Signing certificates for Argon & Krypton ISOs?

Hi.

A few months ago i downloaded the then-current Krypton ISO, & today i’ve downloaded the Argon ISO, both from http://download.opensuse.org/repositories/KDE:/Medias/images/iso/ . For each ISO i also downloaded the corresponding sha256 file. I’m having trouble validating the files, & hope someone can help pls.

Via Kleopatra:

Krypton:


Signature created on Monday, 10 July 2017 21:02:25 AEST
With certificate:
4E8E 6DE2 961F 3083 EAC5 0086 27C0 7017 6F88 BB2F
The signature is invalid: Signing certificate is expired


Argon:

Signature created on Friday, 13 October 2017 09:30:54 AEDT
With certificate:
4E8E 6DE2 961F 3083 EAC5 0086 27C0 7017 6F88 BB2F

The signature is invalid: Signing certificate is expired

For both ISOs:
https://paste.opensuse.org/images/75478946.png

So far none of my online searching has uncovered how to obtain the current signing certificate, but i expect i’m looking in the wrong places. Any clues pls? Do i need to write an email to "KDE OBS Project", or [hopefully] is there a known-good webpage somewhere holding the missing information?

Ha. Somewhat ironic footnote re Argon ISO… won’t run in VM, has kernel panic [conversely Krypton is fine]:

https://paste.opensuse.org/images/32360733.png

Your Kleopatra outputs can’t be right…
It’s nearly impossible for 2 different files (your Argon and Krypton ISO files) to have exactly the same checksum.

Recommend you use the following command to generate the checksum values for your ISO files

sha256sum --help

As for your Argon inability to boot…
I’ve seen that error from time to time in Tumbleweed, verify the ISO integrity correctly and if necessary download a new image.

TSU

Hi
You need to ping the Repo maintainers to update the project signing key… (bug report… we know that won’t happen…).

Email the maintainers https://build.opensuse.org/project/users/KDE:Medias

Click on the GPG key / SSL Certificate
https://build.opensuse.org/project/show/KDE:Medias#

I entirely agree with you, which is why previously i never said anything about the checksums. As i showed with my pics, the query concerns the signing certificate applicable to both ISOs, which seems to have expired.

“openSUSE_Argon.x86_64-5.10.90-Build2.75.iso” sha256 checksum as calculated by Dolphin:

febf2536e79c0b3f2c509c842badd12d98b0fb3566eb0e34688e0f1ee8945557

“openSUSE_Argon.x86_64-5.10.90-Build2.75.iso.sha256” sha256 checksum as viewed with Kate:

febf2536e79c0b3f2c509c842badd12d98b0fb3566eb0e34688e0f1ee8945557

“openSUSE_Krypton_stable.x86_64-5.10.90-Build15.1.iso” sha256 checksum as calculated by Dolphin:

439d424088297e0fbc41f805859131d971c32869fca4a77dd8172abb111846a5

“openSUSE_Krypton_stable.x86_64-5.10.90-Build15.1.iso.sha256” sha256 checksum as viewed with Kate:

439d424088297e0fbc41f805859131d971c32869fca4a77dd8172abb111846a5

As you can see, each ISO is verified by its associated sha256 text file, & the two ISOs do have different checksums to each other [never said otherwise]. The checksums were never the issue. As the pics in my OP showed, the problem is that currently the integrity of the sha256 text files i downloaded [which are my only means to check the ISOs] is unknown, because they are signed with an expired certificate. IMO, if the checksum files’ integrity is uncertain, then ipso facto the ISOs to which they relate, are also uncertain.

Signature created on Sunday, 8 October 2017 04:01:49 AEDT
With certificate:
4E8E 6DE2 961F 3083 EAC5 0086 27C0 7017 6F88 BB2F
The signature is invalid: Signing certificate is expired

I have “verify the ISO integrity correctly”, the issue is the expired signing certificate… but the checksum match does imply that the ISO should at least boot [if that build was not bad]. When i wrote my OP, the Argon ISO i’d downloaded, which has the kernel panic boot failure, was “openSUSE_Argon.x86_64-5.10.90-Build2.87.iso”. Today i have now downloaded a slightly older version, “openSUSE_Argon.x86_64-5.10.90-Build2.75.iso”. Sadly it also fails to boot, but this time with a different fault:
https://paste.opensuse.org/images/67511898.png

This is not confidence-inspiring; faulty Argon ISOs, expired signing certificates…

Haha. Sorry to disappoint you with your admirably consistent teasing of my desire for privacy, but possibly you won’t be able to do so after today… i have changed my email address & SUSE/Novell UserID to match my screen-name here, & so am now more than happy to raise bug reports :stuck_out_tongue: Could you pls guide me though as to which of these categories i should use? It’s not clear to me that any of these four choices is particularly relevant to my topic:
https://paste.opensuse.org/images/11818731.png

Excellent, will do, thanks.

Um:
https://paste.opensuse.org/images/30488085.png
Oh, maybe it’s ok; a temporary error due to the current oS power outage? I’ll try it again on Monday.

Hi
Yes, no power… take the weekend off, nothing will get done until next week anyway… send an email to the maintainers. Also you might find one of them on IRC Freenode #opensuse-factory or #opensuse-buildservice

A signing certificate only provides a degree of authenticity, confidence that the provided checksum is valid and not a forgery.
If the file is freshly downloaded from a trustworthy site, then the extra confidence provided by the signing authority is probably not needed.

This is just one of those things that you’d wonder why the expiration was set for such a short TTL, but is not really that important.

So, just focus on the provided checksums for comparison.

IMO,
TSU

I don’t know anything about IRC, what it is, what to do with it.

Re emailing… When i’m here, https://build.opensuse.org/project/users/KDE:Medias , or on either of the associated pages https://build.opensuse.org/user/show/favogt and https://build.opensuse.org/user/show/luca_b , i cannot see any email link or email info for those people. Maybe such links become visible once i log into these pages? However, despite me being logged into the Forum successfully [which i can confirm by logging out, in, out, in at will], on none of these three pages am i logged in. Furthermore, all attempts to login there fail:

The username/password combination you entered is invalid. Please try again, or recover it from here.

Do these pages need a different login / account to my credentials which work fine in all Forum-associated pages? Or is this problem instead likely only a temporary glitch legacy of the recent power outage server shutdown?

Finally, re me creating a bug report [which i indicated earlier i am now happy to do], i still don’t know which of those 4 categories / “product” i need to use.

Hi
Create an OBS account, it’s separate… click the Sign Up button.
https://build.opensuse.org/

For bugs follow the guided process;
openSUSE:Submitting bug reports - openSUSE

Thanks Malcolm

Oh, it’s a separate account needed… no wonder it didn’t work for me. OK, i’ll create a new account for that.

Bug Report now not needed… with the oS server power back on, today i was able to use your link https://build.opensuse.org/project/show/KDE:Medias# & then its link https://build.opensuse.org/projects/KDE:Medias/public_key/key_dialog then get

KDE:Medias keys

Size    Algorithm    ID    **Expires**    Origin
1024    dsa    6f88bb2f    **2019-01-16**    KDE
Fingerprint : 
4e8e 6de2 961f 3083 eac5 0086 27c0 7017 6f88 bb2f

, ie, this one IS current. After then downloading this key & importing into my KGpg, then signing it myself, i’m happy to advise that now, for “openSUSE_Argon.x86_64-5.10.90-Build2.91.iso” with “openSUSE_Argon.x86_64-5.10.90-Build2.91.iso.sha256” [and now i have repeated this with those other ISOs already mentioned from the site] Kleopatra shows me:

Signature created on Friday, 13 October 2017 23:09:09 AEDT
With certificate:
4E8E 6DE2 961F 3083 EAC5 0086 27C0 7017 6F88 BB2F

The signature is valid and the certificate's validity is fully trusted.

, & btw yes, the actual sha256 checksum was good.

Yay. Thanks again.
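Added example, not part of any post in this thread: a command-line version of the check discussed above, which separates "good signature from an expired key" from a genuinely bad signature, pins the fingerprint quoted in the thread, and only then compares the ISO hash. It assumes the `.sha256` file is clearsigned with the hash at the start of its first non-empty line; the function names and verdict words are made up for this example.

```shell
#!/bin/sh
# Fingerprint of the KDE:Medias signing key as quoted in the thread.
PINNED_FPR=4E8E6DE2961F3083EAC5008627C070176F88BB2F

# classify_status STATUS EXPECTED_FPR
# Turns `gpg --status-fd` output into one verdict word on stdout.
classify_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }      # data does not match the signature
        $2 == "NO_PUBKEY" { nokey = 1 }    # signing key not in the keyring
        $2 == "EXPKEYSIG" { expired = 1 }  # good signature, key expired in keyring
        $2 == "REVKEYSIG" { revoked = 1 }  # good signature, key revoked
        $2 == "GOODSIG"   { good = 1 }
        $2 == "VALIDSIG"  { fpr = $NF }    # last field: primary key fingerprint
        END {
            if (bad)                      print "bad-signature"
            else if (revoked)             print "revoked-key"
            else if (expired)             print "expired-key"
            else if (nokey)               print "missing-key"
            else if (good && fpr == want) print "valid"
            else if (good)                print "wrong-key"
            else                          print "unsigned"
        }'
}

# verify_iso ISO SUMFILE
# Assumes SUMFILE is clearsigned and its first non-empty signed line starts
# with the SHA-256 of the ISO. The hash is read only from verified output.
verify_iso() {
    iso=$1; sums=$2
    payload=$(mktemp) || return 2
    status=$(gpg --batch --yes --status-fd 1 --output "$payload" \
                 --decrypt "$sums" 2>/dev/null)
    verdict=$(classify_status "$status" "$PINNED_FPR")
    if [ "$verdict" != valid ]; then
        rm -f "$payload"
        echo "signature check: $verdict" >&2
        return 1
    fi
    want=$(awk 'NF { print $1; exit }' "$payload")
    rm -f "$payload"
    have=$(sha256sum "$iso" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Usage: sh verify.sh image.iso image.iso.sha256
if [ "$#" -eq 2 ]; then verify_iso "$1" "$2"; fi
```

An `expired-key` verdict is the situation from the first post: the fix is to re-import the refreshed public key from the project page, after which the same signature classifies as `valid`.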

Thanks. I do understand your points. I’d like to offer this perspective though. When you say

freshly downloaded from a trustworthy site
, i agree with you. In this case the site is http://download.opensuse.org/repositories/KDE:/Medias/images/iso/ , which is of course an openSUSE site. However, it is only http, not https. I thus don’t see upon what basis i should simply “accept” that this site is always safe, not hacked, not subject to potential malicious third-party actions. If i’m wrong in that caution, then it would seem that there is no actual reason for any site to use https, but of course that’s blatantly untrue. Hence, because this site is only http, it seems to me to be critically important that applicable Public Keys & Signing Certificates are current. That’s why i initiated this thread. However, as you might notice above, i’ve now acquired the updated key, & so my original concern is now resolved.

BTW, i have now managed finally to make both “openSUSE_Argon.x86_64-5.10.90-Build2.75.iso” & “openSUSE_Argon.x86_64-5.10.90-Build2.91.iso” boot & run in VirtualBox. To do so i had to use an additional VB setting that i’ve never had to use before for any Linux distro ISO VM, including my many TW VMs, my two Leap VMs, nor my Krypton VM…

https://paste.opensuse.org/images/93676798.png

However, even with this additional VB setting, “openSUSE_Argon.x86_64-5.10.90-Build2.87.iso” continues to fail with that kernel panic. I have now deleted that obviously broken file.

Malcolm, you said it’s separate, but when i tried to create this new account i get this error:

**Login**
By filling out and submitting this form, you are creating one account that may be used to log in on NetIQ, Novell, and SUSE. All entitlements and other resources/privileges requiring a login are determined individually by each company, but are controlled under the umbrella of this singular login account. **Please do not create multiple accounts to access each company** as it may restrict your ability to access locked resources.
Please do not use special characters, accents, apostrophes, etc... when creating your profile


**Sorry, the email address you specified is already in use, probably because you already have a Login. Please use the login link above if you have forgotten your username and/or password.**

So the part i highlighted in bolded blue kind of implies that i should NOT have multiple logins. The red error [coloured by the site, not me] arose after i filled in all the fields in my application for a new account now. What am i supposed to do, create yet another email account just to use here, given that it refuses to accept my existing gooeygirl one used for my existing oS Forum account? If so, that’s pretty impractical. Has Novell never heard of Single Sign-on?

When it says

Please use the login link above if you have forgotten your username and/or password
, that’s exasperating… i have NOT forgotten my existing [forum] account at all, but it refuses to let me use it here [rejects the password]. This process could be much improved.

https://paste.opensuse.org/images/20748212.png

Hi
OK, let’s back up a little, there is no Novell (in fact it doesn’t exist anymore) involved here… our primary sponsor is SUSE :wink:

A little ironic in the grumbles over the years about filling in details to stay anonymous and single sign on etc :wink:

So depending on the method used by you to change things, things are probably out of whack somewhere.

Have a look here https://forums.opensuse.org/faq.php?faq=novfor#faq_changepass and the following paragraph on what to do…

The single solitary reason i mentioned Novell, is that several times during my few months with oS, various oS websites i’ve used to try to register, login/out, amend details, have led me to some Novell-branded sites, or oS sites prominently containing Novell references. Had that not been happening i’d not have mentioned it. As it has happened multiple times, it was fair for me to mention it. The most recent two instances were last Fri, & again on Saturday. Unfortunately i didn’t anticipate this becoming a point of dispute, so i did not capture any screen shots, but the next time it occurs i shall. Additionally, some of the emails i have received in response to my attempts to register or change, have been from Novell addresses. If any of that is wrong, it’s not my fault… i simply state factually what has been happening. Even the link that you gave me in your reply post, takes me to an oS page that contains several references to Novell. How was i to know that if i keep reading “Novell” on pages associated with oS, that i’m supposed to magically ignore such references? Some pics to reinforce my claim:

https://paste.opensuse.org/images/4293829.png

https://paste.opensuse.org/images/32355275.png

https://paste.opensuse.org/images/84713642.png

Oh, yet another chide on my desire for privacy, eh? Why? Furthermore, what “years”? - my Join Date was 27-Jun-2017.

Thank you. I shall see if somehow guidance in that page will turn around the current faulty registration / login scenario for me.

Hi
No, not referring to you, so I apologize since you thought so, other folks over the years as things like SSO were introduced…

I’m sure it will get sorted…

I just checked, although https isn’t enforced, it’s supported.

So, you can download the file in a way that ensures the file should be valid.

TSU

Hi TSU – oh, that’s interesting. Thanks for letting me know. Do you suppose there’s a chance sometime that the page will get full enforced https support, by which i mean including that naive users like me can just rely on our browser’s padlock being green not red [ie, behave like much of the rest of the oS pages]?

Submit a feature request to https://bugzilla.opensuse.org

Or,
Don’t rely on the maintainers of <any> web server.

Install the “HTTPS Everywhere” firefox plugin from the EFF, and your browser will always check for SSL support on every website you visit.

TSU

Thanks Tsu2

Re HTTPS Everywhere, yes, i have used that in my browsers for some years now. However i never really understand how effective it is, eg, see here for the site in question… what does “partial” actually mean, in a practical sense, wrt security of this page & its downloads?

https://paste.opensuse.org/images/5392792.png

**PS** - This associated info is interesting, but unfortunately too incomprehensible for me to answer my own question… https://www.eff.org/https-everywhere/atlas/domains/opensuse.org.html