Re: Unable to verify 64-bit live ISO signature

2020-06-24 Thread davidson

On Wed, 24 Jun 2020 davidson wrote:

One clarification...

[dd]

Here are three mutually exclusive cases, of what a system may tell
you, depending on how your reality conforms to conditions (1) and (2)
above.


...regarding the third case:


SIGNING KEY UNKNOWN, bailing out: When (2) is NO

gpg: Signature made Wed 24 Jun 2020 06:58:06 AM EDT
gpg:                using RSA key 2E3F09D22FFDC4ABF32DF441EB18A1C0111F5F49
gpg: Can't check signature: No public key

All is not well. SUMFILE was not signed by a debian role key (or, at
   ^^^
least, not by one in the keyring you specified).


I should restate that last bit more clearly:

 "SUMFILE.sign does not contain a signature from a debian role key"
  


For all you know, SUMFILE.sign could contain the Hamburglar's
signature! Or Marilyn Monroe's!

And it remains unknown in this case whether (1) is YES or NO. In other
words, we don't know whether SUMFILE.sign contains *anyone*'s
signature for SUMFILE.


If I have said anything incorrect or misleading above, I hope somebody
will correct me.


--
Firstly, you must always implicitly obey orders, without attempting to
form any opinion of your own respecting their propriety. Secondly, you
must consider every man your enemy who speaks ill of your king; and
thirdly, you must hate a Frenchman, as you do the devil. --H. Nelson



Re: Unable to verify 64-bit live ISO signature

2020-06-24 Thread davidson

On Wed, 24 Jun 2020 sebarosa...@protonmail.com wrote:


Hi! I have been trying to verify the debian live iso signature, but I
can't find the command to import the debian gpg keys for the
sha256sum.sign file. What is the command?


OP appears satisfied with answers already received, all of which
appear to involve obtaining keys from a keyserver.

I would supplement those answers as follows:

On a debian system, the debian project's optical media signing keys
appear to live in the file

 /usr/share/keyrings/debian-role-keys.gpg

which is supplied by package "debian-keyring".

So on debian, if you have

 A. debian-keyring installed (and gpg as well),

 B. a checksum file SUMFILE, and

 C. a file SUMFILE.sign, allegedly containing a signature for the
checksums in SUMFILE

then you can find out

  1. whether SUMFILE.sign is indeed a signature for SUMFILE (meaning
 you may remove the qualifier "allegedly" from (C) above), and

  2. whether that signature was made by somebody in control of a key
 that the debian project trusts to sign its releases,

by examining the output of this command:

 $ gpg --verify --keyring /usr/share/keyrings/debian-role-keys.gpg SUMFILE.sign SUMFILE

(Of course, substitute "SHA256SUMS" or "SHA512SUMS" or whatever, as
appropriate, for "SUMFILE".)

Here are three mutually exclusive cases, of what a system may tell
you, depending on how your reality conforms to conditions (1) and (2)
above.


SUMFILE signed, and by debian role key: When both (1) and (2) are YES

 gpg: Signature made Sat 09 May 2020 08:17:30 PM EDT
 gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
 gpg: Good signature from "Debian CD signing key " [marginal]
 gpg: WARNING: This key is not certified with sufficiently trusted signatures!
 gpg:          It is not certain that the signature belongs to the owner.
 Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

You were told all is fine, so far as the system can tell.


SUMFILE not signed: When (1) is NO but (2) is still YES

 gpg: Signature made Sat 09 May 2020 08:17:30 PM EDT
 gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
 gpg: BAD signature from "Debian CD signing key " [marginal]

That is your system telling you SUMFILE.sign is *not* actually a
signature for SUMFILE. It is possible that SUMFILE has been tampered
with.


SIGNING KEY UNKNOWN, bailing out: When (2) is NO

 gpg: Signature made Wed 24 Jun 2020 06:58:06 AM EDT
 gpg:                using RSA key 2E3F09D22FFDC4ABF32DF441EB18A1C0111F5F49
 gpg: Can't check signature: No public key

All is not well. SUMFILE was not signed by a debian role key (or, at
least, not by one in the keyring you specified).

For all you know, SUMFILE.sign could contain the Hamburglar's
signature! Or Marilyn Monroe's!

And it remains unknown in this case whether (1) is YES or NO. In other
words, we don't know whether SUMFILE.sign contains *anyone*'s
signature for SUMFILE.


If I have said anything incorrect or misleading above, I hope somebody
will correct me.

--
Firstly, you must always implicitly obey orders, without attempting to
form any opinion of your own respecting their propriety. Secondly, you
must consider every man your enemy who speaks ill of your king; and
thirdly, you must hate a Frenchman, as you do the devil. --H. Nelson
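As an added example (not code from this thread or from the Debian project), a Python helper that runs davidson's gpg command with `--status-fd` so a script can tell the three cases apart from gpg's machine-readable status lines instead of the human-readable wording, and then checks the signing fingerprint against a trusted list as Thomas suggests. The one-entry trusted list and the sample status lines are constructed from the fingerprints and key ids shown in this thread; `verify_sumfile` assumes gpg and debian-keyring are installed.

```python
import subprocess
from typing import Iterable, Tuple
# Constructed allowlist for this example: the fingerprint shown in the thread's
# "Good signature" output. Take the real list from https://www.debian.org/CD/verify.
TRUSTED_FINGERPRINTS = {"DF9B9C49EAA9298432589D76DA87E80D6294BE9B"}

CASE_TRUSTED = "signed by a listed Debian role key"            # both (1) and (2) YES
CASE_UNLISTED = "good signature, but key not on trusted list"  # (1) YES, fingerprint unchecked
CASE_BAD = "SUMFILE.sign is not a signature for SUMFILE"       # (1) NO
CASE_NO_KEY = "signing key unknown, cannot verify"             # (2) NO, (1) undecidable
CASE_NONE = "no verification result from gpg"

def classify(status_lines: Iterable[str], trusted=TRUSTED_FINGERPRINTS) -> Tuple[str, str]:
    """Map gpg --status-fd lines to (case, fingerprint). Only the '[GNUPG:]' machine
    lines are read; the human-readable text varies in wording and spacing."""
    fingerprint, verdict = "", CASE_NONE
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "VALIDSIG":        # follows GOODSIG; field 2 is the full fingerprint
            fingerprint = fields[2].upper()
        elif tag == "GOODSIG":       # signature matches; fingerprint decides trust below
            verdict = CASE_UNLISTED
        elif tag == "BADSIG":        # signature does not match the checksum file
            verdict = CASE_BAD
        elif tag in ("NO_PUBKEY", "ERRSIG"):  # key not in the keyring(s) searched
            verdict = CASE_NO_KEY
    if verdict == CASE_UNLISTED and fingerprint in trusted:
        verdict = CASE_TRUSTED
    return verdict, fingerprint

def verify_sumfile(sumfile: str, keyring: str = "/usr/share/keyrings/debian-role-keys.gpg"):
    """Run the thread's command with status lines on stdout and classify the result."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--keyring", keyring,
                           "--verify", sumfile + ".sign", sumfile],
                          capture_output=True, text=True)
    return classify(proc.stdout.splitlines())

# Constructed status output for the three cases, using the key ids shown in the thread.
GOOD_STATUS = ["[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key",
               "[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2020-05-10 "
               "1589069850 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B",
               "[GNUPG:] TRUST_MARGINAL 0 pgp"]
BAD_STATUS = ["[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key"]
NO_KEY_STATUS = ["[GNUPG:] ERRSIG EB18A1C0111F5F49 1 10 00 1592996286 9 "
                 "2E3F09D22FFDC4ABF32DF441EB18A1C0111F5F49",
                 "[GNUPG:] NO_PUBKEY EB18A1C0111F5F49"]
```

Because `--keyring` adds to rather than replaces the default keyring, a key you imported earlier from a keyserver can still produce a "good" result; the fingerprint check is what ties the verdict to the list on debian.org.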



Re: Unable to verify 64-bit live ISO signature / How to download signatures

2020-06-24 Thread Thomas Schmitt
Hi,

sorry for carrying the subject line from one thread to the other.
(At least they are closely related ...)


Have a nice day :)

Thomas



Re: Unable to verify 64-bit live ISO signature

2020-06-24 Thread SeBarosanul
Thank you for the excellent help! I'm happy to join this awesome community!




Re: Unable to verify 64-bit live ISO signature

2020-06-24 Thread Thomas Schmitt
Hi,

sebarosa...@protonmail.com wrote:
> I am
> trying to download the sha256sums and the sha256sums.sign, but clicking on
> them only seems to open the contents of the file

With my browser I can click on the link with the rightmost mouse button
to get a menu which offers me to "Save Link As".
You could also use copy+paste to bring the displayed file content into
a file on your local disk.

Finally, the command line should help

  wget https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/SHA256SUMS

  wget https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/SHA256SUMS.sign



In advance:

If gpg --verify says

  gpg: Good signature from "Debian CD signing key "
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B


then it is ok. But you should then check the "key fingerprint" whether
it is one of those listed at
  https://www.debian.org/CD/verify


Have a nice day :)

Thomas



Re: Unable to verify 64-bit live ISO signature

2020-06-24 Thread john doe

On 6/24/2020 9:44 AM, Thomas Schmitt wrote:

Hi,

sebarosa...@protonmail.com wrote:

I can't
find the command to import the debian gpg keys for the sha256sum.sign file.


I was told that verification works without knowing the key id by:

   gpg --keyserver keyring.debian.org --verify SHA256SUMS.sign SHA256SUMS



I would rather use the below command to automatically fetch the key:

$ gpg --keyserver-options auto-key-retrieve --verify SHA512SUMS.sign SHA512SUMS

--
John Doe



Re: Unable to verify 64-bit live ISO signature

2020-06-24 Thread Thomas Schmitt
Hi,

sebarosa...@protonmail.com wrote:
> I can't
> find the command to import the debian gpg keys for the sha256sum.sign file.

I was told that verification works without knowing the key id by:

  gpg --keyserver keyring.debian.org --verify SHA256SUMS.sign SHA256SUMS

but never tested it without having the key already fetched.
I normally use a fetched key with one of the key ids from
  https://www.debian.org/CD/verify
E.g.

  gpg --keyserver keyring.debian.org --recv-keys 6294BE9B

and then

  gpg --verify SHA256SUMS.sign SHA256SUMS


Have a nice day :)

Thomas



Re: Unable to verify 64-bit live ISO signature

2020-06-24 Thread Reco
Hi.

On Wed, Jun 24, 2020 at 07:23:14AM +, sebarosa...@protonmail.com wrote:
> Hi! I have been trying to verify the debian live iso signature, but I
> can't find the command to import the debian gpg keys for the
> sha256sum.sign file. What is the command?

gpg --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B

See also: https://www.debian.org/CD/verify

Reco



Unable to verify 64-bit live ISO signature

2020-06-24 Thread SeBarosanul
Hi! I have been trying to verify the debian live iso signature, but I can't find 
the command to import the debian gpg keys for the sha256sum.sign file. What is 
the command?