
Re: CD verification key question



On Wed, 22 Jun 2016 17:42:36 +0000 (UTC)
Grzegorz Bereta <gbereta2@yahoo.com> wrote:

> Dear Sir or Madam,
> 
> I was trying to verify my Debian download following these
> instructions:
> 
> https://www.debian.org/CD/verify.en.html
> 
> and found the second part of the instructions (below) unclear:
> 
> "To ensure that the checksums files themselves are correct, use GnuPG
> to verify them against the accompanying signature files (e.g.
> MD5SUMS.sign). The keys used for these signatures are all in the
> Debian GPG keyring and the best way to check them is to use that
> keyring to validate via the web of trust"
> 
> My understanding of the above is that I need keys to decipher the
> X.sign file so that I can compare it with the checksum file. Don't I
> need a KeyID to get the proper key? Where/how do I get it? 

0: You can simply use the checksums.
1: You can also verify the GnuPG signature without needing a GnuPG key
of your own with gpg --verify X.sign
2: You can verify the key used to make the GnuPG signature if you
already have a GnuPG key which is part of the web of trust.

GnuPG handles the .sign file, that stage does not need you to have a
GnuPG key. The signature itself does not contain anything you can
compare with the checksum file yourself. GnuPG verifies that the
checksum file is the same as it was when the signature was created and
provides information about the key used to make that signature. The
verification of that key is then down to your link into the GnuPG web
of trust.

Without a key of your own (or with a key which doesn't have a link into
the web of trust) you still get verification that the checksum file is
valid and that the signature is valid. The fingerprint of the key used
to create the signature is printed when gpg verifies the X.sign file.
This fingerprint can be verified by looking up the key on keyservers to
ensure that the fingerprint on the debian website is correct.

With MD5SUMS and MD5SUMS.sign in the same directory:

$ gpg --verify --verbose MD5SUMS.sign 
gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sun 05 Jun 2016 16:59:39 BST using RSA key ID 6294BE9B

From the website, the fingerprint of the key with the short ID 6294BE9B
is DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

(collapse the fingerprint, taking out the spaces)

$ gpg --keyring keyring.debian.org --recv-key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

If your key is not in the web of trust (or if you haven't updated your
local gpg trust settings since importing this key), you'll get:

$ gpg --verify MD5SUMS.sign 
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sun 05 Jun 2016 16:59:39 BST using RSA key ID 6294BE9B
gpg: please do a --check-trustdb
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

My key is part of the web of trust (I've been fortunate enough to get
signatures from Steve and a few dozen other people in the Debian
keyring), so I can proceed to:

$ gpg --check-trustdb
$ gpg --verify MD5SUMS.sign 
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sun 05 Jun 2016 16:59:39 BST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"

Yes, the gpg interface is obscure and quite unhelpful. It is important
to receive keys using the full fingerprint, not the short key id which
is (sadly) all that gpg --verify outputs until the key has already been
imported.

Other steps you can take are:

$ gpg --recv-key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
(this just updates the key from other keyservers, in case it's been
revoked without being updated on keyring.debian.org)

You can google the fingerprint(s) from
https://www.debian.org/CD/verify.en.html which brings up a range of
sites giving you something like the above set of commands with a bit
more background.
e.g.
https://linuxconfig.org/how-to-verify-an-authenticity-of-downloaded-debian-iso-images



-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/
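The checks described in the reply above, scripted, as an added example that is not part of the original mail or of Debian's own tooling: `gpg --verify` only prints the short key ID until the key is imported, but `gpg --status-fd 1 --verify` emits machine-readable `[GNUPG:]` lines whose VALIDSIG record carries the full fingerprint, so the comparison against the fingerprint published on the website can be done without trusting the short ID. The script then checks the ISO against the signed checksum file. The published fingerprint is the one quoted in the mail; the status lines, the ISO bytes, the SHA256SUMS content and the file names `example.iso` and `tampered.iso` are constructed samples; `run_gpg_status()` only works where a real `gpg` is installed.

```python
"""Verify a Debian checksum file's signature against a published fingerprint,
then verify an ISO against that checksum file.

Added example, not code from the original mail. Assumptions: the published
fingerprint is the one quoted in the mail; the gpg status lines and the ISO
bytes below are constructed samples; run_gpg_status() needs gpg installed.
"""
import hashlib
import re
import subprocess

# Fingerprint of the Debian CD signing key exactly as printed on the website.
PUBLISHED_FPR = "DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B"


def normalise_fpr(fpr: str) -> str:
    """Collapse the spaced fingerprint to 40 upper-case hex digits, nothing else."""
    flat = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", flat):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {fpr!r}")
    return flat


def run_gpg_status(sign_path: str) -> str:
    """Run `gpg --status-fd 1 --verify` on a .sign file and return its status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sign_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


def parse_gpg_status(status_text: str) -> dict:
    """Reduce `[GNUPG:] ...` lines to the facts that matter for this check."""
    info = {"good": False, "fingerprint": None, "trust": None, "missing_key": None}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            info["good"] = True
        elif keyword == "BADSIG":
            info["good"] = False
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <res> <pkalgo> <hashalgo>
            #          <class> [<primary-key-fpr>]. Prefer the primary key's
            # fingerprint: that is what the website publishes when a subkey signs.
            info["fingerprint"] = fields[11] if len(fields) > 11 else fields[2]
        elif keyword.startswith("TRUST_"):
            info["trust"] = keyword[len("TRUST_"):]
        elif keyword == "NO_PUBKEY":
            info["missing_key"] = fields[2]
    return info


def signature_matches_published_key(status_text: str, published_fpr: str) -> tuple:
    """True only for a good signature made by the key whose fingerprint we expect.

    The TRUST_* level is reported but not required: without a web-of-trust
    path it stays UNDEFINED even when the fingerprint comparison succeeds.
    """
    info = parse_gpg_status(status_text)
    if info["missing_key"]:
        return False, f"key {info['missing_key']} not imported; fetch it by full fingerprint"
    if not info["good"] or info["fingerprint"] is None:
        return False, "no good signature"
    if info["fingerprint"].upper() != normalise_fpr(published_fpr):
        return False, f"signed by {info['fingerprint']}, not the published key"
    return True, f"good signature by published key (gpg trust: {info['trust']})"


def verify_checksums(sums_text: str, files: dict, algo: str = "sha256") -> dict:
    """Check files against a SUMS file in `<hex>  <name>` format (coreutils'
    `*` binary marker is accepted). Returns {name: matched} for known names."""
    results = {}
    for line in sums_text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]+)\s+\*?(.+)", line.strip())
        if not m:
            continue
        expected, name = m.group(1).lower(), m.group(2)
        if name in files:
            results[name] = hashlib.new(algo, files[name]).hexdigest() == expected
    return results


# Constructed sample: what gpg emits for the mail's MD5SUMS.sign once the key
# is imported but has no path in the local web of trust.
SAMPLE_STATUS_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2016-06-05 1465142379 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed sample: the same file checked before the key was fetched.
SAMPLE_STATUS_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG DA87E80D6294BE9B 1 10 00 1465142379 9
[GNUPG:] NO_PUBKEY DA87E80D6294BE9B
"""
# Constructed stand-in for an ISO image and a SHA256SUMS file listing it.
SAMPLE_ISO = b"constructed stand-in for an ISO image\n"
SAMPLE_SUMS = (hashlib.sha256(SAMPLE_ISO).hexdigest() + "  example.iso\n"
               + "0" * 64 + "  tampered.iso\n")

if __name__ == "__main__":
    import sys
    status = run_gpg_status(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATUS_UNTRUSTED
    print(signature_matches_published_key(status, PUBLISHED_FPR))
    print(verify_checksums(SAMPLE_SUMS, {"example.iso": SAMPLE_ISO, "tampered.iso": SAMPLE_ISO}))
```

Run with a real `SHA256SUMS.sign` as the argument to parse live gpg output; with no argument it exercises the constructed samples. The deliberate design choice is that the fingerprint comparison, not gpg's trust level, is what decides acceptance: the trust level tells you whether your own web of trust vouches for the key, which most downloaders do not have, while a mismatch between the VALIDSIG fingerprint and the one on the website is a hard failure regardless of trust.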
