The officially official Devuan Forum!


#1 2018-09-27 15:29:58

HextorBRX
Member
Registered: 2017-08-20
Posts: 78  

image verification: bad signature

Hello

I read "bad signature" for every image I download when I run gpg --verify SHA256SUMS nameoftheiso

Here is what I do, in that order:
Verify the integrity of SHA256SUMS
sha256sum --ignore-missing -c SHA256SUMS
Verify the integrity of the ISO by comparing the output with that of the SHA256SUMS.txt
sha256sum nameoftheiso
Download and import the public key from https://files.devuan.org/
gpg --import devuan-devs.gpg
Verify the signature
gpg --no-default-keyring --keyring ./devuan-devs.gpg --verify SHA256SUMS.asc
double-check that the fingerprint of the key matches that of the developer reported on https://devuan.org/os/team
Verify that SHA256SUMS is signed by one of the devs
gpg --verify SHA256SUMS.asc SHA256SUMS
Verify that the ISO is signed by one of the devs
gpg --verify SHA256SUMS.asc nameoftheiso

There are quite a few things I would like to understand.
Firstly, I would like to understand why the last command returns "bad signature". That would be great!
https://ibb.co/hvADrp
Secondly, I would like to know the "correct procedure" to import the public key. I quote the Release Notes:

The 'devuan-devs.gpg' keyring is provided only for convenience. The most correct procedure to verify that the signatures are authentic is by downloading the relevant public keys from a trusted keyserver

So far, I have always downloaded the devuan-devs.gpg from the Devuan Download Zone.
Thirdly, I do not quite understand the primary key fingerprint on the screenshot below, more particularly the following numbers before the developer's GPG key: 67F5 0132 1627 1E85 C251   E480
https://ibb.co/fyyGBp

The 'devuan-devs.gpg' keyring is provided only for convenience. The most correct procedure to verify that the signatures are authentic is by downloading the relevant public keys from a trusted keyserver, double-check that the fingerprint of the key matches that of the developer reported on https://devuan.org/os/team and then use that key for verification.

Am I doing this right? I wonder :)

Many thanks

Last edited by HextorBRX (2018-10-01 10:03:23)


#2 2018-09-27 19:01:36

fsmithred
Administrator
Registered: 2016-11-25
Posts: 873  

Re: image verification: bad signature

I'll tell you what I know. The digits before the key ID in the fingerprint are, well... the fingerprint. Since it's possible for two keys to have the same ID, the fingerprint gives you a more reliable indicator of whether it's the right key or not. I don't know how that gets calculated.

This will get my public key from a public keyserver.

gpg --keyserver=pgp.mit.edu --recv-keys 094c5620

Here's what I do to verify. I can't guarantee that it's right, but the output looks good.

$ gpg --verify SHA256SUMS.asc 
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 05:49:36 PM EDT using RSA key ID 094C5620
gpg: Good signature from "fsmithred (aka fsr) <fsmithred@gmail.com>"

We don't sign the isos. We sign the SHA256SUMS file. If the checksum on the iso matched what's in the file we signed, it's good.

If I try to verify KatolaZ's signature on a computer that doesn't already have his public key, I get this (using the SHASUMS from the installer isos):

$ gpg --verify SHA256SUMS.asc 
gpg: assuming signed data in 'SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 06:55:55 PM UTC
gpg:                using DSA key 8E59D6AA445EFDB4A1533D5A5F20B3AE0B5F062F
gpg: Can't check signature: No public key


#3 2018-09-28 10:35:21

HextorBRX
Member
Registered: 2017-08-20
Posts: 78  

Re: image verification: bad signature

I understand everything except the public key part.

You do that:
fsmithred: gpg --keyserver=pgp.mit.edu --recv-keys 094C5620
Katolaz: gpg --keyserver=pgp.mit.edu --recv-keys 0B5F062F

Since it's possible for two keys to have the same ID, the fingerprint gives you a more reliable indicator of whether it's the right key or not.

Then, why don't you do this instead?
fsmithred: gpg --keyserver=pgp.mit.edu --recv-keys "67F5 0132 1627 1E85 C251  E480 A738 23D3 094C 5620"


#4 2018-09-28 10:49:03

fsmithred
Administrator
Registered: 2016-11-25
Posts: 873  

Re: image verification: bad signature

'Cause it's too much to type, and I got lucky and saw my own name when I used just eight characters. If someone else's name showed up, I'd use 16. I'm not sure if using the whole fingerprint number works with --recv-keys. Did you try that?


#5 2018-09-28 13:06:26

HextorBRX
Member
Registered: 2017-08-20
Posts: 78  

Re: image verification: bad signature

Did you try that?

https://ibb.co/nHZbwp
https://linuxmint.com/verify.php gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09"

I got the whole fingerprint when I verified the signature: gpg --verify SHA256SUMS.asc or gpg --no-default-keyring --keyring ./devuan-devs.gpg --verify SHA256SUMS.asc after importing devuan-devs.gpg

Is there a way to find the whole fingerprint beforehand? It only appears in the installer-iso README.txt (I have checked them all).

Edit: fetching the public key via the trusted keyserver requires the following package: dirmngr

Last edited by HextorBRX (2018-09-28 13:16:09)


#6 2018-09-28 13:23:04

fsmithred
Administrator
Registered: 2016-11-25
Posts: 873  

Re: image verification: bad signature

HextorBRX wrote:

Is there a way to find the whole fingerprint beforehand? It only appears in the installer-iso README.txt (I have checked them all).

Edit: fetching the public key via the trusted keyserver requires the following package: dirmngr

If you have the key ID, you can get the fingerprint with

gpg --fingerprint <key-id>

Oh, if you don't have the key ID, you can use the email address. Try it with mine, and you'll get a list.

I noticed that about dirmngr in ascii. That must be new - I don't have that package installed in jessie and gpg has always worked right.


#7 2018-09-28 15:34:21

HextorBRX
Member
Registered: 2017-08-20
Posts: 78  

Re: image verification: bad signature

I copy and paste the correct procedure since the devuan-devs.gpg method is used in the Wiki and the Release Notes: https://friendsofdevuan.org/doku.php/de … rom_debian
Feel free to add some commands if I have missed any. Thanks again.

sha256sum --ignore-missing -c SHA256SUMS
sha256sum <isoname> 
open SHA256SUMS.txt with a text editor and compare the checksums

install the "dirmngr" package
gpg --fingerprint <key-id> https://devuan.org/os/team/
gpg --keyserver=pgp.mit.edu --recv-keys "wholefingerprint"
gpg --verify SHA256SUMS.asc
double-check that the fingerprint of the key matches that of the developer reported on https://devuan.org/os/team
gpg --verify SHA256SUMS.asc SHA256SUMS 
gpg --verify SHA256SUMS.asc <isoname> only if the ISO is signed, which is not the case 

alternative (not recommended)
gpg --import devuan-devs.gpg
gpg --no-default-keyring --keyring ./devuan-devs.gpg --verify SHA256SUMS.asc

Last edited by HextorBRX (2018-09-28 15:36:15)


#8 2018-09-28 19:07:33

fsmithred
Administrator
Registered: 2016-11-25
Posts: 873  

Re: image verification: bad signature

These two do the same thing. With the first one, it assumes you mean to use the file with the same name minus the .asc.

gpg --verify SHA256SUMS.asc
gpg --verify SHA256SUMS.asc SHA256SUMS 

This didn't work:

$ sha256sum --ignore-missing -c SHA256SUMS
sha256sum: unrecognized option '--ignore-missing'
Try 'sha256sum --help' for more information.

To check a signed iso, I'd do this.

gpg --verify isofile.iso.asc

You could also use a different keyserver. I use MIT because it's just up the road from here, and I can remember pgp.mit.edu.


#9 2018-09-29 03:38:46

HextorBRX
Member
Registered: 2017-08-20
Posts: 78  

Re: image verification: bad signature

Ok, it makes sense.

I am surprised --ignore-missing returns "unrecognized option". Do you have jessie installed?

sha256sum --ignore-missing -c SHA256SUMS

https://ibb.co/iW5h49
They use the same option in the Wiki: https://friendsofdevuan.org/doku.php/de … rom_debian

sha256sum -c SHA256SUMS

https://ibb.co/ca7qrp


#10 2018-09-29 12:04:20

fsmithred
Administrator
Registered: 2016-11-25
Posts: 873  

Re: image verification: bad signature

Yeah, I get the "unknown option" message in jessie, but not in ascii. The option is not mentioned in the jessie man page but is in the ascii man page.
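The procedure the thread settles on in #7 and #8 (fetch the developer's key by its full fingerprint, verify the detached signature over SHA256SUMS rather than over the ISO, confirm the signer's fingerprint against the team page, then check the ISO's checksum), scripted below as an added example. It is not code from the thread or from the Devuan project. It assumes gpg 2.x, coreutils sha256sum and the keyserver named in the thread; EXPECTED_FPR is a placeholder to be replaced with the real fingerprint from https://devuan.org/os/team. The checksum step filters SHA256SUMS down to the files actually present before calling sha256sum -c, so it works on jessie's coreutils, which lacks --ignore-missing (#8 and #10). The two helper functions at the top also show why the 8-character key ID is weaker than the fingerprint: it is simply the last eight hex digits of it.

```shell
#!/bin/sh
# Added example (not from this thread or the Devuan project): the verification
# procedure from posts #7/#8, scripted so that "double-check the fingerprint"
# is enforced by comparison rather than eyeballed. Assumptions: gpg 2.x,
# coreutils sha256sum, and a keyserver reachable under $KEYSERVER.
# EXPECTED_FPR is a placeholder; use the developer's fingerprint from
# https://devuan.org/os/team.

EXPECTED_FPR="${EXPECTED_FPR:-0000 0000 0000 0000 0000  0000 0000 0000 0000 0000}"  # placeholder
KEYSERVER="${KEYSERVER:-pgp.mit.edu}"   # the keyserver used in the thread

# Normalise a fingerprint as gpg prints it ("67F5 0132 ... 5620") to 40 hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# The "key ID" is just the tail of the v4 fingerprint (low 32 or 64 bits), which is
# why --recv-keys with a short ID can match more than one key while the full
# fingerprint cannot.
short_id_from_fpr() { norm_fpr "$1" | tail -c 8; }
long_id_from_fpr()  { norm_fpr "$1" | tail -c 16; }

# Read `gpg --status-fd 1` output on stdin and print the primary-key fingerprint
# from the VALIDSIG line (its last field). VALIDSIG is only emitted for a good
# signature, so no output means bad signature, no signature, or an unknown key.
signer_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# $1 = SHA256SUMS.asc, $2 = SHA256SUMS, $3 = expected fingerprint.
# The detached signature covers SHA256SUMS only; pairing the .asc with the ISO
# (as in post #1) can only ever give "BAD signature", because the ISO is not
# what was signed.
verify_sums_signature() {
    got=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | signer_fpr_from_status)
    [ -n "$got" ] && [ "$got" = "$(norm_fpr "$3")" ]
}

# $1 = SHA256SUMS. Check only the listed files that are actually present, like
# `sha256sum --ignore-missing -c` but without needing that option (it is absent
# from jessie's coreutils). Non-zero if any present file mismatches or if none
# of the listed files is here at all.
check_present_sums() {
    dir=$(dirname "$1")
    tmp=$(mktemp) || return 1
    while IFS= read -r line; do
        # Lines are "hash  name" (text) or "hash *name" (binary mode).
        name=${line#* }; name=${name# }; name=${name#\*}
        if [ -f "$dir/$name" ]; then printf '%s\n' "$line" >>"$tmp"; fi
    done <"$1"
    if [ ! -s "$tmp" ]; then
        echo "none of the files listed in $1 is present" >&2; rm -f "$tmp"; return 1
    fi
    if (cd "$dir" && sha256sum -c "$tmp"); then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# $1 = directory holding SHA256SUMS, SHA256SUMS.asc and the downloaded ISO(s).
verify_release() {
    fpr=$(norm_fpr "$EXPECTED_FPR")
    # Fetch by the full fingerprint, not by the 8-character ID.
    gpg --keyserver "$KEYSERVER" --recv-keys "$fpr" || return 1
    if ! verify_sums_signature "$1/SHA256SUMS.asc" "$1/SHA256SUMS" "$fpr"; then
        echo "SHA256SUMS is not signed by $fpr" >&2; return 1
    fi
    # The ISO itself is not signed (post #2); its checksum in the signed file is.
    check_present_sums "$1/SHA256SUMS"
}

if [ "$#" -eq 1 ]; then verify_release "$1"; fi
```

Usage is `EXPECTED_FPR="<fingerprint from the team page>" sh verify.sh /path/to/download/dir`. Comparing the VALIDSIG fingerprint rather than grepping for "Good signature" matters: a "Good signature" line only says the signature matches some key in your keyring, not that the key is the one the team page lists.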


#11 2018-10-01 10:10:47

HextorBRX
Member
Registered: 2017-08-20
Posts: 78  

Re: image verification: bad signature

Hello

I cannot retrieve the fingerprint anymore, while it worked two days ago. I have tried your GPG key and Katolaz's. 

gpg --fingerprint GPGkey/email address
gpg: error reading key: no public key

Last edited by HextorBRX (2018-10-01 10:12:17)


#12 2018-10-01 19:43:30

fsmithred
Administrator
Registered: 2016-11-25
Posts: 873  

Re: image verification: bad signature

It's not working for me today, either. I can --search-keys with my email address and get a list of my public keys. I can't get the fingerprints and I can't --recv-keys. Also can't --refresh-keys on my main machine - I get "keyserver error" with that.

Searching my email address on the web interface at pgp.mit.edu also fails with:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /pks/lookup.

Reason: Error reading from remote server

The problem is with them, not with us.

