
Re: Unable to verify 64-bit live ISO signature

On Wed, 24 Jun 2020 SeBarosanul@protonmail.com wrote:

Hi! I have been trying to verify the debian live iso signature, but I
can't find the command to import the debian gpg keys for the
sha256sum.sign file. What is the command?

OP appears satisfied with answers already received, all of which
appear to involve obtaining keys from a keyserver.

I would supplement those answers as follows:

On a debian system, the debian project's optical media signing keys
appear to live in the file


which is supplied by package "debian-keyring".

So on debian, if you have

 A. debian-keyring installed (and gpg as well),

 B. a checksum file SUMFILE, and

 C. a file SUMFILE.sign, allegedly containing a signature for the
    checksums in SUMFILE

then you can find out

  1. whether SUMFILE.sign is indeed a signature for SUMFILE (meaning
     you may remove the qualifier "allegedly" from (C) above), and

  2. whether that signature was made by somebody in control of a key
     that the debian project trusts to sign its releases,

by examining the output of this command:

 $ gpg --verify --keyring /usr/share/keyrings/debian-role-keys.gpg SUMFILE.sign SUMFILE

(Of course, substitute "SHA256SUMS" or "SHA512SUMS" or whatever, as
appropriate, for "SUMFILE".)

Here are three mutually exclusive cases of what a system may tell
you, depending on how your reality conforms to conditions (1) and (2):
SUMFILE signed, and by debian role key: When both (1) and (2) are YES

 gpg: Signature made Sat 09 May 2020 08:17:30 PM EDT
 gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
 gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [marginal]
 gpg: WARNING: This key is not certified with sufficiently trusted signatures!
 gpg:          It is not certain that the signature belongs to the owner.
 Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

You were told all is fine, so far as the system can tell.

SUMFILE not signed: When (1) is NO but (2) is still YES

 gpg: Signature made Sat 09 May 2020 08:17:30 PM EDT
 gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
 gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>" [marginal]

That is your system telling you SUMFILE.sign is *not* actually a
signature for SUMFILE. It is possible that SUMFILE has been tampered

SIGNING KEY UNKNOWN, bailing out: When (2) is NO

 gpg: Signature made Wed 24 Jun 2020 06:58:06 AM EDT
 gpg:                using RSA key 2E3F09D22FFDC4ABF32DF441EB18A1C0111F5F49
 gpg: Can't check signature: No public key

All is not well. SUMFILE was not signed by a debian role key (or, at
least, not by one in the keyring you specified).

For all you know, SUMFILE.sign could contain the Hamburglar's
signature! Or Marilyn Monroe's!

And it remains unknown in this case whether (1) is YES or NO. In other
words, we don't know whether SUMFILE.sign contains *anyone*'s
signature for SUMFILE.

If I have said anything incorrect or misleading above, I hope somebody
will correct me.

Firstly, you must always implicitly obey orders, without attempting to
form any opinion of your own respecting their propriety. Secondly, you
must consider every man your enemy who speaks ill of your king; and
thirdly, you must hate a Frenchman, as you do the devil. --H. Nelson
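As an added example (not part of the mail above, nor Debian's own tooling), here is a small POSIX shell wrapper around the `gpg --verify` command from the mail. It reads gpg's machine-readable `--status-fd` output, sorts the result into the three cases the mail describes, and additionally pins the Debian CD signing key fingerprint printed in the "Good signature" case, so the "[marginal] / not certified" warning becomes an explicit check. The keyring path and fingerprint are those quoted in the mail; the status keywords (VALIDSIG, BADSIG, NO_PUBKEY) are gpg's own.

```sh
#!/bin/sh
# Added example, not from the original mail: wrap the gpg --verify command
# shown there, classify gpg's status output into the mail's three cases, and
# pin the Debian CD signing key fingerprint from the "Good signature" case so
# the "[marginal]" trust warning is replaced by an explicit fingerprint check.
set -e

# Keyring from the debian-keyring package and the fingerprint gpg printed in
# the mail's first case (both taken from the mail, not invented here).
KEYRING=/usr/share/keyrings/debian-role-keys.gpg
EXPECTED_FPR=DF9B9C49EAA9298432589D76DA87E80D6294BE9B

# Read "[GNUPG:] KEYWORD args" status lines on stdin and print one line:
#   GOOD <fingerprint>  (1) and (2) YES: valid signature by key <fingerprint>
#   BAD                 (1) NO:  SUMFILE.sign is not a signature for SUMFILE
#   NOKEY <keyid>       (2) NO:  signing key <keyid> is not in the keyring
#   UNKNOWN             no recognised status line seen
classify_status() {
    result=UNKNOWN
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)  set -- $line; result="GOOD $3" ;;
            "[GNUPG:] BADSIG "*)    result=BAD ;;
            "[GNUPG:] NO_PUBKEY "*) set -- $line; result="NOKEY $3" ;;
        esac
    done
    printf '%s\n' "$result"
}

# usage: verify_sums SUMFILE.sign SUMFILE
# Returns 0 only for a good signature made by the pinned key.
verify_sums() {
    status=$(gpg --status-fd 1 --verify --keyring "$KEYRING" "$1" "$2" 2>/dev/null |
             classify_status)
    case "$status" in
        "GOOD $EXPECTED_FPR")
            echo "OK: $2 is signed by the pinned Debian CD signing key" ;;
        GOOD\ *)
            echo "REJECT: good signature, but by unexpected key ${status#GOOD }"; return 1 ;;
        BAD)
            echo "REJECT: $1 is not a signature for $2 (file altered or mismatched)"; return 1 ;;
        NOKEY\ *)
            echo "REJECT: signing key ${status#NOKEY } is not in $KEYRING"; return 1 ;;
        *)
            echo "REJECT: could not verify ($status)"; return 1 ;;
    esac
}

if [ $# -eq 2 ]; then verify_sums "$1" "$2"; fi
```

Run it as `sh verify-sums.sh SHA256SUMS.sign SHA256SUMS`; unlike a bare `gpg --verify`, a good signature from any other key in the keyring is rejected rather than merely flagged.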
