Issue finding pgp signing key for Debian 11

Brutalation
Posts: 4
Joined: 2021-09-16 20:11
Has thanked: 4 times

Issue finding pgp signing key for Debian 11

#1 Post by Brutalation »

Hello all, this is my first post! I'm happy to meet you all and thanks for all the help in advance. I hope to one day help others as others have helped me.

I'm currently on Windows 10 and using Kleopatra to verify the Debian 11 iso.
I've just downloaded the amd64 iso.
I've copied the signature listed on the website next to the download and saved it in the same directory as the iso as "debian-11.0.0-amd64-netinst.iso.asc"
I don't have the developer's public key. (I have no idea where to find it and I've been searching but my google-fu is weak.)
I tried to verify the iso anyway and got the following output:

Verified 'debian-11.0.0-amd64-netinst.iso' with 'debian-11.0.0-amd64-netinst.iso.asc':
The data could not be verified.

Signature created on Saturday, August 14, 2021 4:22:04 PM
With unavailable certificate:
ID: 0xDA87E80D6294BE9B
You can search the certificate on a keyserver or import it from a file.

I then clicked "Search" to search the keyserver for the appropriate key. This failed.
I then googled and found the following website to search for the key. https://db.debian.org/
Searching for 0xDA87E80D6294BE9B, DA87E80D6294BE9B, or DA87 E80D 6294 BE9B did not return any results.

Please help me figure out how to identify who the developer who signed the Debian 11 iso is and how to locate their public key so I can verify my iso before I install it.
Thanks again in advance for the help.

greg9
Posts: 34
Joined: 2021-09-14 06:29
Has thanked: 6 times

Re: Issue finding pgp signing key for Debian 11

#2 Post by greg9 »

Hi
Let me offer a simple way (hopefully).
First go back to the original download site if you can remember it.
I do not know which one you used, so I give an Australian mirror site as an example:
http://debian.mirror.digitalpacific.com ... 64/iso-cd/

Look at the files at your original download site.
Download the one called SHA256SUMS which should be the same size as my example of 302 bytes.
Open it with a text editor, with luck it will show......and leave the text file open please.
ae6d563d2444665316901fe7091059ac34b8f67ba30f9159f7cef7d2fdc5bf8a debian-11.0.0-amd64-netinst.iso
But do not trust me....you must trust your original site OK.

Now on W10 use your file manager to navigate to the iso download.
Assuming you are Right handed RH click on that iso
Select Open command window here
W10 should have a built in command called CertUtil

so on W10 click the select all button and paste the following into that command box

Code:

CertUtil -hashfile debian-11.0.0-amd64-netinst.iso SHA256 
With luck it will generate a hash value using SHA256 for that iso. You then compare it to your text editor open for the other downloads and it should match.

There are other ways of doing it.....but essentially if you went to a real debian site, and have truly downloaded a real debian iso.....this is a faster way to verify the download is correct.

Any change in the iso....generates a different hash value.

I cheated off a Linux Mint post but it info might mislead the poster

Good luck

sunrat
Administrator
Posts: 6382
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 115 times
Been thanked: 456 times

Re: Issue finding pgp signing key for Debian 11

#3 Post by sunrat »

@greg9 PGP signing keys are not the same as sha256sums.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Issue finding pgp signing key for Debian 11

#4 Post by bw123 »

found this at https://www.debian.org > download > ISO Verification Guide, hope it helps
https://www.debian.org/CD/verify
resigned by AI ChatGPT

Aki
Global Moderator
Posts: 2816
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 68 times
Been thanked: 382 times

Re: Issue finding pgp signing key for Debian 11

#5 Post by Aki »

bw123 wrote: 2021-09-17 10:45 found this at https://www.debian.org > download > ISO Verification Guide, hope it helps
https://www.debian.org/CD/verify
Just for the record (as reported by bw123):

Code:

$ gpg --keyserver keyring.debian.org --recv-keys 0xDA87E80D6294BE9B
gpg: key DA87E80D6294BE9B: "Debian CD signing key <debian-cd@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀

greg9
Posts: 34
Joined: 2021-09-14 06:29
Has thanked: 6 times

Re: Issue finding pgp signing key for Debian 11

#6 Post by greg9 »

My reply was poorly worded. I assumed that OP was still on W10 and I am not sure how a W10 user uses gpg.
So I offered an easier method IMHO.

my 2 cents worth

Brutalation
Posts: 4
Joined: 2021-09-16 20:11
Has thanked: 4 times

Re: Issue finding pgp signing key for Debian 11

#7 Post by Brutalation »

bw123 wrote: 2021-09-17 10:45 found this at https://www.debian.org > download > ISO Verification Guide, hope it helps
https://www.debian.org/CD/verify
Thank you that was helpful. I imported the pub keys from the debian key server, however I'm still having issues when I verify the signature.
These are the keys I have on my keychain:

gpg --list-keys
/home/zen/.gnupg/pubring.kbx
----------------------------
pub rsa4096 2021-09-20 [SC] [expires: 2022-XX-XX]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid [ultimate] Redacted <redacted@redacted.com>
sub rsa4096 2021-09-20 [E] [expires: 2022-XX-XX]

pub rsa4096 2009-10-03 [SC]
10460DAD76165AD81FBC0CE9988021A964E6EA7D
uid [ unknown] Debian CD signing key <debian-cd@lists.debian.org>

pub rsa4096 2011-01-05 [SC]
DF9B9C49EAA9298432589D76DA87E80D6294BE9B
uid [ unknown] Debian CD signing key <debian-cd@lists.debian.org>
sub rsa4096 2011-01-05 [E]

pub rsa4096 2014-04-15 [SC]
F41D30342F3546695F65C66942468F4009EA8AC3
uid [ unknown] Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>
sub rsa4096 2014-04-15 [E]


This is the output I'm getting:

gpg --verify debian-11.0.0-amd64-netinst.iso.sig
gpg: assuming signed data in 'debian-11.0.0-amd64-netinst.iso'
gpg: Signature made Sat 14 Aug 2021 04:22:04 PM EDT
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]

This is the website I downloaded the iso from:
https://www.debian.org/download

These are the contents of debian-11.0.0-amd64-netinst.iso.sig:


Thanks again for the help.

P.S. I moved over from Win 10 and am now on Garuda Dragonized Linux.

sunrat
Administrator
Posts: 6382
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 115 times
Been thanked: 456 times

Re: Issue finding pgp signing key for Debian 11

#8 Post by sunrat »

I did this yesterday for the first time ever. I found the Debian wiki page to be a bit light on instructions but the procedure is trivially easy and described well on this page - How to Verify Authenticity of Linux Software with Digital Signatures

Aki
Global Moderator
Posts: 2816
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 68 times
Been thanked: 382 times

Re: Issue finding pgp signing key for Debian 11

#9 Post by Aki »

Hello,
greg9 wrote: 2021-09-19 01:21 My reply was poorly worded. I assumed that OP was still on W10 and I am not sure how a W10 user uses gpg.
So I offered an easier method IMHO. my 2 cents worth
@greg9:
don't worry, your suggestion is usually the more common way to verify "on-the-fly" the integrity of a downloaded ISO (because Debian repositories are often considered "trusted by default"), but our OP wanted to verify the ISO integrity (using the hash sum), the signature of the verified ISO and the authenticity of the signing key used, too. I agree with you that on Windows it could be difficult to obtain "free" (as in freedom) binaries/programs from trusted sources as for Debian GNU/Linux. So, it's difficult to give safe and simple advice.
Brutalation wrote: 2021-09-20 21:56 This is the output I'm getting:

Code:

gpg --verify debian-11.0.0-amd64-netinst.iso.sig
gpg: assuming signed data in 'debian-11.0.0-amd64-netinst.iso'
gpg: Signature made Sat 14 Aug 2021 04:22:04 PM EDT
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
@Brutalation: I obtain something different:

Code:

$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-11.0.0-amd64-netinst.iso
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS.sign

$ gpg --keyserver keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: key DA87E80D6294BE9B: "Debian CD signing key <debian-cd@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

$ gpg --verify SHA256SUMS.sign SHA256SUMS
gpg: Signature made Sat Aug 14 22:22:03 2021 CEST
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
So the signature is good, but the key used seems not to be in a chain of trust (it's not signed by others). In your check you obtain "BAD signature" probably because you didn't import the signing key.

Brutalation
Posts: 4
Joined: 2021-09-16 20:11
Has thanked: 4 times

Re: Issue finding pgp signing key for Debian 11

#10 Post by Brutalation »

Aki wrote: 2021-09-21 05:43 I obtain something different:

Code:

$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-11.0.0-amd64-netinst.iso
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA256SUMS
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/c

$ gpg --keyserver keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: key DA87E80D6294BE9B: "Debian CD signing key <debian-cd@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

$ gpg --verify SHA256SUMS.sign SHA256SUMS
gpg: Signature made Sat Aug 14 22:22:03 2021 CEST
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
So the signature is good, but the key used seems not to be in a chain of trust (it's not signed by others). In your check you obtain "BAD signature" probably because you didn't import the signing key.
Ah. I see where I went wrong. I thought the signature provided was for the actual iso itself and not just for the sha hashes. Once I renamed the signature from "debian-11.0.0-amd64-netinst.iso.sig" to "SHA256SUMS.sign" it verified just fine. Thanks so much for the help from everyone in hunting down the solution.

sunrat
Administrator
Posts: 6382
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 115 times
Been thanked: 456 times

Re: Issue finding pgp signing key for Debian 11

#11 Post by sunrat »

Brutalation wrote: 2021-09-21 14:47... I thought the signature provided was for the actual iso itself and not just for the sha hashes. Once I renamed the signature from "debian-11.0.0-amd64-netinst.iso.sig" to "SHA256SUMS.sign" it verified just fine.
Hmmm, the file on the server is called "SHA256SUMS.sign" so did you rename it in the first place?
Good you worked it out eventually! :wink:

Brutalation
Posts: 4
Joined: 2021-09-16 20:11
Has thanked: 4 times

Re: Issue finding pgp signing key for Debian 11

#12 Post by Brutalation »

sunrat wrote: 2021-09-21 15:17
Brutalation wrote: 2021-09-21 14:47... I thought the signature provided was for the actual iso itself and not just for the sha hashes. Once I renamed the signature from "debian-11.0.0-amd64-netinst.iso.sig" to "SHA256SUMS.sign" it verified just fine.
Hmmm, the file on the server is called "SHA256SUMS.sign" so did you rename it in the first place?
Good you worked it out eventually! :wink:
I actually copy/pasted the text from the webpage after I clicked on signature to a fresh txt file I named myself. I just assumed there were 2 forms of verification for the iso and not a checksums file and a signature for the checksums. In my defense it wasn't immediately clear that was the case on the webpage, but I feel dumb for not realizing this sooner.
[Attachment: debian checksums.PNG]
I'm just glad I'm actually able to verify downloads properly moving forward.
