On Tue, May 16, 2017 at 9:41 PM, Andrew David Wong <[email protected]> wrote: > On 2017-05-16 16:42, [email protected] wrote: >> I verified signature about qubes ISO file by gpg.Then I burned it to DVD. >> But I can't trust that DVD was burned without corruption. >> So I want to verify integrity against the DVD too. >> >> Is someone know how to verify signature against DVD? >> >> >> At moment, I want my privacy to be protected. >> https://mytemp.email/ >> > > I'm not aware of a method to gpg --verify an ISO directly from a DVD > after it has been burned, but you can re-create the ISO from the DVD, > [1] then gpg --verify the re-created ISO. [2] > > > [1] > https://www.thomas-krenn.com/en/wiki/Create_an_ISO_Image_from_a_source_CD_or_DVD_under_Linux > > [2] If you're worried that the re-created ISO might not truly represent > what's on the DVD because you're worried that your software environment > might be compromised and lying to you, then I'd point out that the same > compromised software environment could also lie to you about the results > of verifying the DVD directly.
IIRC it is legal and works as expected to pass a block device as the file to be verified with gpg, e.g. $ gpg --verify Qubes-R3.2-x86_64.iso.asc /dev/sr0 However, I know I have just done: $ sudo cat /dev/sr0 | sha256sum - and compared against a known-good hash. or $ sudo head -c $((1024*1024*4)) /dev/sr0 | sha256sum - in the case of larger devices (like flash drives) which do not report a certain size (like burned DVDs), and then verified that the rest of the media is zeroes (dd skip=...) because I'm paranoid like that and don't know what might read past the end of intentionally written data and what parsers it might reach. I'm happy to be corrected, but I do not see the need for re-creating an ISO on your disk unless you find your DVD to be wrong and want to do some forensics. Non-write-once media, or media with embedded computing capability and persistent and mutable state (like flash drives) have other concerns however.\ Cheers, Jean-Philippe -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_AjWCoQG5-XtTMJb%3DuCkwN2o-tJJZMoThFgjyG%2BmXx4tA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
