How to verify GPG of downloaded ISO?

Hi,

Download page at software.opensuse.org: Download openSUSE 12.1 says:

gpg signature offers the most security as you can verify who signed it. It should be 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA

Who is that “It”? “It should be 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA”?
As long as you don’t know the public key you can’t use “gpg --verify”.

What should a user do to verify the signature? Shouldn’t the public key also be mentioned?

>gpg -v --verify openSUSE-12.1-DVD-x86_64.iso-1.asc openSUSE-12.1-DVD-x86_64.iso
gpg: armor header: Version: GnuPG v1.0.7 (GNU/Linux)
gpg: Signature made 11/13/11 00:56:03 using RSA key ID 307E3D54
gpg: Can’t check signature: public key not found

Use: gpg --recv-key 307E3D54 to retrieve a copy of the key from the keyservers. This may require that you first configure suitable keyservers. Here’s the basic info on the key:


% gpg --list-key 307E3D54
pub   1024R/307E3D54 2006-03-21 [expires: 2014-05-03]
uid                  SuSE Package Signing Key <build@suse.de>

Thanks for the tip!
Unfortunately, HKP is blocked by my organization firewall.
Is there an official openSUSE web page (HTTP/HTTPS) that contains ASCII GPG public keys?

If you are currently running 11.4, then you probably have that key on your system already.

Try:


gpg --import /usr/lib/rpm/gnupg/suse-build-key.gpg

No, I was running Windows

On 2011-11-18 18:06, tosiara wrote:
> Unfortunately, HKP is blocked by my organization firewall.

Too bad.
I think there are some key servers that use http.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2011-11-18 18:06, tosiara wrote:
> Unfortunately, HKP is blocked by my organization firewall.

These are old, do not know if they work:

#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
#keyserver ldap://pgp.surfnet.nl:11370
#keyserver ldap://keyserver.pgp.com

#keyserver ldap://pgp.rediris.es

Or get the key at home.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

There is a feature request already filed for this: https://features.opensuse.org/312047

I hope some day openSUSE will provide official way to get public key.

Look, how Google does that:

Key Details

Download: https://dl-ssl.google.com/linux/linux_signing_key.pub
Key ID: Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
Fingerprint: 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991

Linux Software Repositories – Google

Yes, please vote up!

You can view/delete/export keys with lskeys: http://forums.opensuse.org/english/other-forums/development/programming-scripting/467014-list-export-remove-rpm-gpg-keys.html#post2406130 Doesn’t really help but at least, it shows you which of your keys have expired.

I was looking for how to do this today. First I voted up for the feature request. Also found this:

SDB:Check the validity of a SUSE RPM or ISO file - openSUSE

Can’t try it until download finishes. And I’m downloading in Mandriva 2010.2 so we’ll see…

I downloaded the iso files for 12.2 RC1 this morning. They were signed with key 0x3DBDC284 openSUSE Project Signing Key. I used aria2c to download the DVD isos, and that download left behind a “.sig” file containing the signature. Whether aria2c does that seems to depend on how the meta4 file is prepared.

I’m not an expert but I think this may be how to do this. Would like confirmation from someone more knowledgeable.

Using: How to Verify the PGP Signature Under Linux

I got this result with openSuSE 12.2 RC1 x86_64.

$ gpg --verify openSUSE-DVD-Build0050-x86_64.iso.asc openSUSE-DVD-Build0050-x86_64.iso
gpg: Signature made Wed 11 Jul 2012 08:08:33 AM CDT using RSA key ID 3DBDC284
gpg: Can't check signature: public key not found

$ gpg --keyserver pgp.mit.edu --recv-key 3DBDC284
gpg: requesting key 3DBDC284 from hkp server pgp.mit.edu
gpg: key 3DBDC284: public key "openSUSE Project Signing Key <opensuse@opensuse.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg --fingerprint 3DBDC284
pub   2048R/3DBDC284 2008-11-07 [expires: 2014-05-04]
      Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284
uid                  openSUSE Project Signing Key <opensuse@opensuse.org>

$ gpg --verify openSUSE-DVD-Build0050-x86_64.iso.asc openSUSE-DVD-Build0050-x86_64.iso
gpg: Signature made Wed 11 Jul 2012 08:08:33 AM CDT using RSA key ID 3DBDC284
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284

:slight_smile:

Another keyserver is blackhole.pca.dfn.de.

Note this key fingerprint is different from the one listed here:

software.opensuse.org: Download openSUSE 12.2 RC 1

But I think that fingerprint is for openSuSE 12.1 stable.

FWIW: If I am correct this should be better explained in the wiki page:

http://tr.opensuse.org/SDB:Check_the_validity_of_a_SUSE_RPM_or_ISO_file

On 2012-07-13 19:46, benbullard79 wrote:
> Note this key fingerprint is different from the one listed here:

And that’s a security bug you can report in the security mail list, for
example :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2012-07-13 19:46, benbullard79 wrote:
>
> I’m not an expert but I think this may be how to do this. Would like
> confirmation from someone more knowledgeable.

I get the same result. I have posted the issue to the factory mail list.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

I tried to verify the x64 version of 13.2 opensuse

  • I imported the key mentioned above

gpg --keyserver pgp.mit.edu --recv-key 307E3D54
gpg: fordere Schlüssel 307E3D54 von hkp-Server pgp.mit.edu an
gpg: Schlüssel 307E3D54: Öffentlicher Schlüssel “SuSE Package Signing Key <build@suse.de>” importiert
gpg: 3 marginal-needed, 1 complete-needed, PGP Vertrauensmodell
gpg: Tiefe: 0 gültig: 4 signiert: 0 Vertrauen: 0-, 0q, 0n, 0m, 0f, 4u
gpg: nächste “Trust-DB”-Pflichtüberprüfung am 2019-08-11
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: importiert: 1 (RSA: 1)

  • Tried to verify the download

gpg --verify openSUSE-13.2-DVD-x86_64.iso.asc openSUSE-13.2-DVD-x86_64.iso
gpg: Signatur vom Di 04 Nov 2014 13:33:09 CET mittels RSA-Schlüssel ID 3DBDC284
gpg: Signatur kann nicht geprüft werden: Kein öffentlicher Schlüssel

  • Downloaded the key mentioned in the error message

gpg --keyserver pgp.mit.edu --recv-key 3DBDC284
gpg: fordere Schlüssel 3DBDC284 von hkp-Server pgp.mit.edu an
gpg: Schlüssel 3DBDC284: Öffentlicher Schlüssel “openSUSE Project Signing Key <opensuse@opensuse.org>” importiert
gpg: 3 marginal-needed, 1 complete-needed, PGP Vertrauensmodell
gpg: Tiefe: 0 gültig: 4 signiert: 0 Vertrauen: 0-, 0q, 0n, 0m, 0f, 4u
gpg: nächste “Trust-DB”-Pflichtüberprüfung am 2019-08-11
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: importiert: 1 (RSA: 1)

  • Verified the downloaded .iso against this key

gpg --verify openSUSE-13.2-DVD-x86_64.iso.asc openSUSE-13.2-DVD-x86_64.iso
gpg: Signatur vom Di 04 Nov 2014 13:33:09 CET mittels RSA-Schlüssel ID 3DBDC284
gpg: Korrekte Signatur von “openSUSE Project Signing Key <opensuse@opensuse.org>”
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284

NO trustworthy signature for the opensuse build key? REALLY? In the end of year 2014? After Snowden, heartbleed, POODLE, openSSL and whatever you can imagine?

I can’t believe that, tell me I made a mistake, please…

On 2014-11-05 08:36, suse rasputin wrote:

> gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem
> vorgeblichen Besitzer gehört.
> Haupt-Fingerabdruck = 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD
> C284
>
> NO trustworthy signature for the opensuse build key? REALLY? In the end
> of year 2014? After Snowden, heartbleed, POODLE, openSSL and whatever
> you can imagine?

Next time, please post the command results in English and inside a code tags block. I cannot read any of the above. Guessing, you did not sign the key, so it is untrusted - by you!

Comment 1) When pasting here computer commands and such, please use a CODE BLOCK, so that the forum software doesn’t do silly things like converting URLs to tiny urls, wrap lines, or otherwise hide or alter the commands you entered. You get them by clicking on the ‘#’ button in the forum editor.
http://susepaste.org/images/15093674.jpg

Comment 2) When the system language is not English, you should do,
in order to post here, like this:


minas-tirith:~ # LANG=C zypper lr --details
....

or this:


minas-tirith:~ # LANG=en_US.UTF-8 zypper info kvm
Loading repository data...
Warning: Repository 'openSUSE-11.4-Update' appears to outdated. Consider
using a different mirror or server.
Reading installed packages...

That way we can all read it, regardless of local languages of sender and
reader. It is not a permanent change, it only applies to one command.

So, I’ll do the test myself.

cer@AmonLanc:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --verify openSUSE-13.2-Rescue-CD-x86_64.iso.sig
gpg: Signature made 2014-10-30T16:21:39 CET using DSA key ID 9C800ACA
gpg: Can’t check signature: No public key
cer@AmonLanc:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --recv-keys 9C800ACA
gpg: requesting key 9C800ACA from hkp server pgp.mit.edu
gpg: key 9C800ACA: public key “SuSE Package Signing Key <build@suse.de>” imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
cer@AmonLanc:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --verify openSUSE-13.2-Rescue-CD-x86_64.iso.sig
gpg: Signature made 2014-10-30T16:21:39 CET using DSA key ID 9C800ACA
gpg: Good signature from “SuSE Package Signing Key <build@suse.de>”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA
cer@AmonLanc:/data/hoard/Downloads.cer/isos/oS_13.2>

In that computer the keys are unsigned. Let’s try on another on which they are.

cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --verify openSUSE-13.2-Rescue-CD-x86_64.iso.sig
gpg: Signature made 2014-10-30T16:21:39 CET using DSA key ID 9C800ACA
gpg: Good signature from “SuSE Package Signing Key <build@suse.de>”
gpg: Note: This key has expired!
Primary key fingerprint: 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA
cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2>

Expired?

Maybe I have an old copy. So let’s try download it again.

cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --recv-keys 9C800ACA
gpg: requesting key 9C800ACA from hkp server pgp.mit.edu
gpg: key 9C800ACA: “SuSE Package Signing Key <build@suse.de>” 2 new signatures
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 4 signed: 3 trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1 valid: 3 signed: 4 trust: 0-, 0q, 0n, 1m, 2f, 0u
gpg: depth: 2 valid: 4 signed: 11 trust: 0-, 0q, 0n, 0m, 4f, 0u
gpg: depth: 3 valid: 8 signed: 5 trust: 3-, 2q, 0n, 1m, 2f, 0u
gpg: depth: 4 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2018-03-17
gpg: Total number processed: 1
gpg: new signatures: 2
cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2>

And check the download:

cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2> gpg --verify openSUSE-13.2-Rescue-CD-x86_64.iso.sig
gpg: Signature made 2014-10-30T16:21:39 CET using DSA key ID 9C800ACA
gpg: Good signature from “SuSE Package Signing Key <build@suse.de>”
cer@Telcontar:/data/hoard/Downloads.cer/isos/oS_13.2>

So, all is good. :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Dear robin!

Thank you for your quick reply.

Hmmm, but you didn’t use the code block in your reply, either?

(sorry, but the error messages of gpg are quite the same, no matter what the language is and google is your friend, even translate).

Anyways, why is your copy of 13.2 signed with another key than my copy? opensuse@opensuse.org 3DBDC284 vs. build@opensuse.org 9C800ACA?

The signature of my copy was virtually made at the time of downloading the copy, while yours was signed at 2014-30-10

“In that computer the keys are unsigned. Let’s try on another on which they are”

So basically my computer is “untrusted”, what would be the way to get it “trust” the opensuse key? Even more so as the key is apparently not the same as the one used by opensuse in the past?

If I have to download the key manually and apply trust to the key without knowing where it REALLY belongs to the whole verification is useless, as anybody could exchange the key on the fly while I download it.

Kindest regards

rasputin

PS: When I try to find the key at

https://pgp.mit.edu/

I get

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /pks/lookup.
Reason: Error reading from remote server

…for both, the key ID 3DBDC284 as well as for the search string “opensuse@opensuse.org”

PPS: After some more tries I found

pub 2048R/3DBDC284 2008-11-07
uid openSUSE Project Signing Key <opensuse@opensuse.org>
sig sig3 3DBDC284 2008-11-07 __________ 2010-11-07 [selfsig]
sig sig3 3DBDC284 2010-05-05 __________ 2014-05-04 [selfsig]
sig sig 0175623E 2012-08-23 __________ __________ Marcus Meissner <meissner@suse.de>
sig sig 3D25D3D9 2012-08-23 __________ __________ SuSE Security Team <security@suse.de>
sig sig 30B94B5C 2013-05-04 __________ __________ 楊士青 (Yang Shih-Ching) <imacat@mail.imacat.idv.tw>
sig sig 920E6F97 2013-08-15 __________ __________
sig sig D1E3EBDD 2014-02-11 __________ __________ Sebastian Weber <s.wbr@gmx.de>
sig sig3 3DBDC284 2014-05-05 __________ 2024-05-02 [selfsig]

(listing from https://pgp.mit.edu/pks/lookup?op=vindex&search=0xB88B2FD43DBDC284)

On 2014-11-05 09:56, suse rasputin wrote:
>
> Dear robin!
>
> Thank you for your quick reply.
>
> Hmmm, but you didn’t use the code block in your reply, either?

Not all of it. I forgot on part of it. NNTP is different than the web side.

> (sorry, but the error messages of gpg are quite the same, no matter what
> the language is and google is your friend, even translate).

You are at advantage there, you can read both languages. I can’t. And
Google does a horrible job with computer messages.

> Anyways, why is your copy of 13.2 signed with an other key as my copy?
> opensuse@opensuse.org 3DBDC284 vs. build@opensuse.org 9C800ACA?

Dunno. Maybe because I tested the CD?

> “In that computer the keys are unsigned. Let’s try on another on which
> they are”
>
> So basically my computer is “untrusted”,

No, YOU, rasputin, trust the keys and sign them. Not the computer.
Please read up how PGP works.

> If I have to download the key manually and apply trust to the key
> without knowing where it REALLY belongs to the whole verification is
> useless, as anybody could exchange the key on the fly while I download
> it.

Absolutely.

But not anybody, but somebody in the position and with the resources to
do so.

But in this particular case, the fingerprint is published somewhere.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
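The check the thread converges on (benbullard79's run above and Carlos's last reply) is: a "Good signature" line is necessary but not sufficient, and the "not certified with a trusted signature" WARNING is expected for a key you have not signed yourself; what you must compare by hand is the primary key fingerprint gpg prints against the one published out of band on the download page. The following is an added example, not code from the thread or from the openSUSE project, that automates exactly that comparison by parsing GnuPG's machine-readable `--status-fd` lines; the two fingerprints are the ones quoted on this page, and the sample status lines are constructed to mirror Carlos's Rescue-CD run and the "public key not found" case.

```python
"""Judge a gpg --verify run by signature validity AND published fingerprint.
Added example for this thread; status-line format is GnuPG's --status-fd output."""
import re
import subprocess

# Fingerprints quoted on the page (download page / gpg --fingerprint output).
PUBLISHED = {
    "SuSE Package Signing Key": "79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA",
    "openSUSE Project Signing Key": "22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284",
}

def normalize(fpr):
    """Strip the spacing gpg uses when printing fingerprints."""
    return re.sub(r"\s+", "", fpr).upper()

def judge(status_lines, expected_fpr):
    """Parse '[GNUPG:] ...' lines from 'gpg --status-fd 1 --verify'.
    'ok' is True only for a good signature whose primary key fingerprint equals
    the published one; web-of-trust state is reported separately as 'trusted'."""
    r = {"good": False, "fpr": None, "expired": False, "trusted": False, "no_pubkey": None}
    for line in status_lines:
        words = line.split()
        if len(words) < 2 or words[0] != "[GNUPG:]":
            continue
        tag = words[1]
        if tag in ("GOODSIG", "EXPKEYSIG"):      # EXPKEYSIG: good sig, key expired
            r["good"] = True
            r["expired"] = r["expired"] or tag == "EXPKEYSIG"
        elif tag == "BADSIG":
            r["good"] = False
        elif tag == "KEYEXPIRED":
            r["expired"] = True
        elif tag == "VALIDSIG":                   # field 11 = primary key fpr, field 2 = signing key fpr
            r["fpr"] = words[11] if len(words) > 11 else words[2]
        elif tag == "NO_PUBKEY":
            r["no_pubkey"] = words[2]
        elif tag in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            r["trusted"] = True                  # only set once YOU have (l)signed the key
    r["ok"] = r["good"] and r["fpr"] == normalize(expected_fpr)
    return r

def verify_iso(sig_path, iso_path, expected_fpr):
    """Real run (needs gpg on PATH; not exercised by the test below)."""
    out = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, iso_path],
                         capture_output=True, text=True).stdout
    return judge(out.splitlines(), expected_fpr)

# Constructed status lines mirroring the Rescue-CD run (DSA key 9C800ACA, untrusted)
# and the initial "No public key" failure.
SAMPLE_OK = ["[GNUPG:] NEWSIG",
             "[GNUPG:] GOODSIG A84EDAE89C800ACA SuSE Package Signing Key <build@suse.de>",
             "[GNUPG:] VALIDSIG 79C179B2E1C820C1890F9994A84EDAE89C800ACA 2014-10-30 1414682499 0 4 0 17 2 00 79C179B2E1C820C1890F9994A84EDAE89C800ACA",
             "[GNUPG:] TRUST_UNDEFINED 0 classic"]
SAMPLE_NO_KEY = ["[GNUPG:] ERRSIG A84EDAE89C800ACA 17 2 00 1414682499 9",
                 "[GNUPG:] NO_PUBKEY A84EDAE89C800ACA"]
```

Note that `ok` stays True even with `trusted` False: the untrusted warning in the thread is about your own keyring's web of trust, not about the download, whereas a fingerprint mismatch (or a signature by a different key than the page lists) is the case worth reporting.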