installation-file lmde2 GPG-signature not trustable?

Questions about Grub, the liveCD and the installer
Forum rules
Before you post please read how to get help
Post Reply
volker
Level 1
Level 1
Posts: 1
Joined: Sun Nov 26, 2017 9:08 am

installation-file lmde2 GPG-signature not trustable?

Post by volker » Sun Nov 26, 2017 9:25 am

i tried to install linux 32bit from the german sources
fh-aachen and than from another source the uni esslingen.
Both times the shasum test result was it is not trustable:

volker@8560p ~/Dokumente/pc/ISO $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Unterschrift vom Fr 10 Mär 2017 20:36:25 CET mittels RSA-Schlüssel ID A25BAE09
gpg: Korrekte Unterschrift von "Linux Mint ISO Signing Key <root@linuxmint.com>"
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09



did i something wrong?
here is what i done:
---------------------------------------------------------------------------


Prüfung der Installationsdatei für LINUX LMDE2 cinnamon 32-bit
heruntergeladen von FH Aachen 26.11.17 13.40Uhr
Ergebnis "keine vertrauenswürdige Signatur"!




Prüfung


Vorgabe:

2acd4222bff067e4c5ab727e50ad8ceb0aaf278449e34b4b3fa342dca181411f *lmde-2-201701-cinnamon-32bit.iso

Ausgabe:

2acd4222bff067e4c5ab727e50ad8ceb0aaf278449e34b4b3fa342dca181411f


Vorgabe:
Check the output of the last command, to make sure the fingerprint is 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09.

Ausgabe:
Schl.-Fingerabdruck = 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09


Vorgabe:
gpg --verify sha256sum.txt.gpg sha256sum.txt

The output of the last command should tell you that the file signature is 'good' and that it was signed with the following key: A25BAE09.

Ausgabe:
gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Unterschrift vom Fr 10 Mär 2017 20:36:25 CET mittels RSA-Schlüssel ID A25BAE09
gpg: Korrekte Unterschrift von "Linux Mint ISO Signing Key <root@linuxmint.com>"
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: installation-file lmde2 GPG-signature not trustable?

Post by Cosmo. » Sun Nov 26, 2017 5:27 pm

In short: If the fingerprint matches with the published value, all is good.

I wrote some time ago a little technical explanation, why the warning about the missing trusted signature comes up. It might help you to understand, what is going on - and that the download after verifying the fingerprint of the gpg-key is perfectly trustful.

mike acker
Level 6
Level 6
Posts: 1406
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: installation-file lmde2 GPG-signature not trustable?

Post by mike acker » Thu Dec 21, 2017 9:13 am

interesting discussion

one of the things a hacker would have to do is to get every copy of our Signing Key.

with this in mind, I'll display my copy of the fingerprint for the Mint Sigining Key

Code: Select all

$ gpg2 --fingerprint "Linux Mint ISO"
pub   4096R/A25BAE09 2016-06-07
      Key fingerprint = 27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09
uid       [  full  ] Linux Mint ISO Signing Key <root@linuxmint.com>

this offers a small -- but not insignificant -- assurance that you have the right key for Mint ISO Signing.

when you are satisfied that you have the correct key go ahead and sign it, with your own key. this will clear the warning message for you. remember: when you sign the key it becomes _valid_. this means you're satisfied you have the right key. you don't assign trust to it -- that is used to authorize the key to help validate other keys for you.
¡Viva la Resistencia!

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: installation-file lmde2 GPG-signature not trustable?

Post by Cosmo. » Thu Dec 21, 2017 9:49 am

mike acker wrote:one of the things a hacker would have to do is to get every copy of our Signing Key.
If you mean the private key (this is actully the only key that can be used for signing): There should exist only one and this has to be kept exclusively in the ownership of its creator - Clem in this case.

If you mean the public key: Public keys are meant to get distributed. They cannot get used for signing anything, only for verifying a signature. Besides that: If an attacker has one copy, he has actually all, except that the key had been updated by its owner, but the update had not been uploaded to all key-servers. Besides that exception all keys are identical. - So downloading a published public key does not give an advantage for an attacker. He could of course try to upload a faked key instead, but that is exactly the point, where the check for the fingerprint gets its meaning, because a faked key can never have the same fingerprint as the original key. If this would not be the case, gpg would be broken, but this is until now not possible.

mike acker
Level 6
Level 6
Posts: 1406
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: installation-file lmde2 GPG-signature not trustable?

Post by mike acker » Thu Dec 21, 2017 3:47 pm

Cosmo. wrote:
mike acker wrote:one of the things a hacker would have to do is to get every copy of our Signing Key.
If you mean the private key (this is actully the only key that can be used for signing): There should exist only one and this has to be kept exclusively in the ownership of its creator - Clem in this case.
{ /snip }
if i remember rightly, a while back attackers managed to update our download source links page, re-directing the downloads to a rogue site. in doing this they provided a bogus hash and signature to match

nothing prevents me from generating a key -- and claiming to be (e.g.) R.M.Nixon -- or Clem -- for that matter.

the safety is that I am satisfied that I have a correct copy of our MINT ISO signing key -- as I've checked the fingerprint on more than one occasion over time. based on this I've signed my copy of the key. as a result, I do not get the warning from PGP when I verify the signature

however: if some attacker tried again, like they did before -- to create their own iso, and generate a hash for it -- and sign it with a key claiming to the be Mint signing key -- then I'll get a PGP warning when I try to check the key. note: it is critical that I'm not getting all my info from one source. if I get the hash, and the signature, and the key fingerprint -- all from one source -- I'm just checking to see if ( x == x ).
¡Viva la Resistencia!

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: installation-file lmde2 GPG-signature not trustable?

Post by Cosmo. » Thu Dec 21, 2017 4:44 pm

Surely such an attack is possible; I wrote this already 1 week ago. I said there also, why today a successful would be much harder to do than in the situation 2 years ago.

Later I published in the same thread a suggestion, which would also block this attack vector. Once a user has ensured, that he has an authentic Mint system, he can with the described technique verify the authenticity of a Mint iso download with the ke, which every Mint has on board (and this much more easy). With tthis the described scenario would not work for an attacker - at least not for users, who have already Mint, possibly also for users of other Linux distros.

mike acker
Level 6
Level 6
Posts: 1406
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: installation-file lmde2 GPG-signature not trustable?

Post by mike acker » Thu Dec 21, 2017 6:28 pm

Cosmo. wrote:Surely such an attack is possible; I wrote this already 1 week ago. I said there also, why today a successful would be much harder to do than in the situation 2 years ago.

Later I published in the same thread a suggestion, which would also block this attack vector. Once a user has ensured, that he has an authentic Mint system, he can with the described technique verify the authenticity of a Mint iso download with the ke, which every Mint has on board (and this much more easy). With tthis the described scenario would not work for an attacker - at least not for users, who have already Mint, possibly also for users of other Linux distros.
thanks!! I'll have fun learning this!

from your reference:
That means, that the needed gpg-key is already on board.
yep! that would do it!!
¡Viva la Resistencia!

Post Reply

Return to “Installation & Boot”