Issue finding pgp signing key for Debian 11
-
- Posts: 4
- Joined: 2021-09-16 20:11
- Has thanked: 4 times
Issue finding pgp signing key for Debian 11
Hello all, this is my first post! I'm happy to meet you all and thanks for all the help in advance. I hope to one day help others as others have helped me.
I'm currently on Windows 10 and using Kleopatra to verify the Debian 11 iso.
I've just downloaded the amd64 iso.
I've copied the signature listed on the website next to the download and saved it in the same directory as the iso as "debian-11.0.0-amd64-netinst.iso.asc"
I don't have the developers public key. (I have no idea where to find it and I've been searching but my google-fu is weak.)
I tried to verify the iso anyway and got the following output:
Verified 'debian-11.0.0-amd64-netinst.iso' with 'debian-11.0.0-amd64-netinst.iso.asc':
The data could not be verified.
Signature created on Saturday, August 14, 2021 4:22:04 PM
With unavailable certificate:
ID: 0xDA87E80D6294BE9B
You can search the certificate on a keyserver or import it from a file.
I then clicked "Search" to search the keyserver for the appropriate key. This failed.
I then googled and found the following website to search for the key. https://db.debian.org/
Searching for 0xDA87E80D6294BE9B, DA87E80D6294BE9B, or DA87 E80D 6294 BE9B did not return any results.
Please help me figure out how to identify who the developer who signed the Debian 11 iso is and how to locate their public key so I can verify my iso before I install it.
Thanks again in advance for the help.
Re: Issue finding pgp signing key for Debian 11
Hi
Let me offer a simple way (hopefully)
first go back to the original download site if you can remember it.
I do not know which one you used so give a mirror Australian site as an example
http://debian.mirror.digitalpacific.com ... 64/iso-cd/
Look at the files at your original download site.
Download the one called SHA256SUMS which should be the same size as my example of 302 bytes.
Open it with a text editor, with luck it will show......and leave the text file open please.
But do not trust me....you must trust your original site OK.
ae6d563d2444665316901fe7091059ac34b8f67ba30f9159f7cef7d2fdc5bf8a debian-11.0.0-amd64-netinst.iso
Now on W10 use your file manager to navigate to the iso download.
Assuming you are Right handed RH click on that iso
Select Open command window here
W10 should have a built-in command called CertUtil
so on W10 click the select all button and paste the following into that command box
Code: Select all
CertUtil -hashfile debian-11.0.0-amd64-netinst.iso SHA256
With luck it will generate a hash value using SHA256 for that iso. You then compare it to your text editor open for the other downloads and it should match.
There are other ways of doing it.....but essentially if you went to a real debian site, and have truly downloaded a real debian iso.....this is a faster way to verify the download is correct.
Any change in the iso....generates a different hash value.
I cheated off a Linux Mint post but its info might mislead the poster
Good luck
- sunrat
- Administrator
- Posts: 6470
- Joined: 2006-08-29 09:12
- Location: Melbourne, Australia
- Has thanked: 117 times
- Been thanked: 474 times
Re: Issue finding pgp signing key for Debian 11
@greg9 PGP signing keys are not the same as sha256sums.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ” Remember to BACKUP!
Re: Issue finding pgp signing key for Debian 11
found this at https://www.debian.org > download > ISO Verification Guide, hope it helps
https://www.debian.org/CD/verify
resigned by AI ChatGPT
-
- Global Moderator
- Posts: 2931
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 72 times
- Been thanked: 401 times
Re: Issue finding pgp signing key for Debian 11
bw123 wrote: ↑2021-09-17 10:45
found this at https://www.debian.org > download > ISO Verification Guide, hope it helps
https://www.debian.org/CD/verify

Just for the record (as reported by bw123):
Code: Select all
$ gpg --keyserver keyring.debian.org --recv-keys 0xDA87E80D6294BE9B
gpg: key DA87E80D6294BE9B: "Debian CD signing key <debian-cd@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Re: Issue finding pgp signing key for Debian 11
My reply was poorly worded. I assumed that OP was still on W10 and I am not sure how a W10 user uses gpg.
So I offered an easier method IMHO.
my 2 cents worth
-
- Posts: 4
- Joined: 2021-09-16 20:11
- Has thanked: 4 times
Re: Issue finding pgp signing key for Debian 11
bw123 wrote: ↑2021-09-17 10:45
found this at https://www.debian.org > download > ISO Verification Guide, hope it helps
https://www.debian.org/CD/verify

Thank you that was helpful. I imported the pub keys from the debian key server, however I'm still having issues when I verify the signature.
These are the keys I have on my keychain:
gpg --list-keys
/home/zen/.gnupg/pubring.kbx
----------------------------
pub rsa4096 2021-09-20 [SC] [expires: 2022-XX-XX]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid [ultimate] Redacted <redacted@redacted.com>
sub rsa4096 2021-09-20 [E] [expires: 2022-XX-XX]
pub rsa4096 2009-10-03 [SC]
10460DAD76165AD81FBC0CE9988021A964E6EA7D
uid [ unknown] Debian CD signing key <debian-cd@lists.debian.org>
pub rsa4096 2011-01-05 [SC]
DF9B9C49EAA9298432589D76DA87E80D6294BE9B
uid [ unknown] Debian CD signing key <debian-cd@lists.debian.org>
sub rsa4096 2011-01-05 [E]
pub rsa4096 2014-04-15 [SC]
F41D30342F3546695F65C66942468F4009EA8AC3
uid [ unknown] Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>
sub rsa4096 2014-04-15 [E]
This is the output I'm getting:
gpg --verify debian-11.0.0-amd64-netinst.iso.sig
gpg: assuming signed data in 'debian-11.0.0-amd64-netinst.iso'
gpg: Signature made Sat 14 Aug 2021 04:22:04 PM EDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
This is the website I downloaded the iso from:
https://www.debian.org/download
These are the contents of debian-11.0.0-amd64-netinst.iso.sig:
Thanks again for the help.
P.S. I moved over from Win 10 and am now on Garuda Dragonized Linux.
- sunrat
- Administrator
- Posts: 6470
- Joined: 2006-08-29 09:12
- Location: Melbourne, Australia
- Has thanked: 117 times
- Been thanked: 474 times
Re: Issue finding pgp signing key for Debian 11
I did this yesterday for the first time ever. I found the Debian wiki page to be a bit light on instructions but the procedure is trivially easy and described well on this page - How to Verify Authenticity of Linux Software with Digital Signatures
-
- Global Moderator
- Posts: 2931
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 72 times
- Been thanked: 401 times
Re: Issue finding pgp signing key for Debian 11
Hello,
@greg9:
don't worry, your suggestion is usually the more common way to verify "on-the-fly" the integrity of a downloaded ISO (because Debian repositories are often considered "trusted by default"), but our OP wanted to verify the ISO integrity (using the hash sum), the signature of the verified ISO and the authenticity of the used signing key, too. I agree with you that with Windows it could be difficult to obtain "free" (as in freedom) binaries/programs from trusted sources as for Debian GNU/Linux. So, it's difficult to give safe and simple advice.
@Brutalation:
Brutalation wrote: ↑2021-09-20 21:56
This is the output I'm getting:
Code: Select all
gpg --verify debian-11.0.0-amd64-netinst.iso.sig
gpg: assuming signed data in 'debian-11.0.0-amd64-netinst.iso'
gpg: Signature made Sat 14 Aug 2021 04:22:04 PM EDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]

I obtain something different:
Code: Select all
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-11.0.0-amd64-netinst.iso
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS.sign
$ gpg --keyserver keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: key DA87E80D6294BE9B: "Debian CD signing key <debian-cd@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
$ gpg --verify SHA256SUMS.sign SHA256SUMS
gpg: Signature made Sat Aug 14 22:22:03 2021 CEST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
So that, the signature is good, but the used key seems not to be in a chain of trust (it's not signed by others). In your check you obtain "BAD signature" probably because you didn't import the signing key.
-
- Posts: 4
- Joined: 2021-09-16 20:11
- Has thanked: 4 times
Re: Issue finding pgp signing key for Debian 11
Aki wrote: ↑2021-09-21 05:43
I obtain something different:
Code: Select all
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-11.0.0-amd64-netinst.iso
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/c
$ gpg --keyserver keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: key DA87E80D6294BE9B: "Debian CD signing key <debian-cd@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
$ gpg --verify SHA256SUMS.sign SHA256SUMS
gpg: Signature made Sat Aug 14 22:22:03 2021 CEST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
So that, the signature is good, but the used keys seems not to be in a chain of trust (it's not signed by others). In your check you obtain "BAD signature" probably because you didn't import the signing key.

Ah. I see where I went wrong. I thought the signature provided was for the actual iso itself and not just for the sha hashes. Once I renamed the signature from "debian-11.0.0-amd64-netinst.iso.sig" to "SHA256SUMS.sign" it verified just fine. Thanks so much for the help from everyone in hunting down the solution.
- sunrat
- Administrator
- Posts: 6470
- Joined: 2006-08-29 09:12
- Location: Melbourne, Australia
- Has thanked: 117 times
- Been thanked: 474 times
Re: Issue finding pgp signing key for Debian 11
Brutalation wrote: ↑2021-09-21 14:47
... I thought the signature provided was for the actual iso itself and not just for the sha hashes. Once I renamed the signature from "debian-11.0.0-amd64-netinst.iso.sig" to "SHA256SUMS.sign" it verified just fine.

Hmmm, the file on the server is called "SHA256SUMS.sign" so did you rename it in the first place?
Good you worked it out eventually!
-
- Posts: 4
- Joined: 2021-09-16 20:11
- Has thanked: 4 times
Re: Issue finding pgp signing key for Debian 11
sunrat wrote: ↑2021-09-21 15:17
Brutalation wrote: ↑2021-09-21 14:47
... I thought the signature provided was for the actual iso itself and not just for the sha hashes. Once I renamed the signature from "debian-11.0.0-amd64-netinst.iso.sig" to "SHA256SUMS.sign" it verified just fine.
Hmmm, the file on the server is called "SHA256SUMS.sign" so did you rename it in the first place?
Good you worked it out eventually!

I actually copy/pasted the text from the webpage after I clicked on signature to a fresh txt file I named myself. I just assumed there were 2 forms of verification for the iso and not a checksums file and a signature for the check sums. In my defense it wasn't immediately clear that was the case on the webpage, but I feel dumb for not realizing this sooner.
I'm just glad I'm actually able to verify downloads properly moving forward.
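
The two-step check this thread arrives at (the detached signature covers SHA256SUMS, and SHA256SUMS covers the ISO), as an added example that is not part of any post or of Debian's tooling. The function names are hypothetical; the pinned fingerprint is the one printed by gpg in the thread and should be confirmed against https://www.debian.org/CD/verify. Pinning the full fingerprint is what stands in for the missing chain of trust behind gpg's "not certified with a trusted signature" warning.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not Debian tooling.

# Full primary-key fingerprint as shown in the thread. Pin this value,
# not the short ID 0xDA87E80D6294BE9B, which is only its last 64 bits.
DEBIAN_CD_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Reads `gpg --status-fd` output on stdin. Succeeds only when a VALIDSIG
# line ends with the pinned primary-key fingerprint (its last field).
status_has_pinned_sig() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Step 1: SHA256SUMS.sign is a detached signature over SHA256SUMS, not the ISO.
# usage: verify_sums_signature SHA256SUMS.sign SHA256SUMS
verify_sums_signature() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_has_pinned_sig "$DEBIAN_CD_FPR"
}

# Step 2: compare the ISO's SHA-256 with its entry in the verified SHA256SUMS.
# usage: check_iso_hash SHA256SUMS file.iso
# returns 0 on match, 1 on mismatch, 2 if the file is not listed.
check_iso_hash() {
    sums=$1
    iso=$2
    want=$(awk -v f="$(basename "$iso")" '
        { n = $2; sub(/^\*/, "", n) }      # tolerate "hash *name" binary marker
        n == f { print $1; exit }' "$sums")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Both steps in order: a good hash means nothing until the sums file is verified.
# usage: verify_debian_iso SHA256SUMS.sign SHA256SUMS file.iso
verify_debian_iso() {
    verify_sums_signature "$1" "$2" && check_iso_hash "$2" "$3"
}
```

Running gpg against the ISO with this signature file reports BAD signature because the signed data is SHA256SUMS, which is the failure seen earlier in the thread.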