Registered Member
Hi,
probably I'm doing something wrong here:
In preparation this went:
Any ideas?
This file:
https://files.kde.org/neon/images/user/ ... .sha256sum only contains this:
And this file: https://files.kde.org/neon/images/user/ ... 18.iso.sig contains this:
What Your command-line is missing is what the checksum and signature are checksumming and signing. Which is: The '*.iso'-file itself.
https://files.kde.org/neon/images/user/ ... 8-1118.iso

Edit: --verify
With more than one argument, the first argument should specify a file with a detached signature and the remaining files should contain the signed data.
==> gpg2 --verify *.sig *.iso <==

2nd Edit: Use 'sha256sum'-command with checksum-file.
Documentation:
a) 'man'-pages
b) 'info'-files

### Example ###
You have FreeBSD, and want to download "KDE neon"-installer

1/4) Download "KDE neon" Key:
https://keyserver.ubuntu.com/pks/lookup ... 00075E1D76
You get file: "lookup"
Import it into gpg:
gpg2 --import lookup

2/4) Download these additional 3 items:
$ ls -1
lookup
neon-user-20190418-1118.iso
neon-user-20190418-1118.iso.sig
neon-user-20190418-1118.sha256sum

3/4) Check download-integrity by visual inspection:
$ cat neon-user-20190418-1118.sha256sum | grep -o '^[^ ]+'; sha256 -q -c "e984a963ed5a8363554a9a2929317259d70231ef2fbbf14a985bda7fe1636e1e" neon-user-20190418-1118.iso
e984a963ed5a8363554a9a2929317259d70231ef2fbbf14a985bda7fe1636e1e
e984a963ed5a8363554a9a2929317259d70231ef2fbbf14a985bda7fe1636e1e
Both lines are identical. Flawlessly downloaded!

4/4) Check signature (download-origin):
$ gpg2 --verify neon-user-20190418-1118.iso.sig |& grep neon
gpg: assuming signed data in 'neon-user-20190418-1118.iso'
gpg: Good signature from "KDE neon ISO Signing Key <neon@kde.org>" [unknown]

Final Result: Everything is good. Download is verified.
Registered Member
Hi,
thanks to you I understood that the .iso.sig signs the .iso and not the .sha256sum as I assumed. Could have easily seen that by looking inside neon-user-20190418-1118.iso.sig, but probably was misguided by Ubuntu's way of handling SHA256SUMS. Cheers!
Edit: So, the .sha256sum-file isn't really needed to verify the .iso for correct download and origin, as gpg does both in one step, right?
Before checking the GnuPG-signature, You must be certain about the correctness of the download itself. Only then can You tell, afterwards, that the signature is wrong. By checking the checksum first, You know that You have to download the '*.iso'-file again if something went wrong the first time.
By the way: Multiple checksums are possible. It's necessary to know which one was used by the creators.
Registered Member
Why is that? If the signature of the whole ISO is okay, doesn't the download have to be correct? GPG checks the .sig-file with the public key 075E1D76 and checks the .iso with the signature. Getting a „WRONG Signature“-error, I could not determine if the download had a bit-flip or if someone hijacked the server and placed a corrupted ISO. Either way I would be warned. If there is no other reason to do it twice, I prefer the Ubuntu way: A SHA256SUM-file containing the hashes, which is signed via a SHA256SUM.gpg. Saves time:
Less time consuming:
Of course checksumming takes longer with the kubuntu-ISO as it is bigger.
If the signature-verification is successful, You are right.
But if the signature-verification is not successful, then You must have a way to tell WHY. Could be the signature. But who knows? Maybe it's only a faulty download or a faulty disk. The whole point here is: What to do next, if the signature-verification is _NOT_ successful.
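The checksum-then-signature ordering argued for in this reply, and the four-step procedure from the earlier example post, as one added shell script (example code written for this page, not code from the thread or from KDE neon). It assumes a coreutils-style sha256sum (with shasum and BSD sha256 as fallbacks), gpg2 or gpg for the signature step, and uses constructed file names and a constructed stand-in for the ISO; the distinct return codes are this example's own convention. The point it shows beyond the thread is that a failed check is reported as either "transfer error, download again" or "file intact, signature bad", which is exactly the distinction the reply asks for.

```shell
#!/bin/sh
# Added example: verify integrity (checksum) before origin (detached signature),
# so a failure can be attributed to a bad transfer or to a bad signature.
# Assumes sha256sum/shasum/sha256 and gpg2/gpg; file names are constructed.

# Hex SHA-256 of a file, using whichever tool the platform has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{print $1}'
    else sha256 -q "$1"; fi          # FreeBSD, as in the thread's example
}

# Integrity: compare the hash listed in a *.sha256sum file with the local file.
# Returns 0 on match, 1 on mismatch or missing input.
check_integrity() {
    iso="$1"; sumfile="$2"
    [ -f "$iso" ] && [ -f "$sumfile" ] || return 1
    expected=$(awk 'NR==1 {print $1}' "$sumfile")
    actual=$(sha256_of "$iso")
    [ "$expected" = "$actual" ]
}

# Origin: detached signature over the ISO, key must already be imported.
# Returns 0 on a good signature, 2 if gpg rejects it, 3 if gpg is not installed.
check_origin() {
    sig="$1"; iso="$2"
    if command -v gpg2 >/dev/null 2>&1; then GPG=gpg2
    elif command -v gpg >/dev/null 2>&1; then GPG=gpg
    else return 3; fi
    "$GPG" --verify "$sig" "$iso" >/dev/null 2>&1 || return 2
}

# Orchestrate in the order the thread recommends: integrity first, then origin.
# 0 = verified, 1 = transfer error (download again), 2 = bad signature, 3 = no gpg.
verify_download() {
    iso="$1"; sumfile="$2"; sig="$3"
    if ! check_integrity "$iso" "$sumfile"; then
        echo "checksum mismatch: download '$iso' again" >&2
        return 1
    fi
    rc=0
    check_origin "$sig" "$iso" || rc=$?
    case $rc in
        0) echo "checksum and signature OK" ;;
        2) echo "checksum OK but signature BAD: file is intact, origin is not trusted" >&2 ;;
        3) echo "checksum OK; gpg not available, signature not checked" >&2 ;;
    esac
    return $rc
}

# Demo on constructed data: an intact stand-in for the ISO and a damaged copy.
# Returns 0 when the intact file passes and the damaged one is rejected.
demo() {
    dir=$(mktemp -d)
    printf 'constructed ISO payload\n' > "$dir/image.iso"
    printf '%s  image.iso\n' "$(sha256_of "$dir/image.iso")" > "$dir/image.sha256sum"
    cp "$dir/image.iso" "$dir/corrupted.iso"
    printf 'X' >> "$dir/corrupted.iso"       # simulate a bit-flip / truncated transfer
    good=0; check_integrity "$dir/image.iso" "$dir/image.sha256sum" || good=$?
    bad=0;  check_integrity "$dir/corrupted.iso" "$dir/image.sha256sum" || bad=$?
    rm -rf "$dir"
    echo "intact file: rc=$good, corrupted file: rc=$bad"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

With real files the call is `verify_download neon-user-20190418-1118.iso neon-user-20190418-1118.sha256sum neon-user-20190418-1118.iso.sig` after `gpg2 --import` of the signing key; a return code of 1 means re-download, a 2 means the file is intact but the signature does not verify, which is the case that deserves attention rather than another download.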
Registered Member
I always have problems verifying checksums with Dolphin (wrong, non-matching checksum): why?