Re: [gentoo-user] ISO verification question.

[Michael <confabulate@kintzios.com>]

[-- Attachment #1: Type: text/plain, Size: 2980 bytes --]

Hi Γιώργος,

On Wednesday, 23 December 2020 20:00:28 GMT Γιώργος Κωστόπουλος wrote:
> Hi!  :-)
> 
> I just downloaded the minimal installation ISO and I was trying the
> verification instructions.
> I admit that I'm not any kind of gpg expert, so the results are
> somewhat confusing to me.
> Can someone shed some light on them?
> 
> Here's console's output:
> >gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> 
> gpg: Signature made Tue Dec 22 17:01:06 2020 EET
> gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
> gpg: Good signature from "Gentoo Linux Release Engineering (Automated
> Weekly Release Key) <releng@gentoo.org>" [unknown]

This is telling you the 'install-amd64-
minimal-20201222T005811Z.iso.DIGESTS.asc' file which contains hashes of the 
various files listed in it, has a valid signature - i.e. the hashes of these 
files have not been tampered with and they have been signed by the owner of 
the Gentoo Release Engineering key.

Have a look here for the published developer keys:

https://wiki.gentoo.org/wiki/Project:RelEng


> gpg: WARNING: This key is not certified with a trusted signature!

This is telling you the above public key has not been marked as trusted in 
your own gpg keyring.


> gpg:          There is no indication that the signature belongs to the
> owner.

This is to be expected, unless you have checked the fingerprint of the 
imported key yourself against the keys published in the URL I provided above 
and thereafter edited the key's level of trust to mark it as trusted in your 
gpg keyring;  e.g. you'd need to run:

gpg --edit-key <KEY ID>

and follow the options available for this gpg subcommand to edit the key's 
trust level.  This is not necessary for a key you'll only use once, as long as 
you satisfy yourself the key fingerprint below matches what is published on 
the RelEng project page.


> Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E
> 2D18 2910 Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6
> 043D gpg: WARNING: not a detached signature; file
> 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
> 
> and:
> >sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> 
> install-amd64-minimal-20201222T005811Z.iso: OK
> install-amd64-minimal-20201222T005811Z.iso: FAILED
> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
> sha512sum: WARNING: 14 lines are improperly formatted
> sha512sum: WARNING: 2 computed checksums did NOT match
> 
> 
> TIA!  :-)
> Giorgos.
> .

So the above output checked the sha512 hashes of all listed files and found 
some to be correct - you can use 'install-amd64-minimal-20201222T005811Z.iso' 
for your installation.  The failed checks above refer to a different hash e.g. 
sha256.

HTH.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]