No public key on live usb stick download.

I’m following these command line directions to make a live usb stick. https://en.opensuse.org/Live_USB_stick

I did this.


gpg --recv-keys 9C800ACA
gpg: requesting key 9C800ACA from hkp server keys.gnupg.net
gpg: /home/x/.gnupg/trustdb.gpg: trustdb created
gpg: key 9C800ACA: public key "SuSE Package Signing Key <build@suse.de>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

Then I get No public key.

gpg -a openSUSE-13.2-KDE-Live-x86_64.iso.asc
Detached signature.
Please enter name of data file: openSUSE-13.2-KDE-Live-i686.iso
gpg: Signature made Tue 04 Nov 2014 07:36:09 AM EST using RSA key ID 3DBDC284
gpg: Can't check signature: No public key

I don’t understand gpg very well. And I searched the forum but couldn’t find the answer. What am I doing wrong?

I have no experience in creating a Live USB this way. If it is for creating a USB install disk, I download the iso ( OS.iso in the command, replace by downloaded iso name )


dd if=/path/to/OS.iso of=/dev/sdX bs=1M

where the X in /dev/sdX should be replaced by the whatever the USB devices’ entry in /dev is ( could be “b”, “c”, depending on the number of disks in the machine ).

Nothing, it is just that wiki lists some outdated key. You need to find key 3DBDC284 (openSUSE Project Signing Key <opensuse@opensuse.org>). You should always check official information source first :slight_smile: e.g. openSUSE Leap - Get openSUSE and scroll to “Verify your download before use”.

I tried the new key.


gpg --recv-keys 3DBDC284
gpg: requesting key 3DBDC284 from hkp server keys.gnupg.net
gpg: key 3DBDC284: public key "openSUSE Project Signing Key <opensuse@opensuse.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

But it gives me BAD signature. Does this mean the iso has been tampered with?

gpg -a openSUSE-13.2-KDE-Live-x86_64.iso.asc
Detached signature.
Please enter name of data file: openSUSE-13.2-KDE-Live-i686.iso
gpg: Signature made Tue 04 Nov 2014 07:36:09 AM EST using RSA key ID 3DBDC284
gpg: BAD signature from "openSUSE Project Signing Key <opensuse@opensuse.org>"

It could simply mean corrupted download. Did you also verify hashes (MD5 and/or SHA1)?

I brought it up in K3b and the md5 checksums are identical.

25715326d7096c50f7ea126ac20eabfd

openSUSE-13.2-KDE-Live-i686.iso

No, it means you test wrong signature.

I’m following the directions in https://en.opensuse.org/Live_USB_stick.

How does a user make it test the right signature?

Most simply use check sums as indicated on the download page And you must check it as the iso download once put on a device the check sums problem will not match due to zero pads to the image. There is a media check on the first menu but really only works on DVD’s USB media makes length changes due to sector pads which makes check sums incorrect. I have never heard of anyone using gpg to test the file

Hi
As user arvidjaar pointed out, your using the wrong asc file or wrong image x86_64 and i686 iso image won’t work!!! :wink: Are you checking a 32bit (i686) or 64bit (x86_64) iso, if so you need the respective asc file.

No, you are not. This page says to download 64 bit ISO image and you attempt to verify 32 bit ISO.

How does a user make it test the right signature?

By using signature that matches downloaded image.