Re: [gentoo-user] ISO verification question.

2020-12-24 Thread David Haller
Hello,

On Thu, 24 Dec 2020, bobwxc wrote:
>With the cryptographic signature validated, next verify the checksum to make
>sure the downloaded ISO file is not corrupted. The .DIGESTS.asc file contains
>multiple hashing algorithms, so one of the methods to validate the right one
>is to first look at the checksum registered in the .DIGESTS.asc file. For
>instance, to get the SHA512 checksum:
>
>user $ grep -A 1 -i sha512 install-amd64-minimal-20141204.iso.DIGESTS.asc
[..]
>As both checksums match, the file is not corrupted and the installation can
>continue.

It's easier not to compare manually:

$ grep -A1 SHA512 install-iso.DIGESTS | sha512sum -c -

Analogously for whirlpool:

$ grep -A1 WHIRLPOOL install-iso.DIGESTS | whirlpool-hash -c -

HTH,
-dnh

-- 
To resist the influence of others, knowledge of one's self is
most important.   -- Teal'C, Stargate SG-1, 9x14 - Stronghold



Re: [gentoo-user] ISO verification question.

2020-12-24 Thread Michael
On Thursday, 24 December 2020 02:29:51 GMT Γιώργος Κωστόπουλος wrote:

> THANKS Michael for your help!!!
> 
> What confused me, was the "failed" results and the warnings of the
> sha512sum  command.
> 
> THANKS AGAIN for the clarification!!!  :-)
> G.

You're welcome.

The command 'sha512sum -c' you ran succeeded in checking any sha512 hashes in 
the file and reported "OK".  I just had a look at the contents of this file. 
The other lines, for which the sha512 check reports a "FAILED" warning use the 
whirlpool hash.  To check the whirlpool hashes of the files you can run:

whirlpool-hash -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc

The lines containing the sha512 hashes will now show "FAILED".  If you want to 
check all hashes in one go, you can use the rhash (Recursive  Hasher) command:

rhash -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc

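The checks discussed in this thread as one script, added here as an example and not part of any poster's message: it hash-checks only the entries under the `# SHA512 HASH` header, so the WHIRLPOOL entries (also 128 hex digits, which is why `sha512sum -c` tries them and prints FAILED) are never fed to `sha512sum`. The function names are hypothetical; it assumes GNU `sha512sum`, `awk`, and a `gpg` keyring that already holds the release key.

```shell
#!/bin/sh
# Added example. Usage once sourced (file name is a placeholder):
#   verify_release install-amd64-minimal-YYYYMMDD.iso.DIGESTS.asc

# Print the "<hash>  <file>" line that directly follows each "# <ALGO> HASH"
# header, and nothing else (no other algorithms, no PGP armor lines).
digest_entries() {   # usage: digest_entries ALGO FILE
    awk -v want="# $1 HASH" '
        take { take = 0; if (NF == 2) { print; next } }
        $0 == want { take = 1 }
    ' "$2"
}

# Check every SHA512 entry in a digest list. Returns 2 when the list has no
# SHA512 entries, so an empty selection is never mistaken for success.
check_sha512() {     # usage: check_sha512 DIGESTS_FILE
    entries=$(digest_entries SHA512 "$1")
    [ -n "$entries" ] || { echo "no SHA512 entries in $1" >&2; return 2; }
    printf '%s\n' "$entries" | sha512sum -c -
}

# Full procedure: have gpg write out only the text covered by the clearsign
# signature, then hash-check from that copy instead of from the raw .asc file.
# Assumption: the release key was imported and its fingerprint compared with
# the one published on the RelEng page.
verify_release() {   # usage: verify_release FILE.DIGESTS.asc
    signed=$(mktemp) || return 1
    if gpg --batch --yes --output "$signed" --decrypt "$1"; then
        (cd "$(dirname "$1")" && check_sha512 "$signed"); rc=$?
    else
        rc=1         # signature did not verify: do not trust the hashes
    fi
    rm -f "$signed"
    return "$rc"
}
```

`check_sha512` can also be pointed at the plain `.DIGESTS` file when no signature step is wanted.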


Re: [gentoo-user] ISO verification question.

2020-12-23 Thread bobwxc

On 2020/12/24 at 10:29 AM, Γιώργος Κωστόπουλος wrote:
> On Thu, 24 Dec 2020 at 2:34 AM, Michael wrote:
> >
> > Hi Γιώργος,
> >
> > On Wednesday, 23 December 2020 20:00:28 GMT Γιώργος Κωστόπουλος wrote:
> > > Hi!  :-)
> > >
> > > I just downloaded the minimal installation ISO and I was trying the
> > > verification instructions.
> > > I admit that I'm not any kind of gpg expert, so the results are
> > > somewhat confusing to me.
> > > Can someone shed some light on them?
> > >
> > > Here's console's output:
> > > >gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> > >
> > > gpg: Signature made Tue Dec 22 17:01:06 2020 EET
> > > gpg:using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
> > > gpg: Good signature from "Gentoo Linux Release Engineering (Automated
> > > Weekly Release Key) " [unknown]
> >
> > This is telling you the 'install-amd64-
> > minimal-20201222T005811Z.iso.DIGESTS.asc' file which contains hashes of the
> > various files listed in it, has a valid signature - i.e. the hashes of these
> > files have not been tampered with and they have been signed by the owner of
> > the Gentoo Release Engineering key.
> >
> > Have a look here for the published developer keys:
> >
> > https://wiki.gentoo.org/wiki/Project:RelEng
> >
> >
> > > gpg: WARNING: This key is not certified with a trusted signature!
> >
> > This is telling you the above public key has not been marked as trusted in
> > your own gpg keyring.
> >
> >
> > > gpg:  There is no indication that the signature belongs to the
> > > owner.
> >
> > This is to be expected, unless you have checked the fingerprint of the
> > imported key yourself against the keys published in the URL I provided above
> > and thereafter edited the key's level of trust to mark it as trusted in your
> > gpg keyring;  e.g. you'd need to run:
> >
> > gpg --edit-key 
> >
> > and follow the options available for this gpg subcommand to edit the key's
> > trust level.  This is not necessary for a key you'll only use once, as long as
> > you satisfy yourself the key fingerprint below matches what is published on
> > the RelEng project page.
> >
> >
> > > Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
> > > Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D
> > > gpg: WARNING: not a detached signature; file
> > > 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
> > >
> > > and:
> > > >sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> > >
> > > install-amd64-minimal-20201222T005811Z.iso: OK
> > > install-amd64-minimal-20201222T005811Z.iso: FAILED
> > > install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
> > > install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
> > > sha512sum: WARNING: 14 lines are improperly formatted
> > > sha512sum: WARNING: 2 computed checksums did NOT match
> > >
> > >
> > > TIA!  :-)
> > > Giorgos.
> > > .
> >
> > So the above output checked the sha512 hashes of all listed files and found
> > some to be correct - you can use 'install-amd64-minimal-20201222T005811Z.iso'
> > for your installation.  The failed checks above refer to a different hash e.g.
> > sha256.
> >
> > HTH.
>
> THANKS Michael for your help!!!
>
> What confused me, was the "failed" results and the warnings of the
> sha512sum  command.
>
> THANKS AGAIN for the clarification!!!  :-)
> G.

The handbook said,

With the cryptographic signature validated, next verify the checksum to
make sure the downloaded ISO file is not corrupted. The .DIGESTS.asc file
contains multiple hashing algorithms, so one of the methods to validate
the right one is to first look at the checksum registered in
the .DIGESTS.asc file. For instance, to get the SHA512 checksum:


user $ grep -A 1 -i sha512 install-amd64-minimal-20141204.iso.DIGESTS.asc

# SHA512 HASH
364d32c4f8420605f8a9fa3a0fc55864d5b0d1af11aa62b7a4d4699a427e5144b2d918225dfb7c5dec8d3f0fe2cddb7cc306da6f0cef4f01abec33eec74f3024
  install-amd64-minimal-20141204.iso
--
# SHA512 HASH
0719a8954dc7432750de2e3076c8b843a2c79f5e60defe43fcca8c32ab26681dfb9898b102e211174a895ff4c8c41ddd9e9a00ad6434d36c68d74bd02f19b57f
  install-amd64-minimal-20141204.iso.CONTENTS

In the above output, two SHA512 checksums are shown - one for
the install-amd64-minimal-20141204.iso file and one for its
accompanying .CONTENTS file. Only the first checksum is of interest, as it
needs to be compared with the calculated SHA512 checksum which can be
generated as follows:


user $ sha512sum install-amd64-minimal-20141204.iso

364d32c4f8420605f8a9fa3a0fc55864d5b0d1af11aa62b7a4d4699a427e5144b2d918225dfb7c5dec8d3f0fe2cddb7cc306da6f0cef4f01abec33eec74f3024
  install-amd64-minimal-20141204.iso

As both checksums match, the file is not corrupted and the installation 
can continue.



You just missed grepping the sha512 hash from the file :-)
so you got some results from unrelated lines.

--
bobwxc






Re: [gentoo-user] ISO verification question.

2020-12-23 Thread Γιώργος Κωστόπουλος
On Thu, 24 Dec 2020 at 2:34 AM, Michael wrote:
>
> Hi Γιώργος,
>
> On Wednesday, 23 December 2020 20:00:28 GMT Γιώργος Κωστόπουλος wrote:
> > Hi!  :-)
> >
> > I just downloaded the minimal installation ISO and I was trying the
> > verification instructions.
> > I admit that I'm not any kind of gpg expert, so the results are
> > somewhat confusing to me.
> > Can someone shed some light on them?
> >
> > Here's console's output:
> > >gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> >
> > gpg: Signature made Tue Dec 22 17:01:06 2020 EET
> > gpg:using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
> > gpg: Good signature from "Gentoo Linux Release Engineering (Automated
> > Weekly Release Key) " [unknown]
>
> This is telling you the 'install-amd64-
> minimal-20201222T005811Z.iso.DIGESTS.asc' file which contains hashes of the
> various files listed in it, has a valid signature - i.e. the hashes of these
> files have not been tampered with and they have been signed by the owner of
> the Gentoo Release Engineering key.
>
> Have a look here for the published developer keys:
>
> https://wiki.gentoo.org/wiki/Project:RelEng
>
>
> > gpg: WARNING: This key is not certified with a trusted signature!
>
> This is telling you the above public key has not been marked as trusted in
> your own gpg keyring.
>
>
> > gpg:  There is no indication that the signature belongs to the
> > owner.
>
> This is to be expected, unless you have checked the fingerprint of the
> imported key yourself against the keys published in the URL I provided above
> and thereafter edited the key's level of trust to mark it as trusted in your
> gpg keyring;  e.g. you'd need to run:
>
> gpg --edit-key 
>
> and follow the options available for this gpg subcommand to edit the key's
> trust level.  This is not necessary for a key you'll only use once, as long as
> you satisfy yourself the key fingerprint below matches what is published on
> the RelEng project page.
>
>
> > Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
> > Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D
> > gpg: WARNING: not a detached signature; file
> > 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
> >
> > and:
> > >sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> >
> > install-amd64-minimal-20201222T005811Z.iso: OK
> > install-amd64-minimal-20201222T005811Z.iso: FAILED
> > install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
> > install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
> > sha512sum: WARNING: 14 lines are improperly formatted
> > sha512sum: WARNING: 2 computed checksums did NOT match
> >
> >
> > TIA!  :-)
> > Giorgos.
> > .
>
> So the above output checked the sha512 hashes of all listed files and found
> some to be correct - you can use 'install-amd64-minimal-20201222T005811Z.iso'
> for your installation.  The failed checks above refer to a different hash e.g.
> sha256.
>
> HTH.

THANKS Michael for your help!!!

What confused me, was the "failed" results and the warnings of the
sha512sum  command.

THANKS AGAIN for the clarification!!!  :-)
G.



Re: [gentoo-user] ISO verification question.

2020-12-23 Thread Michael
Hi Γιώργος,

On Wednesday, 23 December 2020 20:00:28 GMT Γιώργος Κωστόπουλος wrote:
> Hi!  :-)
> 
> I just downloaded the minimal installation ISO and I was trying the
> verification instructions.
> I admit that I'm not any kind of gpg expert, so the results are
> somewhat confusing to me.
> Can someone shed some light on them?
> 
> Here's console's output:
> >gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> 
> gpg: Signature made Tue Dec 22 17:01:06 2020 EET
> gpg:using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
> gpg: Good signature from "Gentoo Linux Release Engineering (Automated
> Weekly Release Key) " [unknown]

This is telling you the 'install-amd64-
minimal-20201222T005811Z.iso.DIGESTS.asc' file which contains hashes of the 
various files listed in it, has a valid signature - i.e. the hashes of these 
files have not been tampered with and they have been signed by the owner of 
the Gentoo Release Engineering key.

Have a look here for the published developer keys:

https://wiki.gentoo.org/wiki/Project:RelEng


> gpg: WARNING: This key is not certified with a trusted signature!

This is telling you the above public key has not been marked as trusted in 
your own gpg keyring.


> gpg:  There is no indication that the signature belongs to the
> owner.

This is to be expected, unless you have checked the fingerprint of the 
imported key yourself against the keys published in the URL I provided above 
and thereafter edited the key's level of trust to mark it as trusted in your 
gpg keyring;  e.g. you'd need to run:

gpg --edit-key 

and follow the options available for this gpg subcommand to edit the key's 
trust level.  This is not necessary for a key you'll only use once, as long as 
you satisfy yourself the key fingerprint below matches what is published on 
the RelEng project page.


> Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
> Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D
> gpg: WARNING: not a detached signature; file
> 'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
> 
> and:
> >sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
> 
> install-amd64-minimal-20201222T005811Z.iso: OK
> install-amd64-minimal-20201222T005811Z.iso: FAILED
> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
> install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
> sha512sum: WARNING: 14 lines are improperly formatted
> sha512sum: WARNING: 2 computed checksums did NOT match
> 
> 
> TIA!  :-)
> Giorgos.
> .

So the above output checked the sha512 hashes of all listed files and found 
some to be correct - you can use 'install-amd64-minimal-20201222T005811Z.iso' 
for your installation.  The failed checks above refer to a different hash e.g. 
sha256.

HTH.



[gentoo-user] ISO verification question.

2020-12-23 Thread Γιώργος Κωστόπουλος
Hi!  :-)

I just downloaded the minimal installation ISO and I was trying the
verification instructions.
I admit that I'm not any kind of gpg expert, so the results are
somewhat confusing to me.
Can someone shed some light on them?

Here's console's output:
>gpg --verify install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
gpg: Signature made Tue Dec 22 17:01:06 2020 EET
gpg:using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
gpg: Good signature from "Gentoo Linux Release Engineering (Automated
Weekly Release Key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D
gpg: WARNING: not a detached signature; file
'install-amd64-minimal-20201222T005811Z.iso.DIGESTS' was NOT verified!
>
and:

>sha512sum -c install-amd64-minimal-20201222T005811Z.iso.DIGESTS.asc
install-amd64-minimal-20201222T005811Z.iso: OK
install-amd64-minimal-20201222T005811Z.iso: FAILED
install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: OK
install-amd64-minimal-20201222T005811Z.iso.CONTENTS.gz: FAILED
sha512sum: WARNING: 14 lines are improperly formatted
sha512sum: WARNING: 2 computed checksums did NOT match
>

TIA!  :-)
Giorgos.
.