* [gentoo-user] ISO verification question.
From: Γιώργος Κωστόπουλος @ 2020-12-23 20:00 UTC
To: gentoo-user
Hi! :-)
I just downloaded the minimal installation ISO and I was trying the
verification instructions.
I admit that I'm not any kind of gpg expert, so the results are
somewhat confusing to me.
Can someone shed some light on them?
Here's console's output:
>gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
gpg: Signature made Tue Dec 22 17:01:06 2020 EET
gpg: using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
gpg: Good signature from "Gentoo Linux Release Engineering (Automated
Weekly Release Key) <releng@gentoo.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
Subkey fingerprint: 534E 4209 AB49 EEE1 C19D 9616 2C44 695D B9F6 043D
gpg: WARNING: not a detached signature; file
'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
>
and:
>sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
install-amd64-minimal-20201222T005811Z.iso: OK
install-amd64-minimal-20201222T005811Z.iso: FAILED
install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
sha512sum: WARNING: 14 lines are improperly formatted
sha512sum: WARNING: 2 computed checksums did NOT match
>
TIA! :-)
Giorgos.
.
* Re: [gentoo-user] ISO verification question.
From: Michael @ 2020-12-24 0:34 UTC
To: gentoo-user
Hi Γιώργος,
On Wednesday, 23 December 2020 20:00:28 GMT Γιώργος Κωστόπουλος wrote:
> Hi! :-)
>
> I just downloaded the minimal installation ISO and I was trying the
> verification instructions.
> I admit that I'm not any kind of gpg expert, so the results are
> somewhat confusing to me.
> Can someone shed some light on them?
>
> Here's console's output:
> >gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
>
> gpg: Signature made Tue Dec 22 17:01:06 2020 EET
> gpg: using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
> gpg: Good signature from "Gentoo Linux Release Engineering (Automated
> Weekly Release Key) <releng@gentoo.org>" [unknown]
This is telling you the 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc'
file which contains hashes of the
various files listed in it, has a valid signature - i.e. the hashes of these
files have not been tampered with and they have been signed by the owner of
the Gentoo Release Engineering key.
Have a look here for the published developer keys:
https://wiki.gentoo.org/wiki/Project:RelEng
> gpg: WARNING: This key is not certified with a trusted signature!
This is telling you the above public key has not been marked as trusted in
your own gpg keyring.
> gpg: There is no indication that the signature belongs to the
> owner.
This is to be expected, unless you have checked the fingerprint of the
imported key yourself against the keys published in the URL I provided above
and thereafter edited the key's level of trust to mark it as trusted in your
gpg keyring; e.g. you'd need to run:
gpg --edit-key <KEY ID>
and follow the options available for this gpg subcommand to edit the key's
trust level. This is not necessary for a key you'll only use once, as long as
you satisfy yourself the key fingerprint below matches what is published on
the RelEng project page.
> Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
> Subkey fingerprint: 534E 4209 AB49 EEE1 C19D 9616 2C44 695D B9F6 043D
> gpg: WARNING: not a detached signature; file
> 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
>
> and:
> >sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
>
> install-amd64-minimal-20201222T005811Z.iso: OK
> install-amd64-minimal-20201222T005811Z.iso: FAILED
> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
> sha512sum: WARNING: 14 lines are improperly formatted
> sha512sum: WARNING: 2 computed checksums did NOT match
>
>
> TIA! :-)
> Giorgos.
> .
So the above output checked the sha512 hashes of all listed files and found
some to be correct - you can use 'install-amd64-minimal-20201222T005811Z.iso'
for your installation. The failed checks above refer to a different hash e.g.
sha256.
HTH.
* Re: [gentoo-user] ISO verification question.
From: Γιώργος Κωστόπουλος @ 2020-12-24 2:29 UTC
To: gentoo-user
THANKS Michael for your help!!!
What confused me, was the "failed" results and the warnings of the
sha512sum command.
THANKS AGAIN for the clarification!!! :-)
G.
* Re: [gentoo-user] ISO verification question.
From: bobwxc @ 2020-12-24 7:31 UTC
To: gentoo-user
The handbook said,
With the cryptographic signature validated, next verify the checksum to
make sure the downloaded ISO file is not corrupted. The .DIGESTS.asc file
contains multiple hashing algorithms, so one of the methods to validate
the right one is to first look at the checksum registered in
the .DIGESTS.asc file. For instance, to get the SHA512 checksum:
user $ grep -A 1 -i sha512 install-amd64-minimal-20141204.iso.DIGESTS.asc
# SHA512 HASH
364d32c4f8420605f8a9fa3a0fc55864d5b0d1af11aa62b7a4d4699a427e5144b2d918225dfb7c5dec8d3f0fe2cddb7cc306da6f0cef4f01abec33eec74f3024 install-amd64-minimal-20141204.iso
--
# SHA512 HASH
0719a8954dc7432750de2e3076c8b843a2c79f5e60defe43fcca8c32ab26681dfb9898b102e211174a895ff4c8c41ddd9e9a00ad6434d36c68d74bd02f19b57f install-amd64-minimal-20141204.iso.CONTENTS
In the above output, two SHA512 checksums are shown - one for
the install-amd64-minimal-20141204.iso file and one for its
accompanying .CONTENTS file. Only the first checksum is of interest, as it
needs to be compared with the calculated SHA512 checksum which can be
generated as follows:
user $ sha512sum install-amd64-minimal-20141204.iso
364d32c4f8420605f8a9fa3a0fc55864d5b0d1af11aa62b7a4d4699a427e5144b2d918225dfb7c5dec8d3f0fe2cddb7cc306da6f0cef4f01abec33eec74f3024 install-amd64-minimal-20141204.iso
As both checksums match, the file is not corrupted and the installation
can continue.
You just missed grepping the sha512 hash from the file :-)
so you got some results from unrelated lines.
--
bobwxc
* Re: [gentoo-user] ISO verification question.
From: Michael @ 2020-12-24 10:36 UTC
To: gentoo-user
On Thursday, 24 December 2020 02:29:51 GMT Γιώργος Κωστόπουλος wrote:
> THANKS Michael for your help!!!
>
> What confused me, was the "failed" results and the warnings of the
> sha512sum command.
>
> THANKS AGAIN for the clarification!!! :-)
> G.
You're welcome.
The command 'sha512sum -c' you ran succeeded in checking any sha512 hashes in
the file and reported "OK". I just had a look at the contents of this file.
The other lines, for which the sha512 check reports a "FAILED" warning use the
whirlpool hash. To check the whirlpool hashes of the files you can run:
whirlpool-hash -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
The lines containing the sha512 hashes will now show "FAILED". If you want to
check all hashes in one go, you can use the rhash (Recursive Hasher) command:
rhash -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
* Re: [gentoo-user] ISO verification question.
From: David Haller @ 2020-12-24 12:36 UTC
To: gentoo-user
Hello,
On Thu, 24 Dec 2020, bobwxc wrote:
>With the cryptographic signature validated, next verify the checksum to make
>sure the downloaded ISO file is not corrupted. The .DIGESTS.asc file contains
>multiple hashing algorithms, so one of the methods to validate the right one
>is to first look at the checksum registered in the .DIGESTS.asc file. For
>instance, to get the SHA512 checksum:
>
>user $ grep -A 1 -i sha512 install-amd64-minimal-20141204.iso.DIGESTS.asc
[..]
>As both checksums match, the file is not corrupted and the installation can
>continue.
It's easier not to compare manually:
$ grep -A1 SHA512 install-....iso.DIGESTS | sha512sum -c -
Analogous for whirlpool:
$ grep -A1 WHIRLPOOL install-....iso.DIGESTS | whirlpool-hash -c -
HTH,
-dnh
--
To resist the influence of others, knowledge of one's self is
most important. -- Teal'C, Stargate SG-1, 9x14 - Stronghold
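
An added example, not part of any message in this thread: a shell version of the filtering discussed above, showing that a WHIRLPOOL line is 128 hex digits like a SHA512 line (so `sha512sum -c` on the whole file parses it and reports FAILED) and that selecting only the lines after `# SHA512 HASH` avoids this. The function names and the demo.iso data are constructed for illustration; the hashes are only as trustworthy as the gpg check of the file they are read from.

```sh
#!/bin/sh
# Added example on constructed data; function names are illustrative.

# Print the checksum line that follows each "# ALGO HASH" comment, dropping
# the PGP armor, blank lines and the other algorithms' entries.
select_digests() {
    awk -v algo="$1" '
        $0 == ("# " algo " HASH") { want = 1; next }
        want { print; want = 0 }
    ' "$2"
}

# Check only the SHA512 entries, from the directory holding the DIGESTS
# file so the relative file names inside it resolve.
verify_sha512() {
    ( cd "$(dirname "$1")" &&
      select_digests SHA512 "$(basename "$1")" | sha512sum -c - )
}

# Build a constructed DIGESTS.asc-shaped file in a temp dir and print its path.
make_demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample image\n' > "$d/demo.iso"
    sum=$(cd "$d" && sha512sum demo.iso) || return 1
    {
        echo '-----BEGIN PGP SIGNED MESSAGE-----'
        echo 'Hash: SHA512'
        echo
        echo '# SHA512 HASH'
        echo "$sum"
        echo '# WHIRLPOOL HASH'
        # Placeholder digest: 128 hex digits like a real WHIRLPOOL value, so
        # sha512sum parses the line as a checksum and reports FAILED for it.
        printf '%0128d  demo.iso\n' 0
        echo '-----BEGIN PGP SIGNATURE-----'
        echo '(constructed placeholder, not a real signature)'
        echo '-----END PGP SIGNATURE-----'
    } > "$d/demo.iso.DIGESTS.asc"
    echo "$d"
}

demo_dir=$(make_demo) || exit 1
verify_sha512 "$demo_dir/demo.iso.DIGESTS.asc"   # SHA512 entry only
rm -rf "$demo_dir"
```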