data...
    Warning: Repository 'openSUSE-11.4-Update' appears to outdated. Consider
    using a different mirror or server.
    Reading installed packages...

    That way we can all read it, regardless of local languages of sender and
    reader. It is not a permanent change, it only applies to one command.




    So, I'll do the test myself.


    cer@AmonLanc:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --verify openSUSE-13.2-Rescue-CD-x86_64.iso.sig
    gpg: Signature made 2014-10-30T16:21:39 CET using DSA key ID 9C800ACA
    gpg: Can't check signature: No public key
    cer@AmonLanc:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --recv-keys 9C800ACA
    gpg: requesting key 9C800ACA from hkp server pgp.mit.edu
    gpg: key 9C800ACA: public key "SuSE Package Signing Key <build@suse.de>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1
    cer@AmonLanc:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --verify openSUSE-13.2-Rescue-CD-x86_64.iso.sig
    gpg: Signature made 2014-10-30T16:21:39 CET using DSA key ID 9C800ACA
    gpg: Good signature from "SuSE Package Signing Key <build@suse.de>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA
    cer@AmonLanc:/data/hoard/Downloads.cer/isos/oS_13.2>


    In that computer the keys are unsigned. Let's try on another on which they are.


    cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --verify openSUSE-13.2-Rescue-CD-x86_64.iso.sig
    gpg: Signature made 2014-10-30T16:21:39 CET using DSA key ID 9C800ACA
    gpg: Good signature from "SuSE Package Signing Key <build@suse.de>"
    gpg: Note: This key has expired!
    Primary key fingerprint: 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA
    cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2>


    Expired?

    Maybe I have an old copy. So let's try download it again.


    cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --recv-keys 9C800ACA
    gpg: requesting key 9C800ACA from hkp server pgp.mit.edu
    gpg: key 9C800ACA: "SuSE Package Signing Key <build@suse.de>" 2 new signatures
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0 valid: 4 signed: 3 trust: 0-, 0q, 0n, 0m, 0f, 4u
    gpg: depth: 1 valid: 3 signed: 4 trust: 0-, 0q, 0n, 1m, 2f, 0u
    gpg: depth: 2 valid: 4 signed: 11 trust: 0-, 0q, 0n, 0m, 4f, 0u
    gpg: depth: 3 valid: 8 signed: 5 trust: 3-, 2q, 0n, 1m, 2f, 0u
    gpg: depth: 4 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 1f, 0u
    gpg: next trustdb check due at 2018-03-17
    gpg: Total number processed: 1
    gpg: new signatures: 2
    cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2>


    And check the download:


    cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --verify openSUSE-13.2-Rescue-CD-x86_64.iso.sig
    gpg: Signature made 2014-10-30T16:21:39 CET using DSA key ID 9C800ACA
    gpg: Good signature from "SuSE Package Signing Key <build@suse.de>"
    cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2>


    So, all is good. :-)


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  8. #18

    Default Re: How to verify GPG of downloaded ISO?

    Dear robin!

    Thank you for your quick reply.

    Hmmm, but you didn't use the code block in your reply, either?

    (sorry, but the error messages of gpg are quite the same, no matter what the language is and google is your friend, even translate).

    Anyways, why is your copy of 13.2 signed with an other key as my copy? opensuse@opensuse.org 3DBDC284 vs. build@opensuse.org 9C800ACA?

    The signature of my copy was virtually made at the time of downloading the copy, while yours was signed at 2014-30-10


    "In that computer the keys are unsigned. Let's try on another on which they are"

    So basically my computer is "untrusted", what would be the way to get it "trust" the opensuse key? Even more so as the key is apparently not the same as the one used by opensuse in the past?

    If I have to download the key manually and apply trust to the key without knowing where it REALLY belongs to the whole verification is useless, as anybody could exchange the key on the fly while I download it.

    Kindest regards

    rasputin

  9. #19

    Default Re: How to verify GPG of downloaded ISO?

    PS: When I try to find the key at

    https://pgp.mit.edu/

    I get

    Proxy Error

    The proxy server received an invalid response from an upstream server.
    The proxy server could not handle the request GET /pks/lookup.
    Reason: Error reading from remote server

    ...for both, the key ID 3DBDC284 as well as for the search string "opensuse@opensuse.org"


    PPS: After some more tries I found

    pub 2048R/3DBDC284 2008-11-07

    uid openSUSE Project Signing Key <opensuse@opensuse.org>
    sig sig3 3DBDC284 2008-11-07 __________ 2010-11-07 [selfsig]
    sig sig3 3DBDC284 2010-05-05 __________ 2014-05-04 [selfsig]
    sig sig 0175623E 2012-08-23 __________ __________ Marcus Meissner <meissner@suse.de>
    sig sig 3D25D3D9 2012-08-23 __________ __________ SuSE Security Team <security@suse.de>
    sig sig 30B94B5C 2013-05-04 __________ __________ 楊士青 (Yang Shih-Ching) <imacat@mail.imacat.idv.tw>
    sig sig 920E6F97 2013-08-15 __________ __________ []
    sig sig D1E3EBDD 2014-02-11 __________ __________ Sebastian Weber <s.wbr@gmx.de>
    sig sig3 3DBDC284 2014-05-05 __________ 2024-05-02 [selfsig]

  10. #20
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: How to verify GPG of downloaded ISO?

    On 2014-11-05 09:56, suse rasputin wrote:
    >
    > Dear robin!
    >
    > Thank you for your quick reply.
    >
    > Hmmm, but you didn't use the code block in your reply, either?


    Not all of it. I forgot on part of it. Nntp is different than web side.


    > (sorry, but the error messages of gpg are quite the same, no matter what
    > the language is and google is your friend, even translate).


    You are at an advantage there, you can read both languages. I can't. And
    google does a horrible job with computer messages.



    > Anyways, why is your copy of 13.2 signed with an other key as my copy?
    > opensuse@opensuse.org 3DBDC284 vs. build@opensuse.org 9C800ACA?


    Dunno. Maybe because I tested the CD?



    > "In that computer the keys are unsigned. Let's try on another on which
    > they are"
    >
    > So basically my computer is "untrusted",


    No, YOU, rasputin, trust the keys and sign them. Not the computer.
    Please read up how PGP works.


    > If I have to download the key manually and apply trust to the key
    > without knowing where it REALLY belongs to the whole verification is
    > useless, as anybody could exchange the key on the fly while I download
    > it.


    Absolutely.

    But not anybody, but somebody in the position and with the resources to
    do so.

    But in this particular case, the fingerprint is published somewhere.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)
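    The posts above (#13, #16, #17 and the exchange in #18/#20) all end at the same point: gpg reports "Good signature" but warns that the key is not certified, and the only thing that actually ties the key to the project is its fingerprint published out of band. The following POSIX shell script is an added example, not code from the thread or from openSUSE; it runs the verification and then pins the primary-key fingerprint from gpg's machine-readable status output to an expected value. It assumes GnuPG 2.x is installed as `gpg`; `EXPECTED_FPR` is the fingerprint shown in post #13 and must be replaced with whatever the project publishes for the release you downloaded, and `SAMPLE_STATUS` is a constructed status report used only so the script can be exercised without a real ISO.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from openSUSE: verify a
# detached signature on an ISO and pin the signer's primary-key fingerprint
# to one obtained out of band (the project's download page or wiki).
# Assumptions: GnuPG 2.x is installed as "gpg"; EXPECTED_FPR is the value
# from post #13 and must be replaced for the release you actually downloaded.

EXPECTED_FPR='22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284'

# Strip whitespace and upper-case the hex digits so "22c0 7ba5 ..." and
# "22C07BA5..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Return 0 when two fingerprints match after normalization.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Pull the primary-key fingerprint out of gpg's status lines. On a VALIDSIG
# line field 3 is the signing (sub)key and field 12 the primary key; older
# gpg versions omit field 12, in which case field 3 is the primary key itself.
primary_fpr_from_status() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# Accept a status report only if it has a GOODSIG, no BADSIG/ERRSIG, no
# expired or revoked signing key, and the primary-key fingerprint equals the
# pinned one. gpg itself exits 0 for a good signature from an uncertified
# key (the WARNING seen in the thread), so this comparison is the check that
# the warning is asking you to make.
check_status() {
    status=$1
    expected=$2
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    got=$(primary_fpr_from_status "$status")
    [ -n "$got" ] || return 1
    fpr_matches "$got" "$expected"
}

# Run gpg on a real ISO and its detached .asc/.sig file. --status-fd 1 sends
# the parseable status lines to stdout; the human-readable messages still go
# to stderr, so the familiar "Good signature" text stays visible. gpg's exit
# code is deliberately ignored: the decision is made from the status lines.
verify_iso() {
    iso=$1
    sig=$2
    expected=${3:-$EXPECTED_FPR}
    status=$(gpg --status-fd 1 --verify "$sig" "$iso") || :
    check_status "$status" "$expected"
}

# Constructed sample (not captured from a real run) of what gpg --status-fd
# emits for the good signature shown in post #13; timestamps are made up.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B88B2FD43DBDC284 openSUSE Project Signing Key <opensuse@opensuse.org>
[GNUPG:] VALIDSIG 22C07BA534178CD02EFE22AAB88B2FD43DBDC284 2012-07-11 1342012113 0 4 0 1 2 00 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Stand-alone demonstration on the constructed sample. With a real download
# run: verify_iso openSUSE-DVD.iso openSUSE-DVD.iso.asc
if check_status "$SAMPLE_STATUS" "$EXPECTED_FPR"; then
    echo "fingerprint pinned: signature acceptable"
else
    echo "REJECT: signature missing, bad, expired, or from an unexpected key"
fi
```

    Two design points. First, `check_status` treats an expired key (the `EXPKEYSIG` case Carlos hit on Telcontar before refreshing the key) as a rejection rather than a "Good signature", so a stale keyring cannot silently pass. Second, when fetching the key in the first place, pass `gpg --recv-keys` the full 40-hex-digit fingerprint instead of the 8-digit short ID used in the posts; a short ID is only the last 32 bits of the fingerprint, and keyservers will happily return a different key that shares it.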

