 How to verify .iso gpg signatures

Laz
Gecko

Posts : 201
Join date : 2012-06-13
Location : Delta BC

PostSubject: How to verify .iso gpg signatures   Tue Oct 23, 2012 6:43 pm

1. Download both the .iso and the gpg signature, which is an ASCII
file. Also make note of what the signature should be. For this
example: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284.

laz@linux-zl0u:~> cd Downloads
laz@linux-zl0u:~/Downloads> ls

openSUSE-12.2-GNOME-LiveCD-x86_64.iso
openSUSE-12.2-GNOME-LiveCD-x86_64.iso.asc

2. Verify validity. Note: .asc file is first.

laz@linux-zl0u:~/Downloads> gpg -v --verify openSUSE-12.2-GNOME-LiveCD-x86_64.iso.asc openSUSE-12.2-GNOME-LiveCD-x86_64.iso

Version: GnuPG v1.0.7 (GNU/Linux)
gpg: armor header:
gpg: Signature made Thu 30 Aug 2012 03:11:40 AM PDT using RSA key ID 3DBDC284
gpg: Can't check signature: No public key

3. If no public key is found, it needs to be downloaded using the RSA key ID provided in step 2.

laz@linux-zl0u:~/Downloads> gpg --recv-key 3DBDC284


gpg: requesting key 3DBDC284 from hkp server keys.gnupg.net
gpg: /home/laszlo/.gnupg/trustdb.gpg: trustdb created
gpg: key 3DBDC284: public key "openSUSE Project Signing Key <opensuse@opensuse.org>" imported
gpg: no ultimately trusted keys found <---- See note a.
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

4. Verify the downloaded public key:

laz@linux-zl0u:~/Downloads> gpg --fingerprint
/home/laz/.gnupg/pubring.gpg
-------------------------------
pub 2048R/3DBDC284 2008-11-07 [expires: 2014-05-04]
Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
uid openSUSE Project Signing Key <opensuse@opensuse.org>

The fingerprint matches the published value.

5. Repeat step 2

laz@linux-zl0u:~/Downloads> gpg -v --verify openSUSE-12.2-GNOME-LiveCD-x86_64.iso.asc openSUSE-12.2-GNOME-LiveCD-x86_64.iso
Version: GnuPG v1.0.7 (GNU/Linux)
gpg: armor header:
gpg: Signature made Thu 30 Aug 2012 03:11:40 AM PDT using RSA key ID 3DBDC284
gpg: using PGP trust model
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
gpg: binary signature, digest algorithm SHA256

Notes: a. It is ironic that this warning may be ignored considering that the
key is used to check security. Apparently it could be avoided by
housing the signed public key on the SUSE server.
Fedora does this with their keys.

b. The “Good signature” statement indicates a match between the
key, and the iso.

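Steps 4 and 5 of the how-to above, combined into one scripted check. This is an added example, not part of the original post: it reads gpg's machine-readable `--status-fd` output and accepts the ISO only when the signature is valid and the signing key's full fingerprint equals the published one. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the full fingerprint instead of reading gpg's text output.

# Constructed sample of gpg's status output for a good signature
# (fingerprint from the post; timestamps and other fields are made up).
SAMPLE_STATUS='[GNUPG:] GOODSIG B88B2FD43DBDC284 openSUSE Project Signing Key <opensuse@opensuse.org>
[GNUPG:] VALIDSIG 22C07BA534178CD02EFE22AAB88B2FD43DBDC284 2012-08-30 1346321500 0 4 0 1 8 00 22C07BA534178CD02EFE22AAB88B2FD43DBDC284'

# Strip spaces and upper-case a fingerprint as published on a web page.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read status lines on stdin; print the primary key fingerprint from VALIDSIG.
# Field 12 is the primary key; older gpg omits it, so fall back to field 3.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# verify_iso SIGFILE ISOFILE "PUBLISHED FINGERPRINT"
# Succeeds only if gpg accepts the signature AND the signing key's full
# fingerprint equals the published one.
verify_iso() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    got=$(printf '%s\n' "$status" | validsig_fpr)
    [ -n "$got" ] && [ "$got" = "$(normalize_fpr "$3")" ]
}

# Run as: script SIGFILE ISOFILE "PUBLISHED FINGERPRINT"
if [ "$#" -eq 3 ]; then
    if verify_iso "$1" "$2" "$3"; then
        echo "OK: good signature, fingerprint matches"
    else
        echo "FAIL: bad signature or fingerprint mismatch" >&2
        exit 1
    fi
fi
```

The published fingerprint should be taken from a source other than the keyserver that supplied the key, as in step 1.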
bozo
Admin

Posts : 402
Join date : 2010-02-23
Location : Way out in the sticks in the Gold Country of California

PostSubject: Re: How to verify .iso gpg signatures   Wed Oct 24, 2012 1:03 am

Thank you, Laz, very clear step-by-step instructions. This should come in handy.

clown

_________________
"The trouble with quotes on the internet is that you never know if they are genuine." - Abraham Lincoln
bdquick
Admin

Posts : 583
Join date : 2010-02-22
Age : 38
Location : Central Iowa

PostSubject: Re: How to verify .iso gpg signatures   Wed Oct 24, 2012 10:36 pm

Looks like we have the makings of a gpg key guru.

_________________
I'm here where ever here is.
Laz
Gecko

Posts : 201
Join date : 2012-06-13
Location : Delta BC

PostSubject: Re: How to verify .iso gpg signatures   Thu Oct 25, 2012 4:35 pm

Thank you for the kind words, largely undeserved. I am barely scratching at the basics of gpg. Since I have no need for encrypted correspondence, I'll go no further.
bdquick
Admin

Posts : 583
Join date : 2010-02-22
Age : 38
Location : Central Iowa

PostSubject: Re: How to verify .iso gpg signatures   Thu Oct 25, 2012 6:31 pm

Laz wrote:
Thank you for the kind words, largely undeserved. I am barely scratching at the basics of gpg. Since I have no need for encrypted correspondence, I'll go no further.

That's the same reason I never looked into it.

_________________
I'm here where ever here is.