This is a job for GPG2 -- and I'm delighted to see the MINT community embracing this method.
Today, I decided to download a fresh copy of the LMDE2 MINT Cinnamon 64 for the box I'm re-building for my brother. For this I went to our normal download site -- https://www.linuxmint.com/edition.php?id=186?id=186 -- and selected the James Madison Univ. mirror.
This was all well and good except that, in addition to the .iso, I needed the sha256sums.txt and the corresponding GPG signature: sha256sums.txt.gpg
It wasn't immediately apparent where this additional data might be found, but by right-clicking on the download link I was able to obtain the following:
http://mirror.jmu.edu/pub/linuxmint/images//debian/lmde-2-201503-cinnamon-64bit.iso
http://mirror.jmu.edu/pub/linuxmint/images/debian/
Index of /pub/linuxmint/images/debian/
../
lmde-2-201503-cinnamon-32bit.iso 06-Apr-2015 12:07 1G
lmde-2-201503-cinnamon-64bit.iso 06-Apr-2015 09:21 1G
lmde-2-201503-mate-32bit.iso 06-Apr-2015 17:19 1G
lmde-2-201503-mate-64bit.iso 06-Apr-2015 10:39 1G
md5sum.txt 14-Nov-2015 15:32 260
sha256sum.txt 07-Apr-2015 14:27 2493
sha256sum.txt.gpg 07-Apr-2015 14:34 198
I was also able to obtain sha256sum.txt.gpg -- the GPG2 detached signature for sha256sum.txt.
Now, in order to be satisfied that I have the correct checksums, I need to verify the GPG signature:
gpg2 --verify sha256sum.txt.gpg sha256sum.txt
gpg2 --verify sha256sums.txt.gpg sha256sums.txt
gpg: Signature made Tue 07 Apr 2015 10:19:15 AM EDT using DSA key ID 0FF405B2
gpg: Can't check signature: No public key
On a hunch I submitted a request to receive the key:
gpg2 --keyserver keyserver.ubuntu.com --recv-key "0FF405B2"
gpg: requesting key 0FF405B2 from hkp server keyserver.ubuntu.com
gpg: key 0FF405B2: public key "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 4 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 4 signed: 1 trust: 1-, 0q, 1n, 0m, 2f, 0u
gpg: depth: 2 valid: 1 signed: 0 trust: 0-, 0q, 1n, 0m, 0f, 0u
gpg: next trustdb check due at 2017-04-07
gpg: Total number processed: 1
gpg: imported: 1
gpg2 --verify sha256sums.txt.gpg sha256sums.txt
gpg: Signature made Tue 07 Apr 2015 10:19:15 AM EDT using DSA key ID 0FF405B2
gpg: Good signature from "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2
Now, if I were a betting man (I'm not, as a matter of habit) I'd offer a small wager that this is in fact Clem's key. But, as the Army teaches everyone: there is no indication that the signature belongs to the owner.
What's the bet here? Hope is not a method.
The integrity of the OS itself; we cannot take any chances.
What's needed: a second source.
Note: the download site -- JMU -- offers an MD5 checksum. The problem with that is not that some clowns might manage to generate a collision on the MD5 checksum, but rather that they wouldn't need to: if I download the .iso and the MD5 from the SAME source, there is no verification. X is always equal to X: of course they will give me the MD5 for the .iso they offer.
The GPG-signed sha256sum.txt record solves that, as it allows me to authenticate the sha256sum.txt file using GPG! YEA! A huge step in the right direction. All that's left is to set up a way by which I can validate Clem's signature; as soon as we have that, I'll sign Clem's signature and be happy!
The Web of Trust model defined by the authors of GPG (PGP) calls for a "3rd party introducer", and this is where I'm stuck: we need a way to do that.
I'm pretty happy downloading Clem's key from the UBUNTU keyserver, BUT: how did I get his key ID? From the signature on the sha256sum.txt.gpg file -- that I downloaded from JMU!
Again, in this case, X = X.
If I do a list-sigs on Clem's key:
gpg2 --list-sigs 0FF405B2
pub 1024D/0FF405B2 2009-04-29
uid [ unknown] Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>
sig D068D42F 2014-12-08 [User ID not found]
sig 3 0FF405B2 2009-04-29 Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>
sig 3B7F81DA 2016-02-16 [User ID not found]
sig AD11CBEE 2010-03-17 [User ID not found]
sig B8F07507 2014-03-16 [User ID not found]
sig 8D37FDE9 2016-07-14 Steven Hancock <stevenh512@gmail.com>
sig FF32E0EE 2016-03-14 [User ID not found]
sig 212D41B3 2016-06-10 Carlos Castillo <ccastilloc@openmailbox.org>
sig 2 6367008F 2016-04-07 [User ID not found]
sig 3 02AABD91 2016-03-14 [User ID not found]
sub 2048g/0F346519 2009-04-29
sig 0FF405B2 2009-04-29 Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>
Two of the signatures are from known individuals who also signed the "Linux MINT ISO Signing key" earlier:
gpg2 --list-sigs mint
pub 4096R/A25BAE09 2016-06-07
uid [ unknown] Linux Mint ISO Signing Key <root@linuxmint.com>
sig 0AE6924E 2016-07-25 Joakim Nilsson <hattmannen@dopplerproductions.se>
sig 2 2AAA5C3B 2016-06-16 Gary de Montigny (2013) <gary@demontigny.net>
sig 8A4811D5 2016-07-18 Yuri Ian Burkinshaw <ybkshaw@ybkshaw.com>
sig 8D37FDE9 2016-07-14 Steven Hancock <stevenh512@gmail.com>
sig 5CD5FDBF 2016-06-11 Summersleeps (This is my current key as of Y2016M6D10.)
sig 8DD5B9C2 2016-06-12 Summersleeps (My current key as of Y2016M6D12.)
sig 212D41B3 2016-06-10 Carlos Castillo <ccastilloc@openmailbox.org>
sig 952C9360 2016-07-07 Kevin Walsh <kevin@cursor.biz>
sig 3 A25BAE09 2016-06-07 Linux Mint ISO Signing Key <root@linuxmint.com>
Comments/Thoughts?
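The verification steps walked through above, and the "X = X" objection to taking the key ID from the same mirror, as an added example (not code from the post or from the Linux Mint project): the script runs gpg2 --verify with machine-readable status output and accepts the signature only if the primary-key fingerprint matches a fingerprint pinned in advance, then checks the .iso digest against the signed sums file. It assumes gpg2 is on PATH and that PINNED_FPR was obtained from a second, independent source; the status lines and sums file below are constructed samples so the checks can run offline.

```python
import hashlib
import subprocess
from typing import Dict, Optional

# Fingerprint gpg2 printed for the Mint repository key above; assumption: really obtain it from a second, independent source.
PINNED_FPR = "E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2"

def run_gpg_verify(sig_path: str, data_path: str) -> str:
    """Run gpg2 --verify and return its machine-readable status lines (needs gpg2 installed)."""
    proc = subprocess.run(["gpg2", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return proc.stdout

def primary_fingerprint(status_output: str) -> Optional[str]:
    """Primary-key fingerprint from the VALIDSIG status line; None when there was no valid signature."""
    for line in status_output.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[-1].upper()  # last field of VALIDSIG is the primary key fingerprint
    return None

def signature_trusted(status_output: str, pinned_fpr: str = PINNED_FPR) -> bool:
    """True only for a valid signature made by the pinned key; 'Good signature' from any other key is False."""
    fpr = primary_fingerprint(status_output)
    return fpr is not None and fpr == pinned_fpr.replace(" ", "").upper()

def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum.txt lines ('<64 hex>  <filename>' or '<64 hex> *<filename>') into {filename: hex}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest_matches(actual_hex: str, sums_text: str, filename: str) -> bool:
    """Compare a computed digest against the entry for `filename` in the already verified sums file."""
    expected = parse_sha256sums(sums_text).get(filename)
    return expected is not None and actual_hex.lower() == expected

# Constructed sample status output (not captured from gpg) for the good-signature and no-key cases.
SAMPLE_STATUS_GOOD = (
    "[GNUPG:] GOODSIG 3EE67F3D0FF405B2 Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>\n"
    "[GNUPG:] VALIDSIG E1A38B8F144675D060EA666F3EE67F3D0FF405B2 2015-04-07 1428416355 0 4 0 17 2 00 "
    "E1A38B8F144675D060EA666F3EE67F3D0FF405B2\n[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
SAMPLE_STATUS_NOKEY = "[GNUPG:] ERRSIG 3EE67F3D0FF405B2 17 2 00 1428416355 9\n[GNUPG:] NO_PUBKEY 3EE67F3D0FF405B2\n"
# Constructed sums file whose single entry is the SHA-256 of empty input, so the check runs offline.
SAMPLE_SUMS = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  example.iso\n"
```

For a real download, call run_gpg_verify("sha256sum.txt.gpg", "sha256sum.txt") and pass its output to signature_trusted before comparing the .iso digest with digest_matches.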