Confusing "Verify your ISO image"

Vilsen
Level 5
Posts: 984
Joined: Thu Nov 16, 2017 4:45 am

Confusing "Verify your ISO image"

Post by Vilsen »

Totally confusing:

mate18@mate18-desktop ~/Skrivbord $ gpg --list-key --with-fingerprint A25BAE09
pub rsa4096 2016-06-07 [SC]
27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
uid [ okänt ] Linux Mint ISO Signing Key <root@linuxmint.com>

pub rsa1024 2014-01-26
1828 C98D 1C52 E20C 95DF B632 6ABA 455A A25B AE09
uid [ okänt ] Totally Legit Signing Key <mallory@example.org>

mate18@mate18-desktop ~/Skrivbord $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: Signatur gjord tor 25 jun 2020 11:57:17 CEST
gpg: med RSA-nyckeln 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
gpg: Korrekt signatur från "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
gpg: WARNING: This key is not certified with a reliable signature!
gpg: There is no indication that the signature belongs to the owner.
Primära nyckelns fingeravtryck: 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09
mate18@mate18-desktop ~/Skrivbord $
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
t42
Level 11
Posts: 3734
Joined: Mon Jan 20, 2014 6:48 pm

Re: Confusing "Verify your ISO image"

Post by t42 »

The line you should get if the signature verification is satisfying:
Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
and ignore the rest.
If you want to get rid of the warning lines (although there is no need for this) then
1. generate your own key-pair and sign LM key with your signature

    gpg --quick-generate-key vilsen@vilsen.net
2. sign (locally) LM key

    gpg --lsign-key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
3. The output of gpg --verify sha256sum.txt.gpg sha256sum.txt will change to something like

    gpg: Signature made Thu 08 Jul 2021 01:06:26 PM EEST
    gpg:                using RSA key 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
    gpg: checking the trustdb
    gpg: marginals needed: 3  completes needed: 1  trust model: pgp
    gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
    gpg: next trustdb check due at 2023-09-18
    gpg: Good signature from "Linux Mint ISO Signing Key <root@linuxmint.com>" [full]
-=t42=-
t42
Level 11
Posts: 3734
Joined: Mon Jan 20, 2014 6:48 pm

Re: Confusing "Verify your ISO image"

Post by t42 »

mate18@mate18-desktop ~/Skrivbord $ gpg --list-key --with-fingerprint A25BAE09

    pub   rsa4096 2016-06-07 [SC]
          27DE B156 44C6 B3CF 3BD7  D291 300F 846B A25B AE09
    uid           [    okänt    ] Linux Mint ISO Signing Key <root@linuxmint.com>

    pub   rsa1024 2014-01-26 [C]
          1828 C98D 1C52 E20C 95DF  B632 6ABA 455A A25B AE09
    uid           [    okänt    ] Totally Legit Signing Key <mallory@example.org>
This is a valid observation. If you're importing a key using the last eight digits you may import the wrong key.

    gpg --keyserver keyserver.ubuntu.com --recv-keys A25BAE09
    gpg: key 6ABA455AA25BAE09: public key "Totally Legit Signing Key <mallory@example.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
so you need to use the full fingerprint while importing keys

    gpg --keyserver keyserver.ubuntu.com --recv-keys 27DEB15644C6B3CF3BD7D291300F846BA25BAE09
    gpg: key 300F846BA25BAE09: public key "Linux Mint ISO Signing Key <root@linuxmint.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
and delete the malicious key:

    gpg --delete-keys "1828 C98D 1C52 E20C 95DF  B632 6ABA 455A A25B AE09"
    gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    pub  rsa1024/6ABA455AA25BAE09 2014-01-26 Totally Legit Signing Key <mallory@example.org>
    Delete this key from the keyring? (y/N) y

As I remember this short notation was used in the LM online manual as an alternative [EDIT] and still is not corrected:
Verify your ISO image

More on that collision attack here: Flaws with short IDs
-=t42=-
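The post above shows why a key fetched by its 8-hex-digit short ID can be the wrong one: both keys in the listing end in A25BAE09, and only the full 40-digit fingerprint tells them apart. The following script is an added example written for this thread, not code from the Linux Mint project or from any poster. It parses the machine-readable `gpg --with-colons --with-fingerprint --list-keys` output and accepts a key only when its full fingerprint matches the expected one, while reporting any other key in the keyring that shares the short ID. The listing in `SAMPLE_LISTING` is constructed by hand from the two keys shown in the thread (the creation timestamps and user-ID hashes are placeholder values; only the fields the parser reads are meaningful).

```python
"""Added example: check an imported OpenPGP key by full fingerprint, not short ID.

Input format: the colon-separated records that `gpg --with-colons --with-fingerprint
--list-keys` prints.  Field 1 is the record type; for 'pub' records field 3 is the key
size and field 5 the 16-hex-digit long key ID; for 'fpr' records field 10 is the full
fingerprint; for 'uid' records field 10 is the user ID.
"""

# Constructed sample listing (assumption): the two keys from the forum thread.
SAMPLE_LISTING = """\
pub:-:4096:1:300F846BA25BAE09:1465257300:::-:::scSC::::::23::0:
fpr:::::::::27DEB15644C6B3CF3BD7D291300F846BA25BAE09:
uid:-::::1465257300::0123456789ABCDEF0123456789ABCDEF01234567::Linux Mint ISO Signing Key <root@linuxmint.com>::::::::::0:
pub:-:1024:1:6ABA455AA25BAE09:1390737000:::-:::sc::::::23::0:
fpr:::::::::1828C98D1C52E20C95DFB6326ABA455AA25BAE09:
uid:-::::1390737000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Totally Legit Signing Key <mallory@example.org>::::::::::0:
"""

# The fingerprint published by the project, as the user would copy it from the guide.
EXPECTED_FPR = "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"


def normalize_fpr(text):
    """Strip the display spacing and upper-case so fingerprints compare byte-for-byte."""
    return "".join(text.split()).upper()


def parse_listing(text):
    """Group --with-colons records into one dict per primary key."""
    keys = []
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record == "pub":
            current = {"bits": int(fields[2]), "keyid": fields[4], "fpr": None, "uids": []}
            keys.append(current)
        elif record == "fpr" and current is not None:
            current["fpr"] = fields[9]
        elif record == "uid" and current is not None:
            current["uids"].append(fields[9])
    return keys


def short_id(fpr):
    """The 8-hex-digit short key ID is just the last 32 bits of the fingerprint."""
    return fpr[-8:]


def long_id(fpr):
    """The 16-hex-digit long key ID is the last 64 bits of the fingerprint."""
    return fpr[-16:]


def select_key(keys, expected_fpr):
    """Return the single key whose full fingerprint matches, else None."""
    want = normalize_fpr(expected_fpr)
    matches = [k for k in keys if k["fpr"] == want]
    return matches[0] if len(matches) == 1 else None


def colliding_keys(keys, expected_fpr):
    """Other keys in the keyring that would also answer to the expected short ID."""
    want = normalize_fpr(expected_fpr)
    return [k for k in keys if k["fpr"] != want and short_id(k["fpr"]) == short_id(want)]


def check_listing(text, expected_fpr):
    """Summarise whether the expected key is present and which keys share its short ID."""
    keys = parse_listing(text)
    key = select_key(keys, expected_fpr)
    decoys = colliding_keys(keys, expected_fpr)
    return {
        "ok": key is not None,
        "uid": key["uids"][0] if key else None,
        "decoys": [k["uids"][0] for k in decoys],
    }


if __name__ == "__main__":
    result = check_listing(SAMPLE_LISTING, EXPECTED_FPR)
    print("expected key present:", result["ok"], "->", result["uid"])
    for uid in result["decoys"]:
        print("WARNING: another key shares short ID", short_id(normalize_fpr(EXPECTED_FPR)), "->", uid)
```

Run against a real keyring with `gpg --with-colons --with-fingerprint --list-keys | python3 check_key.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`; the point of the check is that a short-ID match on its own is never treated as success.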
Vilsen
Level 5
Posts: 984
Joined: Thu Nov 16, 2017 4:45 am

Re: Confusing "Verify your ISO image"

Post by Vilsen »

So what you are saying is that all is "hunky-dory" then?

I DID DO what was found here:

https://linuxmint-installation-guide.re ... erify.html
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: Confusing "Verify your ISO image"

Post by JoeFootball »

Vilsen wrote: gpg: Korrekt signatur från "Linux Mint ISO Signing Key <root@linuxmint.com>" [unknown]
You're good.

Edit:
Linux Mint Installation Guide wrote: GPG might warn you that the Linux Mint signature is not trusted by your computer. This is expected and perfectly normal.
mmm
Level 4
Posts: 235
Joined: Sun Sep 03, 2017 6:57 am

Re: Confusing "Verify your ISO image"

Post by mmm »

I tend to use BitTorrent because I have read that checks are then done automatically.
Can someone confirm or deny this?
t42
Level 11
Posts: 3734
Joined: Mon Jan 20, 2014 6:48 pm

Re: Confusing "Verify your ISO image"

Post by t42 »

mmm wrote: Tue Dec 14, 2021 8:04 am I tend to use BitTorrent because I have read that checks are then done automatically.
Files downloaded by the torrent protocol are verified using the checksums of chunks which are stored in the .torrent file. This ensures that there is no corruption during download. Still, you can't verify the integrity of the source that way. That can be done only by verifying the signature of signed data and using the signed checksums for ISO verification.
-=t42=-