How to verify iso image on windows, using gpg/gpa

theyear1994
Posts: 3
Joined: 2020-03-25 08:17

How to verify iso image on windows, using gpg/gpa

#1 Post by theyear1994 »

Hello.

I'm having some difficulty verifying the ISO image using the gpg/gpa key manager. I tried to find a concise guide on how to do it, but it's all vague. I found a guide on YouTube which showed how to verify the ISO image using the gpg/gpa key manager, but when I try to retrieve the keys, it can't find any.

When I try to verify using gpg:

Code:
gpg --verify SHA512SUM.sig SHA512SUM.txt
This is the output I get:

Code:
gpg: Signature made 02/09/20 02:01:10 GMT Standard Time
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key
Could someone help me figure this out?

Thank you.

Bloom
df -h | grep > 90TiB
Posts: 504
Joined: 2017-11-11 12:23
Been thanked: 26 times

Re: How to verify iso image on windows, using gpg/gpa

#2 Post by Bloom »

You should use sha512sum:

Code:
sha512sum -c sigfile
OR

Code:
sha512sum isofile
to generate a sha512 checksum for an ISO which you can compare with the key given on the website or in a text file.

theyear1994
Posts: 3
Joined: 2020-03-25 08:17

Re: How to verify iso image on windows, using gpg/gpa

#3 Post by theyear1994 »

Bloom wrote:You should use sha512sum:

Code:
sha512sum -c sigfile
OR

Code:
sha512sum isofile
to generate a sha512 checksum for an ISO which you can compare with the key given on the website or in a text file.
Hi.
Can you walk me through on what I should do?

Bloom
df -h | grep > 90TiB
Posts: 504
Joined: 2017-11-11 12:23
Been thanked: 26 times

Re: How to verify iso image on windows, using gpg/gpa

#4 Post by Bloom »

First determine which key to use to check the digital signature.

Code:
gpg --verify SHA512SUM.sig
That produces the error you already specified:

Code:
gpg: Signature made 02/09/20 02:01:10 GMT Standard Time
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key
You need to copy the string behind 'RSA key' to your clipboard. Then you can fetch the proper key for that key ID:

Code:
gpg --keyserver keyring.debian.org --recv DF9B9C49EAA9298432589D76DA87E80D6294BE9B
You should get a confirmation message that the proper key has been imported.
Now you can check the validity of the signature file and of the ISO key file:

Code:
gpg --verify SHA512SUMS.sign SHA512SUMS
This should report that the digital signature is valid and uncompromised. Furthermore, it should report that the contents of the SHA512SUMS file are also uncompromised and valid.
It looks a bit like this (the following doesn't show YOUR key ID but another digital fingerprint; yours should look like this, but with the proper values):

Code:
gpg: Signature made wo 25 mrt 2020 10:31:37 CET
gpg:                using RSA key F41D30342F3546695F65C66942468F4009EA8AC3
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3
Now, you are ready to check the validity of the ISO file you downloaded:

Code:
sha512sum -c SHA512SUMS
This assumes that the downloaded iso is in the same directory and has the same name as is in the SHA512SUMS file. If it is not, rename the file to match. DO NOT EDIT the SHA512SUMS file as it will no longer be uncompromised then.
The program will take a while to read the entire ISO file and compute the key.
It should return with the name of your ISO file followed by "good" if both signature keys match or "bad" if there is a mismatch. In the latter case, DO NOT use that ISO.

theyear1994
Posts: 3
Joined: 2020-03-25 08:17

Re: How to verify iso image on windows, using gpg/gpa

#5 Post by theyear1994 »

Bloom wrote:First determine which key to use to check the digital signature. [...]
Hi.
Thank you for clear explanation. I just have an issue on the last part...

Code:
sha512sum -c SHA512SUM
I get an error "sha512sum term is not recognised". Am I supposed to enter and run this command in PowerShell?

Thank you.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: How to verify iso image on windows, using gpg/gpa

#6 Post by Head_on_a_Stick »

theyear1994 wrote:

Code:
sha512sum -c SHA512SUM
I get an error "sha512sum term is not recognised". Am I supposed to enter and run this command in PowerShell?
Replace SHA512SUM with the name of the actual sum file.
deadbang

Bloom
df -h | grep > 90TiB
Posts: 504
Joined: 2017-11-11 12:23
Been thanked: 26 times

Re: How to verify iso image on windows, using gpg/gpa

#7 Post by Bloom »

The instructions are for Linux and not for Windows.
SHA512SUM is the name of the checksum file for a Debian iso file.
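Bloom's walkthrough in #4 relies on the coreutils `sha512sum`, which is why the command is not recognised in theyear1994's PowerShell session in #5 and why Bloom notes in #7 that the steps are for Linux. The script below is an added example, written for this page and not code from Debian or from anyone in this thread. It does on Windows (or any OS with Python 3) what `sha512sum -c SHA512SUMS` does, and it is stricter about the gpg step than reading "Good signature" by eye: it parses gpg's machine-readable status lines and accepts the signature only if the primary-key fingerprint matches one you pinned in advance, since a keyserver will happily hand back a key for any key ID and the `[unknown]` / "not certified" warning in Bloom's output is gpg telling you it has no idea who owns that key. Assumptions: `gpg` is on PATH (Gpg4win provides it on Windows); the files are named `SHA512SUMS` and `SHA512SUMS.sign` as in Bloom's post; the `EXPECTED_FINGERPRINT` constant is copied from Bloom's sample output for illustration only, and you should replace it with the fingerprint Debian publishes on its verification page (https://www.debian.org/CD/verify) for the image you downloaded. The status-line format follows GnuPG's doc/DETAILS; `run_gpg_verify` is the only part that talks to gpg, everything else runs offline.

```python
"""Windows-friendly stand-in for `sha512sum -c SHA512SUMS`, plus a stricter reading of
gpg's verdict. Added example for this thread, not Debian's tooling."""
import hashlib
import hmac
import re
import subprocess
from pathlib import Path

# Replace with the fingerprint Debian publishes (https://www.debian.org/CD/verify).
# This value is copied from Bloom's sample output earlier in the thread (assumption).
EXPECTED_FINGERPRINT = "F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3"

# One SHA512SUMS line: 128 hex chars, whitespace, optional '*' (binary mode), file name.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{128})\s+\*?(\S.*)$")


def _norm_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def signature_is_good(status_output: str, expected_fpr: str = EXPECTED_FINGERPRINT) -> bool:
    """Judge the output of `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS`.

    GOODSIG only proves the file was signed by *some* key in your keyring, and the
    keyserver gave you whatever key matched the ID in the signature. We therefore
    require a VALIDSIG line whose primary-key fingerprint equals the pinned one.
    """
    valid_primary = None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False
        if tag == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; with the full 10-argument
            # form the last field is the primary-key fingerprint (gnupg doc/DETAILS).
            valid_primary = fields[-1] if len(fields) >= 12 else fields[2]
    if valid_primary is None:
        return False
    return hmac.compare_digest(_norm_fpr(valid_primary), _norm_fpr(expected_fpr))


def run_gpg_verify(sig_file: str, sums_file: str) -> bool:
    """Live path (needs gpg installed): ask gpg for status lines and judge them."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_file, sums_file],
        capture_output=True, text=True, check=False,
    )
    return signature_is_good(proc.stdout)


def parse_sums(sums_text: str) -> dict:
    """Map file name -> expected hex digest from the text of SHA512SUMS."""
    sums = {}
    for line in sums_text.splitlines():
        m = SUMS_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha512_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the ISO through SHA-512 in 1 MiB chunks (it will not fit in memory)."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iso_matches(sums_text: str, iso_path) -> bool:
    """Equivalent of `sha512sum -c` for one file. The ISO is looked up by its file
    name, so rename the ISO to match SHA512SUMS, never edit SHA512SUMS itself
    (that would invalidate the signature you just checked)."""
    iso_path = Path(iso_path)
    expected = parse_sums(sums_text).get(iso_path.name)
    if expected is None:
        raise KeyError(f"{iso_path.name} is not listed in SHA512SUMS")
    return hmac.compare_digest(sha512_of_file(iso_path), expected)


if __name__ == "__main__":
    import sys
    sig, sums, iso = sys.argv[1:4]
    ok_sig = run_gpg_verify(sig, sums)
    # Only bother hashing the ISO if the checksum file itself is trustworthy.
    ok_iso = ok_sig and iso_matches(Path(sums).read_text(), iso)
    print("signature:", "OK" if ok_sig else "FAILED", "| iso:", "OK" if ok_iso else "FAILED")
    sys.exit(0 if ok_iso else 1)
```

Run it from the directory holding the three files, for example `python verify_iso.py SHA512SUMS.sign SHA512SUMS <name-of-iso>`; the ISO name must be exactly the one listed inside SHA512SUMS. The order matters: the signature is checked first, and the ISO hash is only compared once the checksum file is known to be signed by the pinned key, because a matching checksum from an unsigned or wrongly-signed SHA512SUMS proves nothing.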
