Hello
I read "bad signature" for every image I download when I run gpg --verify SHA256SUMS nameoftheiso
Here is what I do, in that order:
Verify the integrity of SHA256SUMS
sha256sum --ignore-missing -c SHA256SUMS
Verify the integrity of the ISO by comparing the output with that of the SHA256SUMS.txt
sha256sum nameoftheiso
Download and import the public key from https://files.devuan.org/
gpg --import devuan-devs.gpg
Verify the signature
gpg --no-default-keyring --keyring ./devuan-devs.gpg --verify SHA256SUMS.asc
double-check that the fingerprint of the key matches that of the developer reported on https://devuan.org/os/team
Verify that SHA256SUMS is signed by one of the devs
gpg --verify SHA256SUMS.asc SHA256SUMS
Verify that the ISO is signed by one of the devs
gpg --verify SHA256SUMS.asc nameoftheiso
There are quite a few things I would like to understand.
Firstly, I would like to understand why the last command returns "bad signature". That would be great!
https://ibb.co/hvADrp
Secondly, I would like to know the "correct procedure" to import the public key. I quote the Release Notes:
The 'devuan-devs.gpg' keyring is provided only for convenience. The most correct procedure to verify that the signatures are authentic is by downloading the relevant public keys from a trusted keyserver
So far, I have always downloaded the devuan-devs.gpg from the Devuan Download Zone.
Thirdly, I do not quite understand the primary key fingerprint on the screenshot below, more particularly the following numbers before the developer's GPG key: 67F5 0132 1627 1E85 C251 E480
https://ibb.co/fyyGBp
The 'devuan-devs.gpg' keyring is provided only for convenience. The most correct procedure to verify that the signatures are authentic is by downloading the relevant public keys from a trusted keyserver, double-check that the fingerprint of the key matches that of the developer reported on https://devuan.org/os/team and then use that key for verification.
Am I doing this right? I wonder.
Many thanks
Last edited by HextorBRX (2018-10-21 18:17:00)
Offline
I'll tell you what I know. The digits before the key ID in the fingerprint are, well... the fingerprint. Since it's possible for two keys to have the same ID, the fingerprint gives you a more reliable indicator of whether it's the right key or not. I don't know how that gets calculated.
This will get my public key from a public keyserver.
gpg --keyserver=pgp.mit.edu --recv-keys 094c5620
Here's what I do to verify. I can't guarantee that it's right, but the output looks good.
$ gpg --verify SHA256SUMS.asc
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 05:49:36 PM EDT using RSA key ID 094C5620
gpg: Good signature from "fsmithred (aka fsr) <fsmithred@gmail.com>"
We don't sign the isos. We sign the SHA256SUMS file. If the checksum on the iso matched what's in the file we signed, it's good.
If I try to verify KatolaZ's signature on a computer that doesn't already have his public key, I get this (using the SHASUMS from the installer isos):
$ gpg --verify SHA256SUMS.asc
gpg: assuming signed data in 'SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 06:55:55 PM UTC
gpg: using DSA key 8E59D6AA445EFDB4A1533D5A5F20B3AE0B5F062F
gpg: Can't check signature: No public key
Offline
I understand everything except the public key part.
You do that:
fsmithred: gpg --keyserver=pgp.mit.edu --recv-keys 094C5620
Katolaz: gpg --keyserver=pgp.mit.edu --recv-keys 0B5F062F
Since it's possible for two keys to have the same ID, the fingerprint gives you a more reliable indicator of whether it's the right key or not.
Then, why don't you do this instead?
fsmithred: gpg --keyserver=pgp.mit.edu --recv-keys "67F5 0132 1627 1E85 C251 E480 A738 23D3 094C 5620"
Offline
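On the point raised in the last two posts, full fingerprint versus the eight-character key ID, here is an added example in shell (not code from the thread or from Devuan). It shows that the key ID gpg prints is simply the tail of the fingerprint, refuses to treat a bare key ID as an identity check, and parses the machine-readable `gpg --with-colons --fingerprint` listing instead of the pretty one. The two fingerprints are the ones quoted in this thread; the colon-format listing used for testing is constructed, not captured from a real keyring.

```sh
#!/bin/sh
# Added example (not code from the thread or from Devuan): how an OpenPGP
# fingerprint relates to the 8- and 16-digit key IDs gpg prints, and why the
# comparison against the value published at https://devuan.org/os/team should
# be made on the full fingerprint. The fingerprints are the thread's own.

# Canonical form: no spaces, upper-case hex. "67F5 0132 ..." -> "67F50132..."
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# A v4 fingerprint is 40 hex digits (the SHA-1 hash of the public key packet).
# The "long" key ID is its last 16 digits and the "short" ID its last 8, so the
# digits in front of the key ID are not extra data: they are the rest of the
# fingerprint.
long_keyid()  { normalize_fpr "$1" | tail -c 16; }
short_keyid() { normalize_fpr "$1" | tail -c 8; }

# fpr_matches <candidate> <published-fingerprint>
#   0: a full 40-digit fingerprint, identical to the published one
#   1: candidate is not hex, or is a 40-digit fingerprint that differs
#   2: candidate is only a key ID; distinct keys can share a short key ID,
#      and a long ID is not guaranteed unique either, so it is not accepted
fpr_matches() {
    cand=$(normalize_fpr "$1")
    want=$(normalize_fpr "$2")
    case "$cand" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#cand}" -eq 40 ] || return 2
    [ "$cand" = "$want" ]
}

# fpr_from_colons: read `gpg --with-colons --fingerprint <id>` output on stdin
# and print the first primary-key fingerprint (field 10 of the "fpr" record).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Stand-alone demo on the thread's values (no network access).
if [ "${1:-}" = "demo" ]; then
    FSR='67F5 0132 1627 1E85 C251 E480 A738 23D3 094C 5620'
    echo "short ID: $(short_keyid "$FSR")   long ID: $(long_keyid "$FSR")"
    fpr_matches 094C5620 "$FSR"; echo "compare on short ID  -> exit $? (rejected)"
    fpr_matches "$FSR" "$FSR";  echo "compare on fingerprint -> exit $?"
fi
```

Run it as `sh fpr.sh demo` to see the derivation; in a verification script, call `fpr_matches` with the fingerprint gpg reports and the one copied from the team page, and treat anything but exit 0 as a failure.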
'Cause it's too much to type, and I got lucky and saw my own name when I used just eight characters. If someone else's name showed up, I'd use 16. I'm not sure if using the whole fingerprint number works with --recv-keys. Did you try that?
Offline
Did you try that?
https://ibb.co/nHZbwp
https://linuxmint.com/verify.php
gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
I got the whole fingerprint when I verified the signature: gpg --verify SHA256SUMS.asc or gpg --no-default-keyring --keyring ./devuan-devs.gpg --verify SHA256SUMS.asc after importing devuan-devs.gpg
Is there a way to find the whole fingerprint beforehand? It only appears in the installer-iso README.txt (I have checked them all).
Edit: fetching the public key via the trusted keyserver requires the following package: dirmngr
Last edited by HextorBRX (2018-09-28 13:16:09)
Offline
Is there a way to find the whole fingerprint beforehand? It only appears in the installer-iso README.txt (I have checked them all).
Edit: fetching the public key via the trusted keyserver requires the following package: dirmngr
If you have the key ID, you can get the fingerprint with
gpg --fingerprint <key-id>
Oh, if you don't have the key ID, you can use the email address. Try it with mine, and you'll get a list.
I noticed that about dirmngr in ascii. That must be new - I don't have that package installed in jessie and gpg has always worked right.
Offline
I copy and paste the correct procedure since the devuan-devs.gpg method is used in the Wiki and the Release Notes: https://friendsofdevuan.org/doku.php/de … rom_debian
Feel free to add some commands if I have missed any. Thanks again.
sha256sum --ignore-missing -c SHA256SUMS
sha256sum <isoname>
open SHA256SUMS.txt with a text editor and compare the checksums
install the "dirmngr" package
gpg --fingerprint <key-id>
https://devuan.org/os/team/
gpg --keyserver=pgp.mit.edu --recv-keys "wholefingerprint"
gpg --verify SHA256SUMS.asc
double-check that the fingerprint of the key matches that of the developer reported on https://devuan.org/os/team
gpg --verify SHA256SUMS.asc SHA256SUMS
gpg --verify SHA256SUMS.asc <isoname> only if the ISO is signed, which is not the case
alternative (not recommended)
gpg --import devuan-devs.gpg
gpg --no-default-keyring --keyring ./devuan-devs.gpg --verify SHA256SUMS.asc
Last edited by HextorBRX (2018-09-28 15:36:15)
Offline
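Following the procedure listed above, an added example in shell (not code from the thread, the Wiki or Devuan) of checking not only that SHA256SUMS.asc verifies but that the signing key is the expected one: gpg exits 0 for a good signature from any key in the keyring, so comparing the signer's fingerprint is a separate step. It uses gpg's `--status-fd` option, which emits machine-readable status lines, rather than grepping the human-readable "Good signature" text. The expected fingerprint is the one quoted earlier in this thread and would normally be copied from https://devuan.org/os/team; the status lines used as sample input are constructed to follow gpg's documented format, not captured output.

```sh
#!/bin/sh
# Added example (not code from the thread, the Wiki or Devuan): verify the
# detached signature on SHA256SUMS and confirm *which* key made it, using the
# machine-readable lines gpg writes with --status-fd. The expected fingerprint
# is the thread's value for fsmithred's key; take it from the team page.

normalize_fpr() { printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'; }

# check_status <expected-fingerprint>   (reads --status-fd lines on stdin)
# A VALIDSIG line carries the signing key's fingerprint in its first field
# and, when a subkey signed, the primary key's fingerprint in its last field.
#   0: a valid signature from the expected key
#   1: no acceptable signature (BADSIG, ERRSIG, NO_PUBKEY, expired or revoked key)
#   3: a valid signature, but from some other key in the keyring
check_status() {
    want=$(normalize_fpr "$1")
    valid=0; bad=0; by_expected=0; reason="no VALIDSIG line"
    while IFS=' ' read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            VALIDSIG)
                valid=1
                set -- $rest                          # split the status fields
                sig_fpr=$(normalize_fpr "$1")
                last=""
                for w in "$@"; do last=$w; done       # primary fingerprint, if present
                if [ "$sig_fpr" = "$want" ] || [ "$(normalize_fpr "$last")" = "$want" ]; then
                    by_expected=1
                fi ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                bad=1; reason=$kw ;;
        esac
    done
    if [ "$valid" -ne 1 ] || [ "$bad" -eq 1 ]; then
        echo "signature not acceptable: $reason" >&2; return 1
    fi
    if [ "$by_expected" -ne 1 ]; then
        echo "valid signature, but not from $want" >&2; return 3
    fi
    echo "SHA256SUMS signed by $want"
}

# verify_sums <SHA256SUMS.asc> <SHA256SUMS> <keyring-file> <expected-fingerprint>
# A dedicated keyring (as in the Release Notes) keeps keys from the user's
# default keyring from satisfying the check by accident. Status lines go to
# stdout via --status-fd 1; gpg's human-readable diagnostics go to stderr.
verify_sums() {
    gpg --no-default-keyring --keyring "$3" --status-fd 1 \
        --verify "$1" "$2" 2>/dev/null | check_status "$4"
}

# Stand-alone use, e.g.:
#   verify_sums SHA256SUMS.asc SHA256SUMS ./devuan-devs.gpg \
#       '67F5 0132 1627 1E85 C251 E480 A738 23D3 094C 5620'
```

The fingerprint passed to `verify_sums` must come from an out-of-band source (the team page), not from the keyring or the signature itself; otherwise the comparison proves nothing beyond what gpg's exit code already says.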
These two do the same thing. With the first one, it assumes you mean to use the file with the same name minus the .asc.
gpg --verify SHA256SUMS.asc
gpg --verify SHA256SUMS.asc SHA256SUMS
This didn't work:
$ sha256sum --ignore-missing -c SHA256SUMS
sha256sum: unrecognized option '--ignore-missing'
Try 'sha256sum --help' for more information.
To check a signed iso, I'd do this.
gpg --verify isofile.iso.asc
You could also use a different keyserver. I use MIT because it's just up the road from here, and I can remember pgp.mit.edu.
Offline
Ok, it makes sense.
I am surprised --ignore-missing returns "unrecognized option". Do you have jessie installed?
sha256sum --ignore-missing -c SHA256SUMS
https://ibb.co/iW5h49
They use the same option in the Wiki: https://friendsofdevuan.org/doku.php/de … rom_debian
sha256sum -c SHA256SUMS
Offline
Yeah, I get the "unknown option" message in jessie, but not in ascii. The option is not mentioned in the jessie man page but is in the ascii man page.
Offline
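Since `--ignore-missing` is rejected by the sha256sum in jessie, here is an added example in shell (not code from the thread, the Wiki or Devuan) that gets the same effect portably: pick out only the SHA256SUMS entry naming the ISO you have and feed that single line to `-c`, and treat an ISO that is not listed at all as a failure rather than silently skipping it. The file names and contents are constructed in a temporary directory; nothing is downloaded.

```sh
#!/bin/sh
# Added example (not code from the thread or from Devuan): check one
# downloaded ISO against SHA256SUMS without sha256sum --ignore-missing,
# which the jessie coreutils do not know. Select the one line that names
# the file you actually have and verify only that line.

# Coreutils sha256sum where present; Perl's shasum as a fallback.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"; else echo "shasum -a 256"; fi
}

# check_iso_sum <iso-path> <SHA256SUMS-path>
#   0: listed and the checksum matches
#   1: listed but the checksum differs, or the file cannot be read
#   2: not listed at all, which --ignore-missing would pass over in silence
check_iso_sum() {
    iso=$1; sums=$2
    name=$(basename "$iso")
    # Entries look like "<64 hex digits>  <file name>". Compare the name field
    # exactly so "foo.iso" does not also match "foo.iso.asc" or similar.
    entry=$(awk -v n="$name" '$2 == n { print; exit }' "$sums")
    [ -n "$entry" ] || return 2
    hash=${entry%% *}
    case "$hash" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#hash}" -eq 64 ] || return 1
    # Run the check from the ISO's directory so the bare name in the entry
    # resolves to the local file; the tool's exit status is ours.
    ( cd "$(dirname "$iso")" && printf '%s  %s\n' "$hash" "$name" | $(sha256_tool) -c - >/dev/null 2>&1 )
}

# make_fixture: constructed data for the demo. Writes a SHA256SUMS listing
# three images, of which only two exist locally and one of those was altered
# after the sums were produced. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    printf 'constructed ISO payload\n' > "$dir/devuan_demo.iso"
    printf 'constructed ISO payload, altered\n' > "$dir/devuan_tampered.iso"
    good=$( $(sha256_tool) "$dir/devuan_demo.iso" | cut -d' ' -f1 )
    {
        printf '%s  devuan_demo.iso\n' "$good"
        printf '%s  devuan_tampered.iso\n' "$good"
        printf '%s  devuan_other.iso\n' "$good"
    } > "$dir/SHA256SUMS"
    echo "$dir"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    for f in devuan_demo.iso devuan_tampered.iso devuan_other.iso devuan_missing.iso; do
        check_iso_sum "$d/$f" "$d/SHA256SUMS"; echo "$f -> exit $?"
    done
    rm -rf "$d"
fi
```

Against a real download the call is simply `check_iso_sum ./devuan_something.iso ./SHA256SUMS`, run after the signature on SHA256SUMS has been verified; a checksum from an unverified SHA256SUMS only proves the download was not corrupted in transit.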
Hello
I cannot retrieve the fingerprint anymore, while it worked two days ago. I have tried your GPG key and Katolaz's.
gpg --fingerprint GPGkey/email address
gpg: error reading key: no public key
Last edited by HextorBRX (2018-10-01 10:12:17)
Offline
It's not working for me today, either. I can --search-keys with my email address and get a list of my public keys. I can't get the fingerprints and I can't --recv-keys. Also can't --refresh-keys on my main machine - I get "keyserver error" with that.
Searching my email address on the web interface at pgp.mit.edu also fails with:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /pks/lookup.Reason: Error reading from remote server
The problem is with them, not with us.
Offline