1. Download both the .iso and the GPG signature (the .asc file, which is
plain ASCII text). Also make a note of the published fingerprint of the
signing key, taken from the project's own web site rather than from the
download mirror, so that a tampered mirror cannot hand you a matching
key along with a tampered image. For this example the fingerprint is:
22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284.
laz@linux-zl0u:~> cd Downloads
laz@linux-zl0u:~/Downloads> ls
openSUSE-12.2-GNOME-LiveCD-x86_64.iso
openSUSE-12.2-GNOME-LiveCD-x86_64.iso.asc
2. Verify the signature. Note: the .asc (signature) file comes first, then the file it signs.
laz@linux-zl0u:~/Downloads> gpg -v --verify openSUSE-12.2-GNOME-LiveCD-x86_64.iso.asc openSUSE-12.2-GNOME-LiveCD-x86_64.iso
Version: GnuPG v1.0.7 (GNU/Linux)
gpg: armor header:
gpg: Signature made Thu 30 Aug 2012 03:11:40 AM PDT using RSA key ID 3DBDC284
gpg: Can't check signature: No public key
3. If no public key is found, fetch it from a keyserver using the RSA key ID shown in step 2.
Caveat: the 8-hex-digit short key ID is not unique; keys with a colliding short ID can be
(and have been) uploaded to keyservers, so the key you receive is untrusted until its full
fingerprint has been compared in step 4.
laz@linux-zl0u:~/Downloads> gpg --recv-key 3DBDC284
gpg: requesting key 3DBDC284 from hkp server keys.gnupg.net
gpg: /home/laszlo/.gnupg/trustdb.gpg: trustdb created
gpg: key 3DBDC284: public key "openSUSE Project Signing Key <opensuse@opensuse.org>" imported
gpg: no ultimately trusted keys found <---- See note a.
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
4. Verify the downloaded public key by comparing its full fingerprint with the value noted in step 1:
laz@linux-zl0u:~/Downloads> gpg --fingerprint
/home/laz/.gnupg/pubring.gpg
-------------------------------
pub 2048R/3DBDC284 2008-11-07 [expires: 2014-05-04]
Key fingerprint = 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
uid openSUSE Project Signing Key <opensuse@opensuse.org>
The fingerprint matches the published value. If it did not, the key would
have to be deleted from the keyring and the .iso treated as unverified.
5. Repeat step 2:
laz@linux-zl0u:~/Downloads> gpg -v --verify openSUSE-12.2-GNOME-LiveCD-x86_64.iso.asc openSUSE-12.2-GNOME-LiveCD-x86_64.iso
Version: GnuPG v1.0.7 (GNU/Linux)
gpg: armor header:
gpg: Signature made Thu 30 Aug 2012 03:11:40 AM PDT using RSA key ID 3DBDC284
gpg: using PGP trust model
gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
gpg: binary signature, digest algorithm SHA256
Notes: a. This warning does not mean the signature is bad. It means that the
openSUSE key is not certified by any key you already trust, so GnuPG
cannot vouch for who owns it. The fingerprint comparison in step 4 is
that check done by hand; once it has passed, the warning can be silenced
by certifying the key locally with your own key (gpg's --lsign-key
option). Publishing the key on the project's own site, as Fedora does
with its keys, lets users fetch it over HTTPS instead of from a
keyserver, but it does not by itself make GnuPG trust the key.
b. The "Good signature" statement means that the signature on the .iso
verifies with key 3DBDC284, i.e. the file is byte-for-byte what was
signed. On its own it says nothing about whether that key belongs to
openSUSE; that is what the fingerprint comparison in step 4 establishes.
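The procedure above can be automated so that "Good signature" and "right key" are checked together: gpg's --status-fd output carries a VALIDSIG line with the signing key's full fingerprint, which a script can pin against the published value. The following is an added example written for this page, not part of the original text or of any openSUSE tooling. It assumes a POSIX shell with gpg and awk installed; the file names and fingerprint come from the page, while the status lines in SAMPLE_GOOD and SAMPLE_NOKEY are constructed to illustrate the two outcomes and were not captured from a real run.

```shell
#!/bin/sh
# verify_iso.sh: verify a detached GPG signature and pin the signer's
# FULL fingerprint. Added example for this page, not openSUSE's own tool.
# The fingerprint and file names come from the page; SAMPLE_* are constructed.

# Published fingerprint of the openSUSE Project Signing Key (step 1).
EXPECTED_FPR="22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284"

# Strip spaces and upper-case a fingerprint so differently written values compare.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Pull the signing key's full fingerprint out of gpg --status-fd output.
# Only VALIDSIG carries the 40-hex-digit fingerprint; GOODSIG carries just
# the 64-bit key ID, which is not enough to pin a key.
validsig_fpr() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Return 0 only if the status output contains a VALIDSIG whose fingerprint
# equals the expected one. A BADSIG, a missing key (NO_PUBKEY) or a good
# signature from some other key all return 1.
check_status() {
    status="$1"
    expected="$2"
    got=$(validsig_fpr "$status")
    [ -n "$got" ] || return 1
    [ "$(norm_fpr "$got")" = "$(norm_fpr "$expected")" ]
}

# Run gpg on a real signature/file pair and apply check_status to it.
# --status-fd 1 puts machine-readable lines on stdout; the human messages
# ("Good signature from ...", the trust warning) still go to stderr.
# gpg's own exit status is ignored here; the verdict comes from the status lines.
verify_iso() {
    sig="$1"
    file="$2"
    expected="$3"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file") || true
    check_status "$status" "$expected"
}

# Constructed status output (not captured from a real run) in the shape gpg
# emits for the openSUSE key: a good, valid signature from the pinned key ...
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B88B2FD43DBDC284 openSUSE Project Signing Key <opensuse@opensuse.org>
[GNUPG:] VALIDSIG 22C07BA534178CD02EFE22AAB88B2FD43DBDC284 2012-08-30 1346321500 0 4 0 1 8 00 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
[GNUPG:] TRUST_UNDEFINED'
# ... and the "No public key" case from step 2, which must fail.
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG B88B2FD43DBDC284 1 8 00 1346321500 9
[GNUPG:] NO_PUBKEY B88B2FD43DBDC284'

# Command-line use: verify_iso.sh <file.asc> <file> [fingerprint]
# e.g. verify_iso.sh openSUSE-12.2-GNOME-LiveCD-x86_64.iso.asc openSUSE-12.2-GNOME-LiveCD-x86_64.iso
if [ "$#" -ge 2 ]; then
    if verify_iso "$1" "$2" "${3:-$EXPECTED_FPR}"; then
        echo "OK: signature valid and made by key $(norm_fpr "${3:-$EXPECTED_FPR}")"
    else
        echo "FAIL: bad signature, missing key, or signed by a different key" >&2
        exit 1
    fi
fi
```

The script deliberately ignores gpg's "Good signature" wording and its exit status and keys only on VALIDSIG, because a good signature from a colliding or substituted key also produces a GOODSIG line; only the full fingerprint distinguishes the openSUSE key from an impostor.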