Dev1 Galaxy Forum / [Solved] image verification: bad signature

Re: [Solved] image verification: bad signature

dummy@example.com (fsmithred) — Mon, 01 Oct 2018 19:43:30 +0000

It's not working for me today, either. I can --search-keys with my email address and get a list of my public keys. I can't get the fingerprints and I can't --recv-keys. Also can't --refresh-keys on my main machine - I get "keyserver error" with that.

Searching my email address on the web interface at pgp.mit.edu also fails with:

Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /pks/lookup.
Reason: Error reading from remote server

The problem is with them, not with us.

Re: [Solved] image verification: bad signature

dummy@example.com (HextorBRX) — Mon, 01 Oct 2018 10:10:47 +0000

Hello

I cannot retrieve the fingerprint anymore, while it worked two days ago. I have tried your GPG key and Katolaz's.

gpg --fingerprint GPGkey/email address
gpg: error reading key: no public key

Re: [Solved] image verification: bad signature

dummy@example.com (fsmithred) — Sat, 29 Sep 2018 12:04:20 +0000

Yeah, I get the "unknown option" message in jessie, but not in ascii. The option is not mentioned in the jessie man page but is in the ascii man page.

Re: [Solved] image verification: bad signature

dummy@example.com (HextorBRX) — Sat, 29 Sep 2018 03:38:46 +0000

Ok, it makes sense.

I am surprised --ignore-missing returns "unrecognized option". Do you have jessie installed?

sha256sum --ignore-missing -c SHA256SUMS

https://ibb.co/iW5h49
They use the same option in the Wiki: https://friendsofdevuan.org/doku.php/de … rom_debian

sha256sum -c SHA256SUMS

https://ibb.co/ca7qrp

Re: [Solved] image verification: bad signature

dummy@example.com (fsmithred) — Fri, 28 Sep 2018 19:07:33 +0000

These two do the same thing. With the first one, it assumes you mean to use the file with the same name minus the .asc.

gpg --verify SHA256SUMS.asc
gpg --verify SHA256SUMS.asc SHA256SUMS

This didn't work:

$ sha256sum --ignore-missing -c SHA256SUMS
sha256sum: unrecognized option '--ignore-missing'
Try 'sha256sum --help' for more information.

To check a signed iso, I'd do this.

gpg --verify isofile.iso.asc

You could also use a different keyserver. I use MIT because it's just up the road from here, and I can remember pgp.mit.edu.

Re: [Solved] image verification: bad signature

dummy@example.com (HextorBRX) — Fri, 28 Sep 2018 15:34:21 +0000

I copy and paste the correct procedure since the devuan-devs.gpg method is used in the Wiki and the Release Notes: https://friendsofdevuan.org/doku.php/de … rom_debian
Feel free to add some commands if I have missed any. Thanks again.

sha256sum --ignore-missing -c SHA256SUMS
sha256sum  
open SHA256SUMS.txt with a text editor and compare the checksums

install the "dirmngr" package
gpg --fingerprint  https://devuan.org/os/team/
gpg --keyserver=pgp.mit.edu --recv-keys "wholefingerprint"
gpg --verify SHA256SUMS.asc
double-check that the fingerprint of the key matches that of the developer reported on https://devuan.org/os/team
gpg --verify SHA256SUMS.asc SHA256SUMS 
gpg --verify SHA256SUMS.asc  only if the ISO is signed, which is not the case 

alternative (not recommended)
gpg --import devuan-devs.gpg
gpg --no-default-keyring --keyring ./devuan-devs.gpg --verify SHA256SUMS.asc

Re: [Solved] image verification: bad signature

dummy@example.com (fsmithred) — Fri, 28 Sep 2018 13:23:04 +0000

HextorBRX wrote:

Is there a way to find the whole fingerprint beforehand? It only appears in the installer-iso README.txt (I have checked them all).
Edit: fetching the public key via the trusted keyserver requires the following package: dirmngr

If you have the key ID, you can get the fingerprint with

gpg --fingerprint

Oh, if you don't have the key ID, you can use the email address. Try it with mine, and you'll get a list.

I noticed that about dirmngr in ascii. That must be new - I don't have that package installed in jessie and gpg has always worked right.

Re: [Solved] image verification: bad signature

dummy@example.com (HextorBRX) — Fri, 28 Sep 2018 13:06:26 +0000

Did you try that?

https://ibb.co/nHZbwp
https://linuxmint.com/verify.php gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"

I got the whole fingerprint when I verified the signature: gpg --verify SHA256SUMS.asc or gpg --no-default-keyring --keyring ./devuan-devs.gpg --verify SHA256SUMS.asc after importing devuan-devs.gpg

Is there a way to find the whole fingerprint beforehand? It only appears in the installer-iso README.txt (I have checked them all).

Edit: fetching the public key via the trusted keyserver requires the following package: dirmngr

Re: [Solved] image verification: bad signature

dummy@example.com (fsmithred) — Fri, 28 Sep 2018 10:49:03 +0000

'Cause it's too much to type, and I got lucky and saw my own name when I used just eight characters. If someone else's name showed up, I'd use 16. I'm not sure if using the whole fingerprint number works with --recv-keys. Did you try that?

Re: [Solved] image verification: bad signature

dummy@example.com (HextorBRX) — Fri, 28 Sep 2018 10:35:21 +0000

I understand everything except the public key part.

You do that:
fsmithred: gpg --keyserver=pgp.mit.edu --recv-keys 094C5620
Katolaz: gpg --keyserver=pgp.mit.edu --recv-keys 0B5F062F

Since it's possible for two keys to have the same ID, the fingerprint gives you a more reliable indicator of whether it's the right key or not.

Then, why don't you do this instead?
fsmithred: gpg --keyserver=pgp.mit.edu --recv-keys "67F5 0132 1627 1E85 C251 E480 A738 23D3 094C 5620"

Re: [Solved] image verification: bad signature

dummy@example.com (fsmithred) — Thu, 27 Sep 2018 19:01:36 +0000

I'll tell you what I know. The digits before the key ID in the fingerprint are, well... the fingerprint. Since it's possible for two keys to have the same ID, the fingerprint gives you a more reliable indicator of whether it's the right key or not. I don't know how that gets calculated.

This will get my public key from a public keyserver.

gpg --keyserver=pgp.mit.edu --recv-keys 094c5620

Here's what I do to verify. I can't guarantee that it's right, but the output looks good.

$ gpg --verify SHA256SUMS.asc 
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 05:49:36 PM EDT using RSA key ID 094C5620
gpg: Good signature from "fsmithred (aka fsr) "

We don't sign the isos. We sign the SHA256SUMS file. If the checksum on the iso matched what's in the file we signed, it's good.

If I try to verify KatolaZ's signature on a computer that doesn't already have his public key, I get this (using the SHASUMS from the installer isos):

$ gpg --verify SHA256SUMS.asc 
gpg: assuming signed data in 'SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 06:55:55 PM UTC
gpg:                using DSA key 8E59D6AA445EFDB4A1533D5A5F20B3AE0B5F062F
gpg: Can't check signature: No public key

[Solved] image verification: bad signature

dummy@example.com (HextorBRX) — Thu, 27 Sep 2018 15:29:58 +0000

Hello

I read "bad signature" for every image I download when I run gpg --verify SHA256SUMS nameoftheiso

Here is what I do, in that order:
Verify the integrity of SHA256SUMS
sha256sum --ignore-missing -c SHA256SUMS
Verify the integrity of the ISO by comparing the output with that of the SHA256SUMS.txt
sha256sum nameoftheiso
Download and import the public key from https://files.devuan.org/
gpg --import devuan-devs.gpg
Verify the signature
gpg --no-default-keyring --keyring ./devuan-devs.gpg --verify SHA256SUMS.asc
double-check that the fingerprint of the key matches that of the developer reported on https://devuan.org/os/team
Verify that SHA256SUMS is signed by one of the devs
gpg --verify SHA256SUMS.asc SHA256SUMS
Verify that the ISO is signed by one of the devs
gpg --verify SHA256SUMS.asc nameoftheiso

There are quite a few things I would like to understand.
Firstly, I would like to understand why the last command returns "bad signature". That would be great!
https://ibb.co/hvADrp
Secondly, I would like to know the "correct procedure" to import the public key. I quote the Release Notes:

The 'devuan-devs.gpg' keyring is provided only for convenience. The most correct procedure to verify that the signatures are authentic is by downloading the relevant public keys from a trusted keyserver

So far, I have always downloaded the devuan-devs.gpg from the Devuan Download Zone.
Thirdly, I do not quite understand the primary key fingerprint on the screenshot below, more particularly the following numbers before the developer's GPG key: 67F5 0132 1627 1E85 C251 E480
https://ibb.co/fyyGBp

The 'devuan-devs.gpg' keyring is provided only for convenience. The most correct procedure to verify that the signatures are authentic is by downloading the relevant public keys from a trusted keyserver, double-check that the fingerprint of the key matches that of the developer reported on https://devuan.org/os/team and then use that key for verification.

Am I doing this right? I wonder

Many thanks