How to verify iso image on windows, using gpg/gpa


Postby theyear1994 » 2020-03-25 09:27

Hello.

I'm having some difficulty verifying the ISO image using the gpg/gpa key manager. I tried to find a concise guide on how to do it, but it's all vague. I found a guide on YouTube that showed how to verify the ISO image using the gpg/gpa key manager, but when I try to retrieve the keys, it can't find any.

When I try to verify using gpg:

Code:
gpg --verify SHA512SUM.sig SHA512SUM.txt


This is the output I get:

Code:
gpg: Signature made 02/09/20 02:01:10 GMT Standard Time
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key


Could someone help me figure this out?

Thank you.

Re: How to verify iso image on windows, using gpg/gpa

Postby Bloom » 2020-03-25 09:42

You should use sha512sum:
Code:
sha512sum -c sigfile

OR
Code:
sha512sum isofile

to generate a sha512 checksum for an ISO which you can compare with the key given on the website or in a text file.

Re: How to verify iso image on windows, using gpg/gpa

Postby theyear1994 » 2020-03-25 11:05

Bloom wrote: You should use sha512sum:
Code:
sha512sum -c sigfile

OR
Code:
sha512sum isofile

to generate a sha512 checksum for an ISO which you can compare with the key given on the website or in a text file.


Hi.
Can you walk me through what I should do?

Re: How to verify iso image on windows, using gpg/gpa

Postby Bloom » 2020-03-25 11:46

First determine which key to use to check the digital signature.
Code:
gpg --verify SHA512SUM.sig

That produces the error you already specified:
Code:
gpg: Signature made 02/09/20 02:01:10 GMT Standard Time
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key

You need to copy the string behind 'RSA key' to your clipboard. Then you can fetch the proper key for that key ID:
Code:
gpg --keyserver keyring.debian.org --recv DF9B9C49EAA9298432589D76DA87E80D6294BE9B

You should get a confirmation message that the proper key has been imported.
Now you can check the validity of the signature file and of the ISO key file:
Code:
gpg --verify SHA512SUMS.sign SHA512SUMS

This should report that the digital signature is valid and uncompromised. Furthermore, it should report that the contents of the SHA512SUMS file are also uncompromised and valid.
It looks a bit like this (the following doesn't show YOUR key ID but another digital fingerprint; yours should look like this, but with the proper values):
Code:
gpg: Signature made wo 25 mrt 2020 10:31:37 CET
gpg:                using RSA key F41D30342F3546695F65C66942468F4009EA8AC3
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3

Now, you are ready to check the validity of the ISO file you downloaded:
Code:
sha512sum -c SHA512SUMS

This assumes that the downloaded iso is in the same directory and has the same name as is in the SHA512SUMS file. If it is not, rename the file to match. DO NOT EDIT the SHA512SUMS file as it will no longer be uncompromised then.
The program will take a while to read the entire ISO file and compute the key.
It should return with the name of your ISO file followed by "good" if both signature keys match or "bad" if there is a mismatch. In the latter case, DO NOT use that ISO.

Re: How to verify iso image on windows, using gpg/gpa

Postby theyear1994 » 2020-03-25 14:49

Bloom wrote: First determine which key to use to check the digital signature. [...]

Hi.
Thank you for the clear explanation. I just have an issue on the last part...

Code:
sha512sum -c SHA512SUM


I get an error "sha512sum term is not recognised". Am I supposed to enter and run this command in PowerShell?

Thank you.

Re: How to verify iso image on windows, using gpg/gpa

Postby Head_on_a_Stick » 2020-03-25 16:50

theyear1994 wrote:
Code:
sha512sum -c SHA512SUM


I get an error "sha512sum term is not recognised". Am I supposed to enter and run this command in PowerShell?

Replace SHA512SUM with the name of the actual sum file.

Re: How to verify iso image on windows, using gpg/gpa

Postby Bloom » 2020-03-25 17:29

The instructions are for Linux and not for Windows.
SHA512SUM is the name of the checksum file for a Debian iso file.
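The thread stops at "the instructions are for Linux": sha512sum is a GNU coreutils command, so on Windows the same check has to be done another way. The script below is an added example, not code from the thread or from Debian's tooling: it does what `sha512sum -c SHA512SUMS` does, and it classifies gpg's machine-readable status output (the `--status-fd` lines) so that the signing key's fingerprint is compared against the one published by Debian rather than trusting "Good signature" on its own. The image bytes, the SHA512SUMS text, the file name and the status lines are constructed for the example; the fingerprint is the one quoted in the thread.

```python
import hashlib
import re

# Constructed sample data, not files from a Debian mirror: a tiny "ISO" and a
# SHA512SUMS file in the format Debian publishes ("<hex digest>  <filename>").
IMAGES = {"debian-example-amd64-netinst.iso": b"constructed image contents\n"}
SUMS_TEXT = "".join(f"{hashlib.sha512(d).hexdigest()}  {n}\n" for n, d in IMAGES.items())

def parse_sums(text):
    """Map filename -> hex digest; accepts the optional '*' binary-mode marker."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{128})\s+\*?(.+)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def verify_images(sums_text, images):
    """Like `sha512sum -c SHA512SUMS`; `images` maps filename -> bytes (hash real ISOs in chunks)."""
    result = {}
    for name, expected in parse_sums(sums_text).items():
        if name not in images:
            result[name] = "MISSING"   # file absent or named differently than in SHA512SUMS
        else:
            actual = hashlib.sha512(images[name]).hexdigest()
            result[name] = "OK" if actual == expected else "FAILED"
    return result

# Constructed status lines in the shape gpg emits for
#   gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS
# (fingerprint taken from the thread; the timestamps are made up).
STATUS_GOOD = (
    "[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2020-02-09 1581213670 0 4 0 1 10 00 "
    "DF9B9C49EAA9298432589D76DA87E80D6294BE9B\n"
)

def signature_status(status_text, expected_fingerprint):
    """'Good signature' only proves a match with some imported key; the fingerprint ties it to Debian."""
    want = expected_fingerprint.replace(" ", "").upper()
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] == "NO_PUBKEY":
            return "no_pubkey"    # import the key first (gpg --keyserver ... --recv-keys ...)
        if f[1] == "BADSIG":
            return "bad"          # SHA512SUMS or its .sign file was altered
        if f[1] == "VALIDSIG":
            return "valid" if want in (f[2].upper(), f[-1].upper()) else "wrong_key"
    return "unverified"
```

If you would rather compare by hand, PowerShell's built-in `Get-FileHash -Algorithm SHA512` computes the same digest that the SHA512SUMS line must match.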
