This forum has been archived. All content is frozen. Please use KDE Discuss instead.

verify download with GPG fails

ses (Registered Member)

verify download with GPG fails

Sat Apr 27, 2019 11:10 pm
Hi,
probably Im doing something wrong here:

Code:
$ gpg --verify neon-user-20190418-1118.iso.sig neon-user-20190418-1118.sha256sum
gpg: Unterschrift vom Do 18 Apr 2019 13:30:30 CEST mittels RSA-Schlüssel ID 075E1D76
gpg: FALSCHE Unterschrift von »KDE neon ISO Signing Key <neon@kde.org>«


In preparation this went:
Code:
$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "0xdeacea00075e1d76"
gpg: Schlüssel 075E1D76 von hkp-Server keyserver.ubuntu.com anfordern
gpg: Schlüssel 075E1D76: Öffentlicher Schlüssel "KDE neon ISO Signing Key <neon@kde.org>" importiert
gpg: Keine uneingeschränkt vertrauenswürdigen Schlüssel gefunden
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:               importiert: 1  (RSA: 1)

Code:
$ gpg --list-keys --with-fingerprint 0xDEACEA00075E1D76
pub   4096R/075E1D76 2016-06-06
      Schl.-Fingerabdruck = 348C 8651 2066 33FD 983A  8FC4 DEAC EA00 075E 1D76
uid                  KDE neon ISO Signing Key <neon@kde.org>
sub   4096R/4DF5D0FC 2016-06-06

Any ideas?
NoNameNoBlame
This file:

https://files.kde.org/neon/images/user/ ... .sha256sum

only contains this:

Code:
e984a963ed5a8363554a9a2929317259d70231ef2fbbf14a985bda7fe1636e1e  neon-user-20190418-1118.iso


And this file:

https://files.kde.org/neon/images/user/ ... 18.iso.sig

contains this:
Code:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABAgAGBQJcuF/WAAoJEN6s6gAHXh12pyMP/2VrzlegVKAVIicHM+d/A/pi
L6eZi2BQI7UALeruhq0wO609w81fQ4RcJat0o5uLyCU9AiEqqWfNBfHfYljg6YMs
CwNyk3XQy/wkaBKobpIZM7B34rOtKRqtC9Zp44BK/mWxjD8URyp/ZhQpzyQydVfk
RtaS8XLwmaakQNB29VfpUMRTNbycI0nXUhJxqOAl+Ogd0QST3wy4xfYV2T4hNOF7
ySRfv56Mfh1G6zEquaIbvUCt4LSIbMNIjnwQFBVEAbEbtKu/CKXF4wcwzUuiwX5p
/Djvoc/Cy2l8oodY9+MKsgmP+uz8v3nP+PUwPV2Lh0I2CRV0bGbffKHiI0bC+HXj
6j81P3A5x98wjPSCZLlYcuemrxnD9AzVXo9E7eNXq+1CzF9YrQlUbKcelQGw0tC2
1lJ8iN2IwJkoYJ5XISPH80bJcpf4fdUlpHSsx8i1l4yR55vnqp4nrP1b7mGQ96gP
8DuxB4eafoDEWuS36wn5DeqdUoron19yAryj6cEoheNA6cSbgacnbFgi5qZ/+DGh
IXbGgLy7Tuxk07DGxVdX2lKgdHehduHnSJXuTUH6BUh3WTXS2LmaKhte/K9EEZwB
AB4+XEkYa8F+LXR2z3NTPvZSVgNS9AfSqYi+BsP98XnmdTE7iZSUJX75qW10Jg8f
GW37kJrwBs6wdaheFKoA
=n9mm
-----END PGP SIGNATURE-----


What Your command-line is missing is what the checksum and signature
are checksumming and signing. Which is: The '*.iso'-file itself.

https://files.kde.org/neon/images/user/ ... 8-1118.iso

Edit:

--verify
With more than one argument, the first argument should specify a file
with a detached signature and the remaining files should contain the
signed data.

==> gpg2 --verify *.sig *.iso <==

2nd Edit:

Use 'sha256sum'-command with checksum-file.

Documentation:
a) 'man'-pages
b) 'info'-files

### Example ###

You have FreeBSD, and want to download "KDE neon"-installer

1/4)

Download "KDE neon" Key:

https://keyserver.ubuntu.com/pks/lookup ... 00075E1D76

You get file: "lookup"
Import it into gpg:

gpg2 --import lookup

2/4)
Download these additional 3 items:

$ ls -1

lookup
neon-user-20190418-1118.iso
neon-user-20190418-1118.iso.sig
neon-user-20190418-1118.sha256sum

3/4)
Check download-integrity by visual inspection:

$ grep -E -o '^[^ ]+' neon-user-20190418-1118.sha256sum; sha256 -q -c "e984a963ed5a8363554a9a2929317259d70231ef2fbbf14a985bda7fe1636e1e" neon-user-20190418-1118.iso

e984a963ed5a8363554a9a2929317259d70231ef2fbbf14a985bda7fe1636e1e
e984a963ed5a8363554a9a2929317259d70231ef2fbbf14a985bda7fe1636e1e

Both lines are identical. Flawlessly downloaded!

4/4)
Check signature (download-origin):

$ gpg2 --verify neon-user-20190418-1118.iso.sig |& grep neon

gpg: assuming signed data in 'neon-user-20190418-1118.iso'
gpg: Good signature from "KDE neon ISO Signing Key <neon@kde.org>" [unknown]

Final Result: Everything is good. Download is verified.
ses (Registered Member)

Re: verify download with GPG fails

Sun Apr 28, 2019 1:53 pm
Hi,
thanks to you I understood that the .iso.sig signs the .iso and not the .sha256sum as I assumed. :) Could have easily seen that by looking inside neon-user-20190418-1118.iso.sig, but probably was misguided by Ubuntu's way of handling SHA256SUMS.

Cheers!

Edit: So, the .sha256sum-file isn’t really needed to verify the .iso for correct download and origin, as gpg does both in one step, right?
NoNameNoBlame

Re: verify download with GPG fails

Sun Apr 28, 2019 2:31 pm
Before checking the GnuPG-signature, You must
be certain about the correctness of the downloading before it.

Only then You can tell - afterwards - that the signature is wrong.
By checking the checksum first, You know that You have to download the
'*.iso'-file again if something went wrong the first time.

By the way: Multiple checksums are possible.

Code:
$ gpg2 --print-mds neon-user-20190418-1118.iso

neon-user-20190418-1118.iso:    MD5 = 73 CA 53 47 58 6D E2 CC  DC 14 C5 FB 73 99
                                      BF 5D
neon-user-20190418-1118.iso:   SHA1 = 0AA3 D541 FC87 2CAC 00EC  96AA 8B63 47AE
                                      1818 1ADB
neon-user-20190418-1118.iso: RMD160 = C28E 7D54 D132 3ECB 1BEB  00DD E78C 5573
                                      48CA B1B2
neon-user-20190418-1118.iso: SHA224 = DE098F1A 5C5F9E60 0CD5907D BD42E5EF
                                      9F5F281F AEC83027 E25225DA
neon-user-20190418-1118.iso: SHA256 = E984A963 ED5A8363 554A9A29 29317259
                                      D70231EF 2FBBF14A 985BDA7F E1636E1E
neon-user-20190418-1118.iso: SHA384 = 5B16CAEE FE3FD217 FA194AAB 06BDACC2
                                      6A19F706 56FB60A9 CA06F612 6299B7B5
                                      181AA569 5B733183 2D869048 D323B2ED
neon-user-20190418-1118.iso: SHA512 = B50912FF 65BB3393 0A7A885B 5231914B
                                      A705A159 FF6DD816 4007E93A 67A29FC7
                                      000D669B C2399970 50E61C86 DCDB8EF0
                                      1420D4C8 D526699C 85E64FC0 CF6F2DD7



It's necessary to know, which one was used by the creators.
ses (Registered Member)

Re: verify download with GPG fails

Sun Apr 28, 2019 3:47 pm
NoNameNoBlame wrote:
Before checking the GnuPG-signature, You must be certain about the correctness of the downloading before it.
Only then You can tell - afterwards - that the signature is wrong.


Why is that? If the signature of the whole ISO is okay, doesn't the download have to be correct? GPG checks the .sig-file with the public key 075E1D76 and checks the .iso with the signature. Getting a „WRONG Signature“-error, I could not determine if the download had a bit-flip or if someone hijacked the server and placed a corrupted ISO. Either way I would be warned.
If there is no other reason to do it twofold, I prefer the Ubuntu way: A SHA256SUM-file containing the hashes which is signed via a SHA256SUM.gpg. Saves time:
Code:
$ time sha256sum -c neon-user-20190418-1118.sha256sum 2>&1
neon-user-20190418-1118.iso: OK

real   0m9.287s
user   0m8.736s
sys   0m0.377s
$ time gpg --verify neon-user-20190418-1118.iso.sig neon-user-20190418-1118.iso
gpg: Unterschrift vom Do 18 Apr 2019 13:30:30 CEST mittels RSA-Schlüssel ID 075E1D76
gpg: Korrekte Unterschrift von »KDE neon ISO Signing Key <neon@kde.org>«
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = 348C 8651 2066 33FD 983A  8FC4 DEAC EA00 075E 1D76

real   0m8.964s
user   0m8.199s
sys   0m0.724s

Less time consuming:
Code:
$ time sha256sum --ignore-missing -c SHA256SUMS
kubuntu-19.04-desktop-amd64.iso: OK

real   0m11.262s
user   0m10.735s
sys   0m0.487s
$ time gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Unterschrift vom Mi 17 Apr 2019 19:41:08 CEST mittels DSA-Schlüssel ID FBB75451
gpg: Korrekte Unterschrift von »Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>«
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
gpg: Unterschrift vom Mi 17 Apr 2019 19:41:08 CEST mittels RSA-Schlüssel ID EFE21092
gpg: Korrekte Unterschrift von »Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>«
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092

real   0m0.013s
user   0m0.008s
sys   0m0.004s

Of course checksumming takes longer with the kubuntu-ISO as it is bigger.
NoNameNoBlame

Re: verify download with GPG fails

Sun Apr 28, 2019 3:57 pm
If the signature-verification is successful, You are right.

But if the signature-verification is not successful,
then You must have a way to tell WHY.

Could be the signature. But who knows?
Maybe it's only a faulty download or a faulty disk.

The whole point here is:

What to do next, if the signature-verification is
_NOT_ successful.
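The procedure NoNameNoBlame laid out in the first answer (checksum the .iso, then verify the detached .iso.sig over the .iso itself) and the point made just above (check the checksum first so that a failed signature check can be blamed on the download or on the signature) can be scripted so the two failure causes are reported separately. The script below is an added example, not code from the thread or from KDE neon. The file names and the fingerprint 348C 8651 2066 33FD 983A 8FC4 DEAC EA00 075E 1D76 are the ones shown in the thread; the function names are this example's own. Instead of accepting any "Good signature" (which gpg also prints for a key that is merely [unknown] in the web of trust), it pins the expected fingerprint and reads gpg's machine-readable `--status-fd` lines, so a signature from some other key that reuses the "KDE neon ISO Signing Key <neon@kde.org>" user-id is rejected.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded image the way the thread settles on:
# checksum first, then the detached GnuPG signature over the .iso itself,
# with the signing key's fingerprint pinned rather than trusted from a
# keyserver lookup. File names and fingerprint come from the thread; the
# helper names are this example's own.

# Fingerprint printed by `gpg --list-keys --with-fingerprint` in the thread,
# written without spaces because that is how --status-fd reports it.
NEON_ISO_KEY_FPR="348C8651206633FD983A8FC4DEACEA00075E1D76"

# Read GnuPG --status-fd lines on stdin and succeed only for a VALIDSIG whose
# signing-key or primary-key fingerprint equals the pinned one. BADSIG,
# NO_PUBKEY and a VALIDSIG from a different key all fail.
signed_by_pinned_key() {
    pinned="$1"
    awk -v want="$pinned" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# Step 1: compare the published SHA256 with the file. The .sha256sum file has
# the usual "<hex>  <name>" layout, so the checksum tool must run in its
# directory. Exit status 0 means the download is intact; anything else means
# download again before suspecting the signature.
check_sha256() {
    sumfile="$1"
    dir=$(dirname "$sumfile")
    name=$(basename "$sumfile")
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$dir" && sha256sum -c --status "$name")
    else
        (cd "$dir" && shasum -a 256 -c --status "$name")   # e.g. macOS/BSD
    fi
}

# Step 2: the detached .iso.sig signs the .iso, not the .sha256sum (the
# thread's original mistake), so the .iso is passed as the signed data.
check_signature() {
    sig="$1"; data="$2"; pinned="$3"
    gpg --status-fd 1 --verify "$sig" "$data" 2>/dev/null \
        | signed_by_pinned_key "$pinned"
}

# Run both checks in that order and say which one failed: status 1 is a
# corrupt download, status 2 is an intact file whose signature is bad or
# made by a key other than the pinned one.
verify_download() {
    iso="$1"
    if ! check_sha256 "${iso%.iso}.sha256sum"; then
        echo "checksum mismatch: download is corrupt, fetch it again" >&2
        return 1
    fi
    if ! check_signature "$iso.sig" "$iso" "$NEON_ISO_KEY_FPR"; then
        echo "checksum OK but signature invalid or not from the pinned key" >&2
        return 2
    fi
    echo "verified: $iso"
}

# Usage: ./verify-neon.sh neon-user-20190418-1118.iso
# (expects neon-user-20190418-1118.sha256sum and .iso.sig next to it)
if [ -n "${1:-}" ]; then
    verify_download "$1"
fi
```

Because the checksum runs first, a non-zero exit of 1 tells you to re-download, while an exit of 2 means the bytes match what the publisher listed yet the signature does not check out against the pinned key, which is the case worth investigating rather than retrying.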
ses (Registered Member)

Re: verify download with GPG fails

Sun Apr 28, 2019 10:25 pm
Cheers for making this clear! 8)
duns (Registered Member)

Re: verify download with GPG fails

Mon May 01, 2023 2:58 pm
I always have problems verifying the checksum with Dolphin (wrong, not matching checksum): why?
