On 2017-05-22 23:13, Jean-Philippe Ouellet wrote:
> On Tue, May 16, 2017 at 9:41 PM, Andrew David Wong <[email protected]> wrote:
>> On 2017-05-16 16:42, [email protected] wrote:
>>> I verified signature about qubes ISO file by gpg. Then I burned it to DVD.
>>> But I can't trust that DVD was burned without corruption.
>>> So I want to verify integrity against the DVD too.
>>>
>>> Does someone know how to verify signature against DVD?
>>>
>>>
>>> At the moment, I want my privacy to be protected.
>>> https://mytemp.email/
>>>
>>
>> I'm not aware of a method to gpg --verify an ISO directly from a DVD
>> after it has been burned, but you can re-create the ISO from the DVD,
>> [1] then gpg --verify the re-created ISO. [2]
>>
>>
>> [1]
>> https://www.thomas-krenn.com/en/wiki/Create_an_ISO_Image_from_a_source_CD_or_DVD_under_Linux
>>
>> [2] If you're worried that the re-created ISO might not truly represent
>> what's on the DVD because you're worried that your software environment
>> might be compromised and lying to you, then I'd point out that the same
>> compromised software environment could also lie to you about the results
>> of verifying the DVD directly.
>
> IIRC it is legal and works as expected to pass a block device as the
> file to be verified with gpg, e.g.
> $ gpg --verify Qubes-R3.2-x86_64.iso.asc /dev/sr0
>

I could never get it to work for some reason.

> However, I know I have just done:
> $ sudo cat /dev/sr0 | sha256sum -
> and compared against a known-good hash.
> or
> $ sudo head -c $((1024*1024*4)) /dev/sr0 | sha256sum -
> in the case of larger devices (like flash drives) which do not report
> a certain size (like burned DVDs), and then verified that the rest of
> the media is zeroes (dd skip=...) because I'm paranoid like that and
> don't know what might read past the end of intentionally written data
> and what parsers it might reach.
>
> I'm happy to be corrected, but I do not see the need for re-creating
> an ISO on your disk unless you find your DVD to be wrong and want to
> do some forensics.
>

I mean, either way you're reading the contents of the disc. It's just a
matter of whether you write them (back) to the disk or pipe them
directly to whichever program is doing the verification, right? I don't
see any meaningful security gain from piping directly, since a
compromised environment could still be lying to you. Since I make lots
of mistakes, though, I'd probably prefer to have it on the disk so that
I don't have to re-read the whole disc when I inevitably screw up the
verification step the first time.
:)

> Non-write-once media, or media with embedded computing capability and
> persistent and mutable state (like flash drives) have other concerns
> however.
>
> Cheers,
> Jean-Philippe
>

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
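
The check discussed in this thread, written out as an added example (not code from either poster or from the Qubes project): hash only the first N bytes of the media, where N is the size of an ISO already checked with gpg --verify, then confirm that everything after that offset is zero. The function name `verify_media` and its return codes are chosen here for illustration; the "device" argument can be /dev/sr0 or any readable file.

```shell
#!/usr/bin/env bash
# Added example: compare burned media against an ISO whose signature has
# already been verified. Names and return codes are hypothetical.
#
# verify_media ISO DEVICE
#   0  first size(ISO) bytes of DEVICE match ISO and the remainder is all zero
#   1  content mismatch (including media shorter than the ISO)
#   2  content matches, but non-zero bytes follow the image
#   3  ISO could not be read
verify_media() {
    local iso="$1" dev="$2" size want got extra

    size=$(wc -c < "$iso") || return 3
    size=$((size))                      # normalise any padding from wc

    want=$(sha256sum < "$iso" | cut -d' ' -f1)
    # Read exactly as many bytes as the ISO has. Media often reports a
    # larger size than the image (padding, or a bigger flash drive).
    got=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)

    if [ "$want" != "$got" ]; then
        echo "MISMATCH: media differs from ISO within the first $size bytes" >&2
        return 1
    fi

    # Count bytes after the image that are not NUL.
    extra=$(tail -c +"$((size + 1))" "$dev" | tr -d '\0' | wc -c)
    extra=$((extra))
    if [ "$extra" -ne 0 ]; then
        echo "WARNING: $extra non-zero bytes after the end of the image" >&2
        return 2
    fi

    echo "OK: $size bytes match the ISO; trailing area is all zeroes"
}
```

Typical use is `verify_media Qubes-R3.2-x86_64.iso /dev/sr0`; reading the raw device usually requires root.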
