
Re: Checking SHA256SUMS against SHA256SUMS.sign .



On Wed, Feb 29, 2012 at 02:29:33AM +0700, Sthu Deus wrote:
> Good time of the day.
> 
> 
> I try to check live CDs SHA256SUMS against SHA256SUMS.sign:
> 
> under normal user:
> gpg --verify SHA256SUMS.sign SHA256SUMS
> gpg: directory `/home/__/gue/.gnupg' created
> gpg: new configuration file `/home/__/gue/.gnupg/gpg.conf' created
> gpg: WARNING: options in `/home/__/gue/.gnupg/gpg.conf' are not yet active during this run
> gpg: keyring `/home/__/gue/.gnupg/pubring.gpg' created
> gpg: Signature made Mon 17 Oct 2011 07:55:55 PM GMT-7 using RSA key ID 6CA7B5A6
> gpg: Can't check signature: public key not found
> 
> 
> then by root user:
> 
> # gpg --recv-key --keyserver subkeys.pgp.net 6CA7B5A6 && gpg --verify ./SHA256SUMS.sign
> gpg: requesting key 6CA7B5A6 from hkp server subkeys.pgp.net
> gpg: key 6CA7B5A6: "Debian Live Signing Key <debian-live@lists.debian.org>" not changed
> gpg: Total number processed: 1
> gpg:              unchanged: 1
> gpg: no signed data
> gpg: can't hash datafile: file open error
> 
> 
> Now, under normal user:
> 
> $ gpg --verify SHA256SUMS.sign SHA256SUMS
> gpg: Signature made Mon 17 Oct 2011 07:55:55 PM GMT-7 using RSA key ID 6CA7B5A6
> gpg: Good signature from "Debian Live Signing Key <debian-live@lists.debian.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 696F 95F0 88E4 D359 947F  7AEB 6F95 B499 6CA7 B5A6
> 
> 
> So, how can I fix these 2 errors:
> 
> "gpg: no signed data
> gpg: can't hash datafile: file open error"

Apparently, you've told GPG where to find the signature, but not which
file to verify.

Let's start from the top. Firstly, you shouldn't need root permissions
for any of this. By changing to root, you'll be adding the key to root's
keyring not your own.

OK. Start by issuing " gpg --verify SHA256SUMS.sign SHA256SUMS". You get
some warnings and then "Can't check signature: public key not found".
This is fine.

Next, "gpg --recv-key --keyserver subkeys.pgp.net 6CA7B5A6". This
fetches a key matching the signing key's fingerprint from a server.
Again, do this as yourself so that it's in YOUR keyring.

Finally, "gpg --verify SHA256SUMS.sign SHA256SUMS" will verify the
signature. As you saw, you get "Good Signature from ...". This means
that SHA256SUMS is identical in content to when it was signed; the file
has not been tampered with. However, as you don't trust the key you just
downloaded, you don't know who signed the file.

> 
> "gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner."

To trust a key, the following algorithm is used (by default):
 1. You have signed the key
 2. The key has been signed by one fully trusted key
 3. The key has been signed by three marginally trusted keys.

This is known as the "Web of Trust". You don't have to directly trust
every key you use, but you can rely on the fidelity of other users.

The easiest way to do this is, clearly, then, to sign the key you just
downloaded. To do this:
 1. Arrange a meeting with the owner of the key. Bring at least one
    photo ID and a printed fingerprint of your own Key.
 2. Meet the key's owner face-to-face and, after verifying their
    identity, exchange fingerprints.
 3. Sign their key.
     gpg --sign-key 6CA7B5A6
 4. Upload the key back to the keyserver (so that other people who trust
    you can now trust that key)
     gpg --send-keys --keyserver subkeys.pgp.net 6CA7B5A6

Now, re-verifying the signature should confirm that you trust the
signature.

(Alternatively, if meeting up with the owner of the key is difficult,
you may find members of your local LUG have already signed the key and
you can use the marginal trust noted above).


-- 
Darac Marjal
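An added example, not part of the thread above and not GnuPG's own code: a small POSIX shell script that runs the same "gpg --verify SHA256SUMS.sign SHA256SUMS" command but reads gpg's machine-readable status lines (--status-fd) instead of grepping for "Good signature". It distinguishes the two errors from the question (no signed data, public key not found) from a bad signature, and it answers the "you don't know who signed the file" point not by the web of trust but by pinning the signing key's fingerprint: the value used here is the primary key fingerprint printed in the question, and in real use it has to come from a trusted out-of-band source. The function names and the sample status outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the list thread or of GnuPG: drive gpg --verify
# from a script and decide the result from gpg's machine-readable status lines
# ("[GNUPG:] ..." on --status-fd) instead of grepping "Good signature".
# EXPECTED_FPR is the primary-key fingerprint printed in the question; in real
# use it must come from a trusted out-of-band source. Function names and the
# sample status outputs below are constructed for this example.

EXPECTED_FPR="696F 95F0 88E4 D359 947F  7AEB 6F95 B499 6CA7 B5A6"

# normalize_fpr FPR: drop spaces and upper-case so pasted fingerprints compare equal
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-z' 'A-Z'
}

# classify_status STATUS_TEXT EXPECTED_FPR
# Prints one word and returns 0 only for "verified":
#   nodata    - gpg found no signed data (e.g. a detached signature given
#               without its data file, the first error in the question)
#   nopubkey  - the signing key is not in the keyring (fetch it, then retry)
#   badsig    - the signature does not match the file: the file was altered
#   mismatch  - good signature, but from a key other than the pinned one
#   verified  - good signature from the pinned key
#   unknown   - no recognisable result
# The TRUST_* line is deliberately ignored: pinning the fingerprint replaces
# the web-of-trust judgement for this one key.
classify_status() {
    status="$1"
    expected="$2"
    case "$status" in
        *"[GNUPG:] NODATA"*)    echo nodata;   return 1 ;;
        *"[GNUPG:] NO_PUBKEY"*) echo nopubkey; return 1 ;;
        *"[GNUPG:] BADSIG"*)    echo badsig;   return 1 ;;
    esac
    # VALIDSIG: field 3 is the fingerprint of the key that made the signature,
    # the last field is the primary key's fingerprint (equal here, differs for subkeys)
    sigline=$(printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | head -n 1)
    if [ -z "$sigline" ]; then
        echo unknown
        return 1
    fi
    key_fpr=$(printf '%s\n' "$sigline" | awk '{print $3}')
    primary_fpr=$(printf '%s\n' "$sigline" | awk '{print $NF}')
    if [ "$key_fpr" = "$expected" ] || [ "$primary_fpr" = "$expected" ]; then
        echo verified
        return 0
    fi
    echo mismatch
    return 1
}

# verify_detached SIGFILE DATAFILE: the thread's command, with status lines on
# stdout so classify_status can judge them. Needs gpg installed; run it as
# yourself, not root, so the fetched key and the verification share one keyring.
verify_detached() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    classify_status "$status" "$(normalize_fpr "$EXPECTED_FPR")"
}

# Constructed status outputs modelled on the three runs in the question.
STATUS_NO_PUBKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 6F95B4996CA7B5A6 1 8 00 1318906555 9
[GNUPG:] NO_PUBKEY 6F95B4996CA7B5A6'
STATUS_NODATA='[GNUPG:] NODATA 1'
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6F95B4996CA7B5A6 Debian Live Signing Key <debian-live@lists.debian.org>
[GNUPG:] VALIDSIG 696F95F088E4D359947F7AEB6F95B4996CA7B5A6 2011-10-18 1318906555 0 4 0 1 2 00 696F95F088E4D359947F7AEB6F95B4996CA7B5A6
[GNUPG:] TRUST_UNDEFINED 0 classic'

# Usage: sh verify.sh SHA256SUMS.sign SHA256SUMS
if [ $# -eq 2 ]; then
    verify_detached "$1" "$2"
fi
```

The point of reading the status lines is that "Good signature" only tells you the file is unchanged since it was signed; the VALIDSIG fingerprint comparison is what ties it to the key you actually meant to trust, which is exactly the gap the "not certified with a trusted signature" warning is pointing at.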

