I have tried to use the gpg verification as mentioned on the download page. Downloaded the public key
from the server. However when I verify the iso, I get a message stating that the key is unsigned, and therefore unreliable. Could someone let me know where I can get a signed key for this procedure?
Thank you.
On 10/26/2012 09:16 AM, CzLaz wrote:
>
> where I can get a signed key for this procedure?
i do not know the answer to that question, but in my opinion the best
way to ensure you have an exact byte by byte and therefore
trustworthy image is to download from http://software.opensuse.org/
both the iso and the “md5 checksum” (or “sha 1 checksum”, your choice)
and compare it with the locally calculated results as described here:
http://en.opensuse.org/SDB:Download_help#Checksums
–
dd
CzLaz,
frankly, I never did that. The checksum verification (md5) is sufficient. The goal is to make sure the file downloaded is okay and not damaged, that’s pretty much it.
Why do you need a signed key? Any suspicions the ISO has been tampered with?
Uwe
On 2012-10-26 10:19, Uwe Buckesfeld wrote:
> * CzLaz,
>
> frankly, I never did that. The checksum verification (md5) is sufficient. The goal is to make sure
> the file downloaded is okay and not damaged, that’s pretty much it.
> Why do you need a signed key? Any suspicions the ISO has been tampered with?
The best method to verify download and that there is no tampering by a rogue mirror is, effectively,
the gpg signature.
OP: About the message that the key is not signed, it is of course correct, and no, you can not get
another signed key - the question itself means that you have not read or understood how the signing
or chain of trust works with gpg. Ultimately, it is you yourself who has to sign the key, or another
key from somebody else that signs another key from somebody else that signs another key from
somebody else that signs another key from somebody else that signs another key… till somebody in
the chain signs the openSUSE key.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))
This is the one drawback of gpg. In order for it to work, the key has to be signed with a trusted signature.
For me, it is signed with a trusted signature. That is, I signed it myself (with a local non-exportable signature for my own use). So now I don’t have that problem, until they change the signing key.
You can use the key id to search for the key on public keyservers. Perhaps the copy you pick up there will already have a signature that you trust. Otherwise, at some time you have to make a decision yourself on trusting the signing key, and then add your own signature (as I did).
Here’s one way of getting started:
1: Download the iso.
2: Get the md5sum and sha256sum or whatever.
3: Get the gpg signature.
4: Check the signatures and checksums, and see if they match.
5: Wait for two or three weeks. Then check back, and make sure that the listed checksums and gpg signature are the same as when you downloaded. If they are, and if you are sure that you are at the correct site, then you are good to go. You can now add your signature to the signing key for future use.
The rationale - the main risks are that you might be at the wrong site (so double check that), or that hackers might have broken into the site and put up a bogus iso with checksums to match. Waiting a few weeks, then rechecking, makes that unlikely.
And once you are confident, then adding your own signature to the signing key (to just the copy in your keyring) makes it easier to be sure the next time.
Hi buckesfeld.
As long as the download is from openSUSE itself, you are right, as both MD5 and SHA1 will verify that what arrived via download was what was sent. Should you download from a third party server, the picture changes. The iso could be altered, and an MD5/SHA1 checksum issued to match. To the best of my understanding, gpg goes a step further, by authenticating the original package itself.
I’m not worried about it, as I am content to obtain iso’s from openSUSE itself, my objective was to learn about the process itself. The unsigned key issue strikes me as a weakness in the system.
Actually, I did try to read all about gpg, and found it pretty hard to digest. I was struck by the unsigned key issue, because it represents a weakness to me. Allowing outsiders like me to do the signing hardly inspires confidence.
Fedora has seen fit to make available their signed keys from their own servers, and I thought openSUSE would have done the same.
Thanks for your input
Laz
Thank you for your detailed response, it is much appreciated. This is a learning exercise for me, the first time I had a look at the gpg verification. I find it odd that a security procedure should rely on an unsigned key. While the expert gurus may laugh at the idea of being redirected to rogue servers, it is a possibility for the ordinary Joe. If so, how hard would it be for a circle of black hats to sign a key?
Actually, it is no weaker than using an md5sum. It is just that gpg warns you of the weakness, while md5sum doesn’t.
> Allowing outsiders like me to do the signing hardly inspires confidence.
That’s the way that gpg (and PGP) have always worked.
Anybody can sign any key. But a signature on a key is worthless unless you trust the signer. That you can sign the opensuse key does nothing for me, because I am not currently trusting your key. That I have signed my own copy of the opensuse key likewise does nothing for you, because you don’t trust my key.
If you sign the key, that is your way of telling the software that you trust it. That works, because presumably you trust yourself as signer.
> Fedora has seen fit to make available their signed keys from their own servers, and I thought openSUSE would have done the same.
That Fedora has signed its keys does not do anything for you, unless you have already trusted the Fedora signing keys. So you probably still need to sign the Fedora key yourself.
The opensuse signing key is probably available from public keyservers, and perhaps from a suse site somewhere.
I currently have the following suse keys in my keyring:
% gpg --list-keys suse
pub 2048R/3D25D3D9 1999-03-06
uid SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 [expires: 2014-05-03]
uid SuSE Package Signing Key <build@suse.de>
sub 2048g/8495160C 2000-10-19 [expires: 2014-05-03]
pub 1024D/000AABA4 2000-12-18
uid Roman Drahtmueller <draht@suse.de>
sub 1024g/B4465B57 2000-12-18
pub 1024R/307E3D54 2006-03-21 [expires: 2014-05-03]
uid SuSE Package Signing Key <build@suse.de>
pub 1024D/629FF0C2 2008-01-22 [expired: 2010-04-01]
uid GNOME OBS Project <GNOME@build.opensuse.org>
pub 2048R/3DBDC284 2008-11-07 [expires: 2014-05-04]
uid openSUSE Project Signing Key <opensuse@opensuse.org>
I see that one of those has expired, though it is harmless to leave it on my keyring.
I’ll grant that the learning curve for gpg is a bit steep.
On 2012-10-26 23:16, CzLaz wrote:
>
> Actually, I did try to read all about gpg, and found it pretty hard to
> digest.
There is a howto doc somewhere that is easier.
> I was struck by the unsigned key issue, because it represents a
> weakness to me. Allowing outsiders like me to do the signing hardly
> inspires confidence.
Well, it is a free, open, model.
> Fedora has seen fit to make available their signed keys from their own
> servers, and I thought openSUSE would have done the same.
So does openSUSE. Those keys are usually signed by devs and managers from SUSE - but all that is
moot, the key is unsigned until YOU sign it. ‘You’ is who matters for the software that does the
checking, not the signature by the project manager, or Linus Torvalds himself. YOU have to sign their
keys…
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))
On 2012-10-26 23:36, CzLaz wrote:
> Thank you for your detailed response, it is much appreciated. This is
> a learning exercise for me, the first time I had a look at the gpg
> verification. I find it odd that a security procedure should rely on an
> unsigned key. While the expert gurus may laugh at the idea of being
> redirected to rogue servers, it is a possibility for the ordinary Joe.
> If so, how hard would it be for a circle of black hats to sign a key?
Get them all in the same room, with you. Until you sign their keys, they are bad.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))
> Anybody can sign any key. But a signature on a key is worthless unless you trust the signer. That you can sign the opensuse key does nothing for me, because I am not currently trusting your key. That I have signed my own copy of the opensuse key likewise does nothing for you, because you don’t trust my key.
Well, that’s just the point. While gpg works wonders for personal communications where all participants are known to each other, the same can’t be said when the key is sent out into the wild, and anyone can sign it.
Under the circumstances, as far as I’m concerned gpg is no more secure than MD5 or SHA hash verification methods, provided the file source can be trusted.
> There is a howto doc somewhere that is easier.
Yes I found it, it’s at gnupg.org
> Well, it is a free, open, model.
True, but it really wasn’t designed for this purpose. In fact the manual refers to emails and such, which would involve a closed circle. (Keyring?)
> So does openSUSE. Those keys are usually signed by devs and managers from SUSE - but all that is
> moot, the key is unsigned until YOU sign it. ‘You’ is who matters for the software that does the
> checking, not the signature by the project manager, or Linus Torvalds himself. YOU have to sign their
> keys…
I can sign it, that’s no problem, but who’s to say it was the real McCoy?
Anyway, it was a good exercise, and I thank you, and all others for your responses.
On 2012-10-27 09:36, CzLaz wrote:
> I can sign it, that’s no problem, but who’s to say it was the real
> McCoy?
Then don’t sign it - I don’t sign any keys
> Anyway, it was a good exercise, and I thank you, and all others for your
> responses.
Consider that the alternative costs money.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))
On 2012-10-27 09:26, CzLaz wrote:
> Well, that’s just the point. While gpg works wonders for personal
> communications where all participants are known to each other, the same
> can’t be said when the key is sent out into the wild, and anyone can sign
> it.
Anyone known to me, or known to somebody known to me. Unknown people are ignored.
> Under the circumstances as far as I’m concerned gpg is no more secure
> than MD5 or SHA hash verification methods, provided the file source can be
> trusted.
MD5 can be bypassed. You can create an ISO file intentionally with the same checksum, and different
content.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))
But that’s a mistaken way of looking at it.
If you start without prior knowledge of the gpg key, then the first time you download an iso from opensuse, the gpg signature is no safer than an MD5 check.
However, if you have once gone to the trouble of checking whether it was a safe download, you can now sign the key. And in future, you will be better off with the gpg signature check because you already have a basis for trusting that signature. But the MD5 or similar check is just as risky the second time as the first.
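What the last post and nbrob's earlier point ("if you sign the key, that is your way of telling the software that you trust it") look like in practice, as an added example that is not from any participant in the thread: a shell script that builds two throwaway GnuPG homes, one playing the publisher and one playing you, signs a constructed file with the publisher key, imports only the public key into your home, and reads gpg's machine-readable trust status before and after you lsign the publisher key. Everything here is constructed: the user ids, both keys and the file are stand-ins, not openSUSE's key; the helper names are assumptions; gpg 2.1 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): the trust warning the OP saw, reproduced
# in two throwaway GnuPG homes, and what changes after you lsign the key.
# Assumptions: gpg 2.1 or later on PATH; both keys, the user ids below and the
# file contents are constructed for this demo, nothing here is an openSUSE key.
PUB_UID='Stand-in Project Signing Key <signing@example.invalid>'  # plays "openSUSE"
ME_UID='Local User <me@example.invalid>'                          # plays "you"

# gpg against a given home directory, non-interactive, with empty passphrases.
g() { h=$1; shift; GNUPGHOME="$h" gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Create publisher and user homes, sign a constructed file with the publisher
# key, and import only the publisher's public key into the user's keyring.
gpg_sandbox_setup() {
    root=$(mktemp -d); mkdir -m 700 "$root/pub" "$root/usr"
    printf 'constructed stand-in for an iso image\n' > "$root/fake.iso"
    g "$root/pub" --quick-generate-key "$PUB_UID" default default never 2>/dev/null
    g "$root/pub" --armor --output "$root/fake.iso.asc" --detach-sign "$root/fake.iso" 2>/dev/null
    g "$root/pub" --armor --export "$PUB_UID" > "$root/signing-key.asc" 2>/dev/null
    g "$root/usr" --quick-generate-key "$ME_UID" default default never 2>/dev/null
    g "$root/usr" --import "$root/signing-key.asc" 2>/dev/null
    echo "$root"
}

# Verify the detached signature as the user and print gpg's TRUST_* status
# token. TRUST_UNDEFINED is the machine-readable form of the warning
# "This key is not certified with a trusted signature!"; the signature itself
# is still reported as good, which is why gpg exits 0 either way.
signature_trust() {
    g "$1/usr" --status-fd 1 --verify "$1/fake.iso.asc" "$1/fake.iso" 2>/dev/null \
        | awk '/^\[GNUPG:\] TRUST_/ {print $2; exit}'
}

# The "add your own signature" step: once you have decided the key is genuine,
# certify it locally (non-exportable) with your own, ultimately trusted key.
lsign_publisher_key() {
    fpr=$(g "$1/usr" --with-colons --fingerprint "$PUB_UID" 2>/dev/null \
          | awk -F: '$1 == "fpr" {print $10; exit}')
    g "$1/usr" --quick-lsign-key "$fpr" 2>/dev/null
    g "$1/usr" --check-trustdb 2>/dev/null
}

gpg_sandbox_teardown() {
    for h in "$1/pub" "$1/usr"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null; done
    rm -rf "$1"
}

if command -v gpg >/dev/null 2>&1; then
    root=$(gpg_sandbox_setup)
    echo "before lsign: $(signature_trust "$root")"   # TRUST_UNDEFINED
    lsign_publisher_key "$root"
    echo "after lsign:  $(signature_trust "$root")"   # TRUST_FULLY
    gpg_sandbox_teardown "$root"
fi
```

Nothing about the publisher's key or the signature changes between the two verifications; only your own keyring does. Because gpg gives a key full validity once it carries a certification from a key you trust ultimately (your own), the same signature that produced the warning now verifies cleanly, which is exactly the "better off the second time" the post above describes. A local signature made with --quick-lsign-key never leaves your keyring, so it says nothing to anyone else, matching the thread's point that your signature only matters to your own copy of gpg.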