On Wed, 24 Jun 2020 sebarosa...@protonmail.com wrote:
> Hi! I have been trying to verify the debian live iso signature, but I can't find the command to import the debian gpg keys for the sha256sum.sign file. What is the command?
OP appears satisfied with answers already received, all of which appear to involve obtaining keys from a keyserver. I would supplement those answers as follows:

On a debian system, the debian project's optical media signing keys appear to live in the file /usr/share/keyrings/debian-role-keys.gpg which is supplied by package "debian-keyring".

So on debian, if you have

  A. debian-keyring installed (and gpg as well),
  B. a checksum file SUMFILE, and
  C. a file SUMFILE.sign, allegedly containing a signature for the checksums in SUMFILE

then you can find out

  1. whether SUMFILE.sign is indeed a signature for SUMFILE (meaning you may remove the qualifier "allegedly" from (C) above), and
  2. whether that signature was made by somebody in control of a key that the debian project trusts to sign its releases,

by examining the output of this command:

  $ gpg --verify --keyring /usr/share/keyrings/debian-role-keys.gpg SUMFILE.sign SUMFILE

(Of course, substitute "SHA256SUMS" or "SHA512SUMS" or whatever, as appropriate, for "SUMFILE".)

Here are three mutually exclusive cases, of what a system may tell you, depending on how your reality conforms to conditions (1) and (2) above.

SUMFILE signed, and by debian role key: When both (1) and (2) are YES

  gpg: Signature made Sat 09 May 2020 08:17:30 PM EDT
  gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
  gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>" [marginal]
  gpg: WARNING: This key is not certified with sufficiently trusted signatures!
  gpg: It is not certain that the signature belongs to the owner.
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

You were told all is fine, so far as the system can tell.

SUMFILE not signed: When (1) is NO but (2) is still YES

  gpg: Signature made Sat 09 May 2020 08:17:30 PM EDT
  gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
  gpg: BAD signature from "Debian CD signing key <debian...@lists.debian.org>" [marginal]

That is your system telling you SUMFILE.sign is *not* actually a signature for SUMFILE. It is possible that SUMFILE has been tampered with.

SIGNING KEY UNKNOWN, bailing out: When (2) is NO

  gpg: Signature made Wed 24 Jun 2020 06:58:06 AM EDT
  gpg: using RSA key 2E3F09D22FFDC4ABF32DF441EB18A1C0111F5F49
  gpg: Can't check signature: No public key

All is not well. SUMFILE was not signed by a debian role key (or, at least, not by one in the keyring you specified). For all you know, SUMFILE.sign could contain the Hamburglar's signature! Or Marilyn Monroe's! And it remains unknown in this case whether (1) is YES or NO. In other words, we don't know whether SUMFILE.sign contains *anyone*'s signature for SUMFILE.

If I have said anything incorrect or misleading above, I hope somebody will correct me.

-- 
Firstly, you must always implicitly obey orders, without attempting to form any opinion of your own respecting their propriety. Secondly, you must consider every man your enemy who speaks ill of your king; and thirdly, you must hate a Frenchman, as you do the devil. --H. Nelson
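One way to turn the three cases in the reply above into a programmatic check, as an added example that is not from this thread nor from Debian's or GnuPG's own tooling: it parses the machine-readable lines gpg emits with --status-fd (GOODSIG, VALIDSIG, BADSIG, NO_PUBKEY) and additionally pins the signing key's fingerprint, because the "Good signature ... [marginal]" output only says the signature is valid for the key gpg found, not that you trust that key. The sample status lines are constructed, reusing the key IDs shown in the reply; the function and constant names are my own.

```python
# Fingerprint of the "Debian CD signing key" as printed in the reply, pinned
# here so that "Good signature" from some other key is not mistaken for trust.
TRUSTED_FINGERPRINTS = {"DF9B9C49EAA9298432589D76DA87E80D6294BE9B"}


def classify_gpg_status(status_text, trusted_fprs=TRUSTED_FINGERPRINTS):
    """Map one gpg --verify run (captured with --status-fd) to a verdict."""
    good = bad = nokey = False
    fprs = set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # skip human-readable lines; only status lines are stable
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            # field 2: signing-key fingerprint; field 11 (if present): primary key
            fprs.add(fields[2])
            if len(fields) >= 12:
                fprs.add(fields[11])
        elif tag == "BADSIG":
            bad = True
        elif tag == "NO_PUBKEY":
            nokey = True
    if bad:
        return "bad"            # SUMFILE.sign is not a signature for SUMFILE
    if nokey:
        return "unknown-key"    # cannot say anything about SUMFILE at all
    if good and fprs & set(trusted_fprs):
        return "good-trusted"   # signed, and by a key you chose to trust
    if good:
        return "good-unpinned"  # valid, but by a key you did not pin
    return "no-signature"


# Constructed sample status output modelled on the three cases in the reply
# (key IDs taken from the reply; timestamps are placeholders).
GOOD_STATUS = """[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2020-05-10 1589069850 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_MARGINAL 0 pgp
"""
BAD_STATUS = "[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key\n"
UNKNOWN_KEY_STATUS = """[GNUPG:] ERRSIG EB18A1C0111F5F49 1 10 00 1593003486 9 2E3F09D22FFDC4ABF32DF441EB18A1C0111F5F49
[GNUPG:] NO_PUBKEY EB18A1C0111F5F49
"""

if __name__ == "__main__":
    for text in (GOOD_STATUS, BAD_STATUS, UNKNOWN_KEY_STATUS):
        print(classify_gpg_status(text))
```

To feed it real output, run `gpg --status-fd 1 --no-default-keyring --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SUMFILE.sign SUMFILE` and pass its stdout to the function; without --no-default-keyring gpg also consults your personal keyring, so a key sitting there could yield a "good" result that has nothing to do with the debian role keys.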