On Wed, 22 Jun 2016 17:42:36 +0000 (UTC) Grzegorz Bereta <gbereta2@yahoo.com> wrote:

> Dear Sir or Madam,
>
> I was trying to verify my Debian download following these
> instructions:
>
> https://www.debian.org/CD/verify.en.html
>
> and found the second part of the instructions (below) unclear:
>
> "To ensure that the checksums files themselves are correct, use GnuPG
> to verify them against the accompanying signature files (e.g.
> MD5SUMS.sign). The keys used for these signatures are all in the
> Debian GPG keyring and the best way to check them is to use that
> keyring to validate via the web of trust"
>
> My understanding of the above is that I need keys to decipher the
> X.sign file so that I can compare it with the checksum file. Don't I
> need a KeyID to get the proper key? Where/how do I get it?

0: You can simply use the checksums.

1: You can also verify the GnuPG signature without needing a GnuPG key
   of your own with

   gpg --verify X.sign

2: You can verify the key used to make the GnuPG signature if you
   already have a GnuPG key which is part of the web of trust.

GnuPG handles the .sign file; that stage does not need you to have a
GnuPG key. The signature itself does not contain anything you can
compare with the checksum file yourself. GnuPG verifies that the
checksum file is the same as it was when the signature was created and
provides information about the key used to make that signature. The
verification of that key is then down to your link into the GnuPG web
of trust. Without a key of your own (or with a key which doesn't have a
link into the web of trust) you still get verification that the
checksum file is valid and that the signature is valid.

The fingerprint of the key used to create the signature is printed when
gpg verifies the X.sign file. This fingerprint can be verified by
looking up the key on keyservers to ensure that the fingerprint on the
debian website is correct.
With MD5SUMS and MD5SUMS.sign in the same directory:

$ gpg --verify --verbose MD5SUMS.sign
gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sun 05 Jun 2016 16:59:39 BST using RSA key ID 6294BE9B

From the website, the fingerprint of the key with the short ID 6294BE9B is

DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

(collapse the fingerprint, taking out the spaces)

$ gpg --keyserver keyring.debian.org --recv-key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

If your key is not in the web of trust (or if you haven't updated your
local gpg trust settings since importing this key), you'll get:

$ gpg --verify MD5SUMS.sign
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sun 05 Jun 2016 16:59:39 BST using RSA key ID 6294BE9B
gpg: please do a --check-trustdb
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

My key is part of the web of trust (I've been fortunate enough to get
signatures from Steve and a few dozen other people in the Debian
keyring), so I can proceed to:

$ gpg --check-trustdb
$ gpg --verify MD5SUMS.sign
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sun 05 Jun 2016 16:59:39 BST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"

Yes, the gpg interface is obscure and quite unhelpful. It is important
to receive keys using the full fingerprint, not the short key id which
is (sadly) all that gpg --verify outputs until the key has already been
imported.
Other steps you can do are:

$ gpg --recv-key DF9B9C49EAA9298432589D76DA87E80D6294BE9B

(this just updates the key from other keyservers, in case it's been
revoked without being updated on keyring.debian.org)

You can google the fingerprint(s) from
https://www.debian.org/CD/verify.en.html which brings up a range of
sites giving you something like the above set of commands with a bit
more background. e.g.
https://linuxconfig.org/how-to-verify-an-authenticity-of-downloaded-debian-iso-images

-- 

Neil Williams
=============
http://www.linux.codehelp.co.uk/
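The two checks the reply walks through, as an added example that is not part of Neil's message or of any Debian tool: first, tying a "Good signature" to the key whose fingerprint Debian publishes by comparing the full 40-digit fingerprint (with the website's spaces collapsed) rather than the short key ID; second, checking the downloaded image against its entry in the MD5SUMS/SHA256SUMS file. It assumes you ran gpg yourself with the real `--status-fd 1` option (which prints the machine-readable `[GNUPG:] GOODSIG` / `VALIDSIG` / `BADSIG` lines the parser reads) and captured that output. Everything fed to `demo()` is constructed: the status lines, the placeholder "other" fingerprint, and a small stand-in file in place of an ISO. The Debian fingerprint is the one quoted in the thread.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Fingerprint of the Debian CD signing key as quoted in the message above.
EXPECTED_FINGERPRINT = "DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B"
CHECKSUM_LINE = re.compile(r"^([0-9A-Fa-f]+)\s+\*?(.+)$")

def normalise_fingerprint(fpr):
    """Drop spaces and upper-case so the website's spaced form compares equal
    to the 40-hex-digit form gpg prints; reject anything else."""
    compact = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("not a 40-digit OpenPGP fingerprint: %r" % fpr)
    return compact

def signature_key_fingerprints(status_lines):
    """Parse '[GNUPG:] ...' lines from 'gpg --status-fd 1 --verify'. Returns
    (good, fingerprints): good once GOODSIG is seen with no BADSIG/ERRSIG;
    fingerprints holds the signing key's fingerprint from VALIDSIG (field 3)
    and, when present, the primary key's (field 12), so a subkey signature
    still matches the primary fingerprint Debian publishes."""
    good, fingerprints = False, set()
    for line in status_lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] in ("BADSIG", "ERRSIG"):
            return False, set()
        elif fields[1] == "VALIDSIG":
            fingerprints.add(fields[2])
            if len(fields) >= 12:
                fingerprints.add(fields[11])
    return good, fingerprints

def signed_by_expected_key(status_lines, expected=EXPECTED_FINGERPRINT):
    """'Good signature' alone says only that the file is unchanged since it was
    signed; comparing the full fingerprint ties it to Debian's key."""
    good, fingerprints = signature_key_fingerprints(status_lines)
    want = normalise_fingerprint(expected)
    return good and any(normalise_fingerprint(f) == want for f in fingerprints)

def parse_checksum_file(text):
    """Parse MD5SUMS/SHA256SUMS lines ('<hex digest>  <name>', optional '*'
    before the name for binary mode) into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        match = CHECKSUM_LINE.match(line.strip())
        if match:
            sums[match.group(2)] = match.group(1).lower()
    return sums

def file_digest(path, algorithm):
    """Hash in 1 MiB chunks; an ISO image is too large to read in one go."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def download_matches_checksums(path, checksum_text, algorithm):
    """True only if the file is listed and its digest matches; a file absent
    from the checksum file is a failure, not a pass."""
    listed = parse_checksum_file(checksum_text).get(os.path.basename(path))
    return listed is not None and hmac.compare_digest(
        file_digest(path, algorithm), listed)

def demo():
    """Run both checks on constructed data: no real image and no gpg call."""
    debian = "DF9B9C49EAA9298432589D76DA87E80D6294BE9B"
    other = "1111222233334444555566667777888899990000"  # constructed placeholder
    # Constructed lines shaped like gpg status output; the dates are made up.
    good_sig = [
        "[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>",
        "[GNUPG:] VALIDSIG %s 2016-06-05 1465142379 0 4 0 1 10 00 %s" % (debian, debian),
    ]
    other_key = [
        "[GNUPG:] GOODSIG 7777888899990000 Placeholder Key <placeholder@example.invalid>",
        "[GNUPG:] VALIDSIG %s 2016-06-05 1465142379 0 4 0 1 10 00 %s" % (other, other),
    ]
    bad_sig = ["[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>"]
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "debian-placeholder.iso")  # stand-in for an image
        with open(iso, "wb") as handle:
            handle.write(b"not a real installer image\n" * 1000)
        sha256sums = "%s  debian-placeholder.iso\n" % file_digest(iso, "sha256")
        matches = download_matches_checksums(iso, sha256sums, "sha256")
        with open(iso, "r+b") as handle:  # flip one byte: corrupt or swapped download
            handle.write(b"N")
        tampered = download_matches_checksums(iso, sha256sums, "sha256")
    return {
        "signature_from_debian_key": signed_by_expected_key(good_sig),
        "signature_from_other_key": signed_by_expected_key(other_key),
        "bad_signature": signed_by_expected_key(bad_sig),
        "download_matches": matches,
        "tampered_download_matches": tampered,
    }
```

The point of the split is the one the reply makes: gpg's "Good signature" line and its "WARNING: This key is not certified" line are two different questions. The first is answered by `signature_key_fingerprints`; the second, in the absence of a web-of-trust path, is answered by comparing the VALIDSIG fingerprint against the one on the Debian website, which is why the short key ID is never used as the match key here.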