
Thread: How to verify GPG of downloaded ISO?

  1. #1


    Hi,

    Download page at software.opensuse.org: Download openSUSE 12.1 says:

    gpg signature offers the most security as you can verify who signed it. It should be 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA
    Who is that "It"? "It should be 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA"?
    As long as you don't know the public key, you can't use "gpg --verify".

    What should a user do to verify the signature? Shouldn't the public key be mentioned as well?

    >gpg -v --verify openSUSE-12.1-DVD-x86_64.iso-1.asc openSUSE-12.1-DVD-x86_64.iso
    gpg: armor header: Version: GnuPG v1.0.7 (GNU/Linux)
    gpg: Signature made 11/13/11 00:56:03 using RSA key ID 307E3D54
    gpg: Can't check signature: public key not found

  2. #2

    Use: gpg --recv-key 307E3D54 to retrieve a copy of the key from the keyservers. This may require that you first configure suitable keyservers. Here's the basic info on the key:
    Code:
    % gpg --list-key 307E3D54
    pub   1024R/307E3D54 2006-03-21 [expires: 2014-05-03]
    uid                  SuSE Package Signing Key <build@suse.de>
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  3. #3


    Originally posted by nrickert:
    Use: gpg --recv-key 307E3D54 to retrieve a copy of the key from the keyservers.
    Thanks for the tip!
    Unfortunately, HKP is blocked by my organization firewall.
    Is there an official openSUSE web page (HTTP/HTTPS) that contains ASCII GPG public keys?

  4. #4

    If you are currently running 11.4, then you probably have that key on your system already.

    Try:
    Code:
    gpg --import /usr/lib/rpm/gnupg/suse-build-key.gpg
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  5. #5


    Originally posted by nrickert:
    If you are currently running 11.4, then you probably have that key on your system already.
    No, I was running Windows

  6. #6

    On 2011-11-18 18:06, tosiara wrote:
    > Unfortunately, HKP is blocked by my organization firewall.


    Too bad.
    I think there are some key servers that use http.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  7. #7

    On 2011-11-18 18:06, tosiara wrote:
    > Unfortunately, HKP is blocked by my organization firewall.


    These are old, do not know if they work:

    #keyserver mailto:pgp-public-keys@keys.nl.pgp.net
    #keyserver ldap://pgp.surfnet.nl:11370
    #keyserver ldap://keyserver.pgp.com

    #keyserver ldap://pgp.rediris.es

    Or get the key at home.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  8. #8


    There is a feature request already filed for this: https://features.opensuse.org/312047

    I hope some day openSUSE will provide an official way to get the public key.

  9. #9


    Look how Google does that:

    Key Details

    Download: https://dl-ssl.google.com/linux/linux_signing_key.pub
    Key ID: Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
    Fingerprint: 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
    Linux Software Repositories – Google

  10. #10


    Originally posted by tosiara:
    There is a feature request already filed for this: https://features.opensuse.org/312047

    I hope some day openSUSE will provide an official way to get the public key.
    Yes, please vote up!

    You can view/delete/export keys with lskeys: http://forums.opensuse.org/english/o...ml#post2406130 Doesn't really help but at least, it shows you which of your keys have expired.
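
The check this thread is asking about, as an added example that is not part of any post and not openSUSE's own tooling: a key fetched by the short ID 307E3D54 proves nothing until the fingerprint of the key that made the signature is compared with one obtained separately, such as the one printed on the download page. The function names and the status line in `SAMPLE_STATUS` are constructed for illustration; `verify_iso` assumes `gpg`, `mktemp` and `awk` are installed.

```shell
#!/bin/sh
# Added example (not from the thread); all function names are hypothetical.

# Remove whitespace and upper-case, so "79c1 79b2 ..." and "79C179B2..." compare equal.
normalize_hex() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if the fingerprint ends in the key ID. For OpenPGP v4 keys the
# short (8 hex digit) and long (16 hex digit) key IDs are the tail of the fingerprint.
fpr_ends_with_keyid() {
    fpr=$(normalize_hex "$1")
    kid=$(normalize_hex "$2")
    [ -n "$kid" ] || return 1
    case "$fpr" in
        *"$kid") return 0 ;;
        *) return 1 ;;
    esac
}

# Read `gpg --status-fd` output on stdin and print the primary-key fingerprint
# of the first VALIDSIG line (field 12), or the signing-key fingerprint
# (field 3) when an old gpg omits the primary one. Prints nothing if no VALIDSIG.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# Verify ISOFILE against SIGFILE using only the key in KEYFILE, and accept the
# result only if the key that made the signature has the fingerprint that was
# obtained separately (for example from the HTTPS download page).
verify_iso() {   # usage: verify_iso KEYFILE EXPECTED_FPR SIGFILE ISOFILE
    home=$(mktemp -d) || return 2          # throwaway keyring, removed below
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$3" "$4" 2>/dev/null)
    rc=$?
    rm -rf "$home"
    [ "$rc" -eq 0 ] || return 1
    got=$(printf '%s\n' "$status" | validsig_primary_fpr)
    [ -n "$got" ] && [ "$got" = "$(normalize_hex "$2")" ]
}

# Constructed status line for trying the parser without gpg; both fingerprints
# are made-up values, not real keys.
SAMPLE_STATUS='[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2011-11-13 1321145763 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
```

Applied to the two values in post #1, `fpr_ends_with_keyid` succeeds for 9C800ACA and fails for 307E3D54: the fingerprint quoted from the download page does not end in the key ID that gpg reported for the signature.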
