i tried to install linux 32bit from the german sources
fh-aachen and than from another source the uni esslingen.
Both times the shasum test result was it is not trustable:
volker@8560p ~/Dokumente/pc/ISO $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Unterschrift vom Fr 10 Mär 2017 20:36:25 CET mittels RSA-Schlüssel ID A25BAE09
gpg: Korrekte Unterschrift von "Linux Mint ISO Signing Key <root@linuxmint.com>"
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
did i something wrong?
here is what i done:
---------------------------------------------------------------------------
Prüfung der Installationsdatei für LINUX LMDE2 cinnamon 32-bit
heruntergeladen von FH Aachen 26.11.17 13.40Uhr
Ergebnis "keine vertrauenswürdige Signatur"!
Prüfung
Vorgabe:
2acd4222bff067e4c5ab727e50ad8ceb0aaf278449e34b4b3fa342dca181411f *lmde-2-201701-cinnamon-32bit.iso
Ausgabe:
2acd4222bff067e4c5ab727e50ad8ceb0aaf278449e34b4b3fa342dca181411f
Vorgabe:
Check the output of the last command, to make sure the fingerprint is 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09.
Ausgabe:
Schl.-Fingerabdruck = 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
Vorgabe:
gpg --verify sha256sum.txt.gpg sha256sum.txt
The output of the last command should tell you that the file signature is 'good' and that it was signed with the following key: A25BAE09.
Ausgabe:
gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Unterschrift vom Fr 10 Mär 2017 20:36:25 CET mittels RSA-Schlüssel ID A25BAE09
gpg: Korrekte Unterschrift von "Linux Mint ISO Signing Key <root@linuxmint.com>"
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
installation-file lmde2 GPG-signature not trustable?
Forum rules
LMDE 2 has reached end of support as of 1-1-2019
LMDE 2 has reached end of support as of 1-1-2019
installation-file lmde2 GPG-signature not trustable?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: installation-file lmde2 GPG-signature not trustable?
In short: If the fingerprint matches with the published value, all is good.
I wrote some time ago a little technical explanation, why the warning about the missing trusted signature comes up. It might help you to understand, what is going on - and that the download after verifying the fingerprint of the gpg-key is perfectly trustful.
I wrote some time ago a little technical explanation, why the warning about the missing trusted signature comes up. It might help you to understand, what is going on - and that the download after verifying the fingerprint of the gpg-key is perfectly trustful.
-
- Level 7
- Posts: 1517
- Joined: Wed Jul 31, 2013 6:29 pm
- Location: Kalamazoo, MI
Re: installation-file lmde2 GPG-signature not trustable?
interesting discussion
one of the things a hacker would have to do is to get every copy of our Signing Key.
with this in mind, I'll display my copy of the fingerprint for the Mint Sigining Key
this offers a small -- but not insignificant -- assurance that you have the right key for Mint ISO Signing.
when you are satisfied that you have the correct key go ahead and sign it, with your own key. this will clear the warning message for you. remember: when you sign the key it becomes _valid_. this means you're satisfied you have the right key. you don't assign trust to it -- that is used to authorize the key to help validate other keys for you.
one of the things a hacker would have to do is to get every copy of our Signing Key.
with this in mind, I'll display my copy of the fingerprint for the Mint Sigining Key
Code: Select all
$ gpg2 --fingerprint "Linux Mint ISO"
pub 4096R/A25BAE09 2016-06-07
Key fingerprint = 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
uid [ full ] Linux Mint ISO Signing Key <root@linuxmint.com>
when you are satisfied that you have the correct key go ahead and sign it, with your own key. this will clear the warning message for you. remember: when you sign the key it becomes _valid_. this means you're satisfied you have the right key. you don't assign trust to it -- that is used to authorize the key to help validate other keys for you.
¡Viva la Resistencia!
Re: installation-file lmde2 GPG-signature not trustable?
If you mean the private key (this is actully the only key that can be used for signing): There should exist only one and this has to be kept exclusively in the ownership of its creator - Clem in this case.mike acker wrote:one of the things a hacker would have to do is to get every copy of our Signing Key.
If you mean the public key: Public keys are meant to get distributed. They cannot get used for signing anything, only for verifying a signature. Besides that: If an attacker has one copy, he has actually all, except that the key had been updated by its owner, but the update had not been uploaded to all key-servers. Besides that exception all keys are identical. - So downloading a published public key does not give an advantage for an attacker. He could of course try to upload a faked key instead, but that is exactly the point, where the check for the fingerprint gets its meaning, because a faked key can never have the same fingerprint as the original key. If this would not be the case, gpg would be broken, but this is until now not possible.
-
- Level 7
- Posts: 1517
- Joined: Wed Jul 31, 2013 6:29 pm
- Location: Kalamazoo, MI
Re: installation-file lmde2 GPG-signature not trustable?
if i remember rightly, a while back attackers managed to update our download source links page, re-directing the downloads to a rogue site. in doing this they provided a bogus hash and signature to matchCosmo. wrote:If you mean the private key (this is actully the only key that can be used for signing): There should exist only one and this has to be kept exclusively in the ownership of its creator - Clem in this case.mike acker wrote:one of the things a hacker would have to do is to get every copy of our Signing Key.
{ /snip }
nothing prevents me from generating a key -- and claiming to be (e.g.) R.M.Nixon -- or Clem -- for that matter.
the safety is that I am satisfied that I have a correct copy of our MINT ISO signing key -- as I've checked the fingerprint on more than one occasion over time. based on this I've signed my copy of the key. as a result, I do not get the warning from PGP when I verify the signature
however: if some attacker tried again, like they did before -- to create their own iso, and generate a hash for it -- and sign it with a key claiming to the be Mint signing key -- then I'll get a PGP warning when I try to check the key. note: it is critical that I'm not getting all my info from one source. if I get the hash, and the signature, and the key fingerprint -- all from one source -- I'm just checking to see if ( x == x ).
¡Viva la Resistencia!
Re: installation-file lmde2 GPG-signature not trustable?
Surely such an attack is possible; I wrote this already 1 week ago. I said there also, why today a successful would be much harder to do than in the situation 2 years ago.
Later I published in the same thread a suggestion, which would also block this attack vector. Once a user has ensured, that he has an authentic Mint system, he can with the described technique verify the authenticity of a Mint iso download with the ke, which every Mint has on board (and this much more easy). With tthis the described scenario would not work for an attacker - at least not for users, who have already Mint, possibly also for users of other Linux distros.
Later I published in the same thread a suggestion, which would also block this attack vector. Once a user has ensured, that he has an authentic Mint system, he can with the described technique verify the authenticity of a Mint iso download with the ke, which every Mint has on board (and this much more easy). With tthis the described scenario would not work for an attacker - at least not for users, who have already Mint, possibly also for users of other Linux distros.
-
- Level 7
- Posts: 1517
- Joined: Wed Jul 31, 2013 6:29 pm
- Location: Kalamazoo, MI
Re: installation-file lmde2 GPG-signature not trustable?
thanks!! I'll have fun learning this!Cosmo. wrote:Surely such an attack is possible; I wrote this already 1 week ago. I said there also, why today a successful would be much harder to do than in the situation 2 years ago.
Later I published in the same thread a suggestion, which would also block this attack vector. Once a user has ensured, that he has an authentic Mint system, he can with the described technique verify the authenticity of a Mint iso download with the ke, which every Mint has on board (and this much more easy). With tthis the described scenario would not work for an attacker - at least not for users, who have already Mint, possibly also for users of other Linux distros.
from your reference:
yep! that would do it!!That means, that the needed gpg-key is already on board.
¡Viva la Resistencia!