public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] ISO verification question.
@ 2020-12-23 20:00 Γιώργος Κωστόπουλος
  2020-12-24  0:34 ` Michael
  0 siblings, 1 reply; 6+ messages in thread
From: Γιώργος Κωστόπουλος @ 2020-12-23 20:00 UTC (permalink / raw
  To: gentoo-user

Hi!  :-)

I just downloaded the minimal installation ISO and I was trying the
verification instructions.
I admit that I'm not any kind of gpg expert, so the results are
somewhat confusing to me.
Can someone shed some light on them?

Here's console's output:
>gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
gpg: Signature made Tue Dec 22 17:01:06 2020 EET
gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
gpg: Good signature from "Gentoo Linux Release Engineering (Automated
Weekly Release Key) <releng@gentoo.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
    Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D
gpg: WARNING: not a detached signature; file
'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
>
and:

>sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
install-amd64-minimal-20201222T005811Z.iso: OK
install-amd64-minimal-20201222T005811Z.iso: FAILED
install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
sha512sum: WARNING: 14 lines are improperly formatted
sha512sum: WARNING: 2 computed checksums did NOT match
>

TIA!  :-)
Giorgos.
.



* Re: [gentoo-user] ISO verification question.
  2020-12-23 20:00 [gentoo-user] ISO verification question Γιώργος Κωστόπουλος
@ 2020-12-24  0:34 ` Michael
  2020-12-24  2:29   ` Γιώργος Κωστόπουλος
  0 siblings, 1 reply; 6+ messages in thread
From: Michael @ 2020-12-24  0:34 UTC (permalink / raw
  To: gentoo-user


Hi Γιώργος,

On Wednesday, 23 December 2020 20:00:28 GMT Γιώργος Κωστόπουλος wrote:
> Hi!  :-)
> 
> I just downloaded the minimal installation ISO and I was trying the
> verification instructions.
> I admit that I'm not any kind of gpg expert, so the results are
> somewhat confusing to me.
> Can someone shed some light on them?
> 
> Here's console's output:
> >gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> 
> gpg: Signature made Tue Dec 22 17:01:06 2020 EET
> gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
> gpg: Good signature from "Gentoo Linux Release Engineering (Automated
> Weekly Release Key) <releng@gentoo.org>" [unknown]

This is telling you the 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc'
file, which contains hashes of the various files listed in it, has a valid
signature - i.e. the hashes of these files have not been tampered with and they
have been signed by the owner of the Gentoo Release Engineering key.

Have a look here for the published developer keys:

https://wiki.gentoo.org/wiki/Project:RelEng


> gpg: WARNING: This key is not certified with a trusted signature!

This is telling you the above public key has not been marked as trusted in 
your own gpg keyring.


> gpg:          There is no indication that the signature belongs to the
> owner.

This is to be expected, unless you have checked the fingerprint of the 
imported key yourself against the keys published in the URL I provided above 
and thereafter edited the key's level of trust to mark it as trusted in your 
gpg keyring;  e.g. you'd need to run:

gpg --edit-key <KEY ID>

and follow the options available for this gpg subcommand to edit the key's 
trust level.  This is not necessary for a key you'll only use once, as long as 
you satisfy yourself the key fingerprint below matches what is published on 
the RelEng project page.


> Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
>     Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D
> gpg: WARNING: not a detached signature; file
> 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
> 
> and:
> >sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> 
> install-amd64-minimal-20201222T005811Z.iso: OK
> install-amd64-minimal-20201222T005811Z.iso: FAILED
> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
> sha512sum: WARNING: 14 lines are improperly formatted
> sha512sum: WARNING: 2 computed checksums did NOT match
> 
> 
> TIA!  :-)
> Giorgos.
> .

So the above output checked the sha512 hashes of all listed files and found 
some to be correct - you can use 'install-amd64-minimal-20201222T005811Z.iso' 
for your installation.  The failed checks above refer to a different hash e.g. 
sha256.

HTH.


* Re: [gentoo-user] ISO verification question.
  2020-12-24  0:34 ` Michael
@ 2020-12-24  2:29   ` Γιώργος Κωστόπουλος
  2020-12-24  7:31     ` bobwxc
  2020-12-24 10:36     ` Michael
  0 siblings, 2 replies; 6+ messages in thread
From: Γιώργος Κωστόπουλος @ 2020-12-24  2:29 UTC (permalink / raw
  To: gentoo-user

On Thu, 24 Dec 2020 at 2:34 a.m., Michael
<confabulate@kintzios.com> wrote:
>
> Hi Γιώργος,
>
> On Wednesday, 23 December 2020 20:00:28 GMT Γιώργος Κωστόπουλος wrote:
> > Hi!  :-)
> >
> > I just downloaded the minimal installation ISO and I was trying the
> > verification instructions.
> > I admit that I'm not any kind of gpg expert, so the results are
> > somewhat confusing to me.
> > Can someone shed some light on them?
> >
> > Here's console's output:
> > >gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> >
> > gpg: Signature made Tue Dec 22 17:01:06 2020 EET
> > gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
> > gpg: Good signature from "Gentoo Linux Release Engineering (Automated
> > Weekly Release Key) <releng@gentoo.org>" [unknown]
>
> This is telling you the 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc'
> file, which contains hashes of the various files listed in it, has a valid
> signature - i.e. the hashes of these files have not been tampered with and they
> have been signed by the owner of the Gentoo Release Engineering key.
>
> Have a look here for the published developer keys:
>
> https://wiki.gentoo.org/wiki/Project:RelEng
>
>
> > gpg: WARNING: This key is not certified with a trusted signature!
>
> This is telling you the above public key has not been marked as trusted in
> your own gpg keyring.
>
>
> > gpg:          There is no indication that the signature belongs to the
> > owner.
>
> This is to be expected, unless you have checked the fingerprint of the
> imported key yourself against the keys published in the URL I provided above
> and thereafter edited the key's level of trust to mark it as trusted in your
> gpg keyring;  e.g. you'd need to run:
>
> gpg --edit-key <KEY ID>
>
> and follow the options available for this gpg subcommand to edit the key's
> trust level.  This is not necessary for a key you'll only use once, as long as
> you satisfy yourself the key fingerprint below matches what is published on
> the RelEng project page.
>
>
> > Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
> >     Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D
> > gpg: WARNING: not a detached signature; file
> > 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
> >
> > and:
> > >sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> >
> > install-amd64-minimal-20201222T005811Z.iso: OK
> > install-amd64-minimal-20201222T005811Z.iso: FAILED
> > install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
> > install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
> > sha512sum: WARNING: 14 lines are improperly formatted
> > sha512sum: WARNING: 2 computed checksums did NOT match
> >
> >
> > TIA!  :-)
> > Giorgos.
> > .
>
> So the above output checked the sha512 hashes of all listed files and found
> some to be correct - you can use 'install-amd64-minimal-20201222T005811Z.iso'
> for your installation.  The failed checks above refer to a different hash e.g.
> sha256.
>
> HTH.

THANKS Michael for your help!!!

What confused me, was the "failed" results and the warnings of the
sha512sum  command.

THANKS AGAIN for the clarification!!!  :-)
G.



* Re: [gentoo-user] ISO verification question.
  2020-12-24  2:29   ` Γιώργος Κωστόπουλος
@ 2020-12-24  7:31     ` bobwxc
  2020-12-24 12:36       ` David Haller
  2020-12-24 10:36     ` Michael
  1 sibling, 1 reply; 6+ messages in thread
From: bobwxc @ 2020-12-24  7:31 UTC (permalink / raw
  To: gentoo-user



On 2020/12/24 at 10:29 a.m., Γιώργος Κωστόπουλος wrote:
> On Thu, 24 Dec 2020 at 2:34 a.m., Michael
> <confabulate@kintzios.com> wrote:
>> Hi Γιώργος,
>>
>> On Wednesday, 23 December 2020 20:00:28 GMT Γιώργος Κωστόπουλος wrote:
>>> Hi!  :-)
>>>
>>> I just downloaded the minimal installation ISO and I was trying the
>>> verification instructions.
>>> I admit that I'm not any kind of gpg expert, so the results are
>>> somewhat confusing to me.
>>> Can someone shed some light on them?
>>>
>>> Here's console's output:
>>>> gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
>>> gpg: Signature made Tue Dec 22 17:01:06 2020 EET
>>> gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
>>> gpg: Good signature from "Gentoo Linux Release Engineering (Automated
>>> Weekly Release Key) <releng@gentoo.org>" [unknown]
>> This is telling you the 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc'
>> file, which contains hashes of the various files listed in it, has a valid
>> signature - i.e. the hashes of these files have not been tampered with and they
>> have been signed by the owner of the Gentoo Release Engineering key.
>>
>> Have a look here for the published developer keys:
>>
>> https://wiki.gentoo.org/wiki/Project:RelEng
>>
>>
>>> gpg: WARNING: This key is not certified with a trusted signature!
>> This is telling you the above public key has not been marked as trusted in
>> your own gpg keyring.
>>
>>
>>> gpg:          There is no indication that the signature belongs to the
>>> owner.
>> This is to be expected, unless you have checked the fingerprint of the
>> imported key yourself against the keys published in the URL I provided above
>> and thereafter edited the key's level of trust to mark it as trusted in your
>> gpg keyring;  e.g. you'd need to run:
>>
>> gpg --edit-key <KEY ID>
>>
>> and follow the options available for this gpg subcommand to edit the key's
>> trust level.  This is not necessary for a key you'll only use once, as long as
>> you satisfy yourself the key fingerprint below matches what is published on
>> the RelEng project page.
>>
>>
>>> Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
>>>     Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D
>>> gpg: WARNING: not a detached signature; file
>>> 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
>>>
>>> and:
>>>> sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
>>> install-amd64-minimal-20201222T005811Z.iso: OK
>>> install-amd64-minimal-20201222T005811Z.iso: FAILED
>>> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
>>> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
>>> sha512sum: WARNING: 14 lines are improperly formatted
>>> sha512sum: WARNING: 2 computed checksums did NOT match
>>>
>>>
>>> TIA!  :-)
>>> Giorgos.
>>> .
>> So the above output checked the sha512 hashes of all listed files and found
>> some to be correct - you can use 'install-amd64-minimal-20201222T005811Z.iso'
>> for your installation.  The failed checks above refer to a different hash e.g.
>> sha256.
>>
>> HTH.
> THANKS Michael for your help!!!
>
> What confused me, was the "failed" results and the warnings of the
> sha512sum  command.
>
> THANKS AGAIN for the clarification!!!  :-)
> G.
The handbook said,

With the cryptographic signature validated, next verify the checksum to
make sure the downloaded ISO file is not corrupted. The .DIGESTS.asc file
contains multiple hashing algorithms, so one of the methods to validate
the right one is to first look at the checksum registered in
the .DIGESTS.asc file. For instance, to get the SHA512 checksum:

user $ grep -A 1 -i sha512 install-amd64-minimal-20141204.iso.DIGESTS.asc

# SHA512 HASH
364d32c4f8420605f8a9fa3a0fc55864d5b0d1af11aa62b7a4d4699a427e5144b2d918225dfb7c5dec8d3f0fe2cddb7cc306da6f0cef4f01abec33eec74f3024  install-amd64-minimal-20141204.iso
--
# SHA512 HASH
0719a8954dc7432750de2e3076c8b843a2c79f5e60defe43fcca8c32ab26681dfb9898b102e211174a895ff4c8c41ddd9e9a00ad6434d36c68d74bd02f19b57f  install-amd64-minimal-20141204.iso.CONTENTS

In the above output, two SHA512 checksums are shown - one for
the install-amd64-minimal-20141204.iso file and one for its
accompanying .CONTENTS file. Only the first checksum is of interest, as it
needs to be compared with the calculated SHA512 checksum which can be
generated as follows:

user $ sha512sum install-amd64-minimal-20141204.iso

364d32c4f8420605f8a9fa3a0fc55864d5b0d1af11aa62b7a4d4699a427e5144b2d918225dfb7c5dec8d3f0fe2cddb7cc306da6f0cef4f01abec33eec74f3024  install-amd64-minimal-20141204.iso

As both checksums match, the file is not corrupted and the installation 
can continue.


You just missed grepping the sha512 hash from the file :-)
so you got some results from unrelated lines.

-- 
bobwxc




* Re: [gentoo-user] ISO verification question.
  2020-12-24  2:29   ` Γιώργος Κωστόπουλος
  2020-12-24  7:31     ` bobwxc
@ 2020-12-24 10:36     ` Michael
  1 sibling, 0 replies; 6+ messages in thread
From: Michael @ 2020-12-24 10:36 UTC (permalink / raw
  To: gentoo-user


On Thursday, 24 December 2020 02:29:51 GMT Γιώργος Κωστόπουλος wrote:

> THANKS Michael for your help!!!
> 
> What confused me, was the "failed" results and the warnings of the
> sha512sum  command.
> 
> THANKS AGAIN for the clarification!!!  :-)
> G.

You're welcome.

The command 'sha512sum -c' you ran succeeded in checking any sha512 hashes in 
the file and reported "OK".  I just had a look at the contents of this file. 
The other lines, for which the sha512 check reports a "FAILED" warning use the 
whirlpool hash.  To check the whirlpool hashes of the files you can run:

whirlpool-hash -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc

The lines containing the sha512 hashes will now show "FAILED".  If you want to 
check all hashes in one go, you can use the rhash (Recursive  Hasher) command:

rhash -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc


* Re: [gentoo-user] ISO verification question.
  2020-12-24  7:31     ` bobwxc
@ 2020-12-24 12:36       ` David Haller
  0 siblings, 0 replies; 6+ messages in thread
From: David Haller @ 2020-12-24 12:36 UTC (permalink / raw
  To: gentoo-user

Hello,

On Thu, 24 Dec 2020, bobwxc wrote:
>With the cryptographic signature validated, next verify the checksum to make
>sure the downloaded ISO file is not corrupted. The .DIGESTS.asc file contains
>multiple hashing algorithms, so one of the methods to validate the right one
>is to first look at the checksum registered in the .DIGESTS.asc file. For
>instance, to get the SHA512 checksum:
>
>user $ grep -A 1 -i sha512 install-amd64-minimal-20141204.iso.DIGESTS.asc
[..]
>As both checksums match, the file is not corrupted and the installation can
>continue.

It's easier not to compare manually:

$ grep -A1 SHA512 install-....iso.DIGESTS | sha512sum -c -

Analogously for whirlpool:

$ grep -A1 WHIRLPOOL install-....iso.DIGESTS | whirlpool-hash -c -

HTH,
-dnh

-- 
To resist the influence of others, knowledge of one's self is
most important.   -- Teal'C, Stargate SG-1, 9x14 - Stronghold
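
The per-algorithm selection discussed in this thread, as an added example that is not part of any message or of the Gentoo handbook: a WHIRLPOOL digest is also 128 hex digits, so `sha512sum -c` on the whole file parses that line as a SHA512 entry and reports FAILED, while selecting by the `# SHA512 HASH` header checks only the intended lines. The function names, `sample.iso` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; all files are constructed, not the real Gentoo DIGESTS.

# Print the checksum line that follows each "# <ALGO> HASH" comment.
# $1 = algorithm name as written in the header, $2 = DIGESTS file
digest_lines() {
    awk -v algo="$1" '
        $0 == "# " algo " HASH" { want = 1; next }  # header of the wanted section
        want { print; want = 0 }                    # the one line after it
    ' "$2"
}

# Check only the SHA512 entries, relative to the directory of the DIGESTS file.
# GNU sha512sum exits non-zero on a mismatch and when given no usable lines.
verify_sha512() {
    ( cd "$(dirname "$1")" &&
      digest_lines SHA512 "$(basename "$1")" | sha512sum -c - >/dev/null 2>&1 )
}

# What the thread's first message did: feed the whole file to sha512sum -c.
raw_check() {
    ( cd "$(dirname "$1")" && sha512sum -c "$(basename "$1")" >/dev/null 2>&1 )
}

# Build a constructed sample: one payload plus a clearsigned-style DIGESTS file.
make_sample() {
    dir=$(mktemp -d) || return 1
    printf 'constructed iso payload\n' > "$dir/sample.iso"
    sha=$(cd "$dir" && sha512sum sample.iso)
    fake=$(printf '%0128d' 0)   # 128 hex digits standing in for a WHIRLPOOL digest
    {
        echo '-----BEGIN PGP SIGNED MESSAGE-----'
        echo 'Hash: SHA512'
        echo
        echo '# SHA512 HASH'
        echo "$sha"
        echo '# WHIRLPOOL HASH'
        echo "$fake  sample.iso"
        echo '-----BEGIN PGP SIGNATURE-----'
        echo '(constructed placeholder, not a real signature)'
        echo '-----END PGP SIGNATURE-----'
    } > "$dir/sample.iso.DIGESTS.asc"
    echo "$dir"
}

d=$(make_sample)
raw_check "$d/sample.iso.DIGESTS.asc" || echo "whole file: FAILED (WHIRLPOOL line parsed as SHA512)"
verify_sha512 "$d/sample.iso.DIGESTS.asc" && echo "SHA512 section only: OK"
rm -rf "$d"
```

The functions read the file as plain text, so they do not replace the `gpg --verify` step shown at the start of the thread.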

