
My iso may have been hacked, too!

Debian users,
I would like to try out the Debian 8.5 LXDE OS. Unfortunately, after I burn (dd) it to disk, the newly burned disk has a different hash than the original *.iso file. My specific procedure is below:

===================================================================================
-------------------------------------
Outline (Overall procedure)

A) Download SHA512SUMS and SHA512SUMS.gpg, or MD5SUMS and MD5SUMS.gpg
B) Get the key used for the signature
C) Verify the signature
D) Check the ISO with sha512sum or md5sum

-------------------------------------
Command outline (terse)

A) Download SHA512SUMS and SHA512SUMS.gpg from http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/

B) Get the key
    1) Display what key was used to issue the signature
        $ gpg --verify SHA512SUMS.sign SHA512SUMS

    2) Obtain the public key from the Ubuntu key server
       To add the wanted key automatically to your keyring from the Ubuntu keyserver and calculate its trust:
        $ gpg --keyserver keyring.debian.org --recv-keys 0x6294BE9B

    3) Verify the key fingerprints:
        $ gpg --list-keys --with-fingerprint 0x6294BE9B

C) Verify the signature
        $ gpg --verify SHA512SUMS.sign SHA512SUMS

D) Check the ISO
        $ sha512sum -c <(grep debian-live-8.5.0-amd64-lxde-desktop.iso SHA512SUMS)
        $ sha512sum debian-live-8.5.0-amd64-lxde-desktop.iso

E) Burn iso to media

F) Check media drive still has same
        $ sudo fdisk -l                    (lookup location of burnt iso media)
        $ sudo sha512sum /dev/sdb
            
-------------------------------------
Command outline (Complete with results)
$  ls
debian-8.5.0-i386-lxde-CD-1.checksum  SHA512SUMS
debian-8.5.0-i386-lxde-CD-1.iso       SHA512SUMS.sign
Debian8_i386_SHA256SUMS.sign
$  gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made 2016年06月05日 (週日) 23時59分09秒 CST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

$  gpg --keyserver keyring.debian.org --recv-keys 0x6294BE9B
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: key 6294BE9B: "Debian CD signing key <debian-cd@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

$  gpg --list-keys --with-fingerprint 0x6294BE9B
pub   4096R/6294BE9B 2011-01-05
      Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key <debian-cd@lists.debian.org>
sub   4096R/11CD9819 2011-01-05

$  gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made 2016年06月05日 (週日) 23時59分09秒 CST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

$  sha512sum debian-8.5.0-i386-lxde-CD-1.iso && wait && sha512sum /dev/sdb
3365649694bf623d63f37853582d3fe0f7aa774821e2533d2dc79f5d763df1751e20da98da013ccc9bd3257159362434462bd7363caff3a590e75701b81e751c

$  sudo sha512sum /dev/sdb
912ac63416f9e4cc90b10eecf08765aa3665cea3cb971865f9887b5193bdf8961cdaf7978dfbdb5a966ae03e16c6704dfd80c50eea30f9bea32b5dbd67f99747  /dev/sdb

===================================================================================
Notice how the two sha512sum numbers (local vs burnt usb) don't match!

Sincerely,
Andrew F Comly


===================================================================================
===================================================================================
-------- Original Message --------
Subject: Re: you iso's may have been hacked
Local Time: August 10, 2016 1:37 AM
UTC Time: August 10, 2016 1:37 AM
From: limpia@openmailbox.org
To: debian-user@lists.debian.org


> On 2016-08-09 20:03, phil hall wrote:
>> I have just downloaded Debian GNOME 8.5.0. When complete, I clicked
>> "check MD5 sum" and it listed a number that's not in your MD5sum document. I
>> have never checked an MD5sum, so I don't know if this is a Mint bug or
>> you've been hacked.

On 2016-08-09 20:24, limpia wrote:
> Thanks, but it would be a lot more help to know more details,
> especially which mirror you used and what the URL was where you
> downloaded it from.
> Was it an amd64 image or i386? Was it a "Live CD image", "netinstall"
> or ?
> Thank you
Additional note, I notice that here:
https://www.debian.org/CD/faq/#verify
it says:

"The problem with the verification of written optical
media is that some media types will possibly return more bytes than
those found in the ISO image. This trailing garbage is impossible to
avoid with CD written in TAO mode, incrementally recorded DVD-R[W],
formatted DVD-RW, DVD+RW, BD-RE, and also with USB keys. Therefore, we
need to read exactly the same number of sectors of data from the media
as are found in the ISO image itself; reading any more bytes from the
media will alter the checksum result."
================================
There are more details here: https://www.debian.org/CD/verify
as well. Are you sure you are checking correctly?
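The FAQ passage quoted above is exactly what the checksums in the first post run into: `sha512sum /dev/sdb` reads the whole USB key, trailing bytes included, so it cannot match the ISO. The following script is an added example (not from the mailing-list thread or from Debian's own tooling) showing the difference between hashing the whole device and hashing exactly the ISO's byte count. It stands in a constructed ISO file and a constructed "media" image (the ISO followed by zero padding) for the real `*.iso` and `/dev/sdb`, so it runs offline; against real hardware you would pass the ISO path and the block device to `verify_media`.

```shell
#!/bin/sh
# Added example: compare the ISO checksum with the burnt media checksum
# read (a) over the whole device and (b) over exactly the ISO's size.
# Everything below uses constructed files in a temp dir; no real device is touched.

sum512() {
    # print only the hex digest, with coreutils sha512sum or perl shasum
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum | cut -d' ' -f1
    else
        shasum -a 512 | cut -d' ' -f1
    fi
}

iso_size() {
    # byte size of the ISO (GNU stat first, BSD stat as fallback)
    stat -c %s "$1" 2>/dev/null || stat -f %z "$1"
}

iso_checksum() {
    sum512 < "$1"
}

media_checksum_whole() {
    # what `sudo sha512sum /dev/sdb` does: every byte the device returns
    sum512 < "$1"
}

media_checksum_exact() {
    # read exactly iso_size bytes from the media ($2) and stop there;
    # this is the "same number of sectors as the ISO" rule from the FAQ
    head -c "$(iso_size "$1")" "$2" | sum512
}

verify_media() {
    # $1 = ISO file, $2 = media (device or image); returns 0 on match, 1 otherwise
    expected=$(iso_checksum "$1")
    actual=$(media_checksum_exact "$1" "$2")
    if [ "$expected" = "$actual" ]; then
        echo "OK: media matches $1"
        return 0
    fi
    echo "MISMATCH: media differs from $1"
    return 1
}

# --- constructed demo data (stands in for a real ISO and a real USB key) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ISO="$WORK/demo.iso"
MEDIA="$WORK/fake-usb.img"
head -c 12288 /dev/urandom > "$ISO"          # a 12 KiB "ISO" of random bytes
cat "$ISO" > "$MEDIA"                        # "burn" it ...
head -c 8192 /dev/zero >> "$MEDIA"           # ... and add 8 KiB of trailing bytes

echo "iso:            $(iso_checksum "$ISO")"
echo "media (whole):  $(media_checksum_whole "$MEDIA")"   # differs, like the post
echo "media (exact):  $(media_checksum_exact "$ISO" "$MEDIA")"  # matches the ISO
verify_media "$ISO" "$MEDIA"
```

For real media the same check is `head -c "$(stat -c %s debian.iso)" /dev/sdb | sha512sum` (or the equivalent `dd ... count=` form that the Debian verify page uses); a mismatch after an exact-length read is the only result that actually says the written data differs from the ISO.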