Re: [gentoo-user] ISO verification question.

["Γιώργος Κωστόπουλος" <giorgosk67@gmail.com>]

Στις Πέμ, 24 Δεκ 2020 στις 2:34 π.μ., ο/η Michael
<confabulate@kintzios.com> έγραψε:
>
> Hi Γιώργος,
>
> On Wednesday, 23 December 2020 20:00:28 GMT Γιώργος Κωστόπουλος wrote:
> > Hi!  :-)
> >
> > I just downloaded the minimal installation ISO and I was trying the
> > verification instructions.
> > I admit that I'm not any kind of gpg expert, so the results are
> > somewhat confusing to me.
> > Can someone shed some light on them?
> >
> > Here's console's output:
> > >gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> >
> > gpg: Signature made Tue Dec 22 17:01:06 2020 EET
> > gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
> > gpg: Good signature from "Gentoo Linux Release Engineering (Automated
> > Weekly Release Key) <releng@gentoo.org>" [unknown]
>
> This is telling you the 'install-amd64-
> minimal-20201222T005811Z.iso.DIGESTS.asc' file which contains hashes of the
> various files listed in it, has a valid signature - i.e. the hashes of these
> files have not been tampered with and they have been signed by the owner of
> the Gentoo Release Engineering key.
>
> Have a look here for the published developer keys:
>
> https://wiki.gentoo.org/wiki/Project:RelEng
>
>
> > gpg: WARNING: This key is not certified with a trusted signature!
>
> This is telling you the above public key has not been marked as trusted in
> your own gpg keyring.
>
>
> > gpg:          There is no indication that the signature belongs to the
> > owner.
>
> This is to be expected, unless you have checked the fingerprint of the
> imported key yourself against the keys published in the URL I provided above
> and thereafter edited the key's level of trust to mark it as trusted in your
> gpg keyring;  e.g. you'd need to run:
>
> gpg --edit-key <KEY ID>
>
> and follow the options available for this gpg subcommand to edit the key's
> trust level.  This is not necessary for a key you'll only use once, as long as
> you satisfy yourself the key fingerprint below matches what is published on
> the RelEng project page.
>
>
> > Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E
> > 2D18 2910 Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6
> > 043D gpg: WARNING: not a detached signature; file
> > 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
> >
> > and:
> > >sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> >
> > install-amd64-minimal-20201222T005811Z.iso: OK
> > install-amd64-minimal-20201222T005811Z.iso: FAILED
> > install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
> > install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
> > sha512sum: WARNING: 14 lines are improperly formatted
> > sha512sum: WARNING: 2 computed checksums did NOT match
> >
> >
> > TIA!  :-)
> > Giorgos.
> > .
>
> So the above output checked the sha512 hashes of all listed files and found
> some to be correct - you can use 'install-amd64-minimal-20201222T005811Z.iso'
> for your installation.  The failed checks above refer to a different hash e.g.
> sha256.
>
> HTH.

THANKS Michael for your help!!!

What confused me, was the "failed" results and the warnings of the
sha512sum  command.

THANKS AGAIN for the clarification!!!  :-)
G.