Re: CD verification key question

2016-06-22 Thread Neil Williams
On Wed, 22 Jun 2016 17:42:36 + (UTC)
Grzegorz Bereta  wrote:

> Dear Sir or Madam,
> 
> I was trying to verify my Debian download following these
> instructions:
> 
> https://www.debian.org/CD/verify.en.html
> 
> and found the second part of the instructions (below) unclear:
> 
> "To ensure that the checksums files themselves are correct, use GnuPG
> to verify them against the accompanying signature files (e.g.
> MD5SSUMS.sign). The keys used for these signatures are all in the
> Debian GPG keyring and the best way to check them is to use that
> keyring to validate via the web of trust"
> 
> My understanding of the above is that I need keys to decipher the
> X.sign file so that I can compare it with the checksum file. Don't I
> need a KeyID to get the proper key? Where/how do I get it? 

0: You can simply use the checksums.
1: You can also verify the GnuPG signature without needing a GnuPG key
of your own with gpg --verify X.sign
2: You can verify the key used to make the GnuPG signature if you
already have a GnuPG key which is part of the web of trust.

GnuPG handles the .sign file, that stage does not need you to have a
GnuPG key. The signature itself does not contain anything you can
compare with the checksum file yourself. GnuPG verifies that the
checksum file is the same as it was when the signature was created and
provides information about the key used to make that signature. The
verification of that key is then down to your link into the GnuPG web
of trust.

Without a key of your own (or with a key which doesn't have a link into
the web of trust) you still get verification that the checksum file is
valid and that the signature is valid. The fingerprint of the key used
to create the signature is printed when gpg verifies the X.sign file.
This fingerprint can be verified by looking up the key on keyservers to
ensure that the fingerprint on the debian website is correct.

With MD5SUMS and MD5SUMS.sign in the same directory:

$ gpg --verify --verbose MD5SUMS.sign 
gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sun 05 Jun 2016 16:59:39 BST using RSA key ID 6294BE9B

From the website, the fingerprint of the key with the short ID 6294BE9B
is DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

(collapse the fingerprint, taking out the spaces)

$ gpg --keyserver keyring.debian.org --recv-key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: key 6294BE9B: public key "Debian CD signing key " imported
gpg: Total number processed: 1
gpg:   imported: 1  (RSA: 1)

If your key is not in the web of trust (or if you haven't updated your
local gpg trust settings since importing this key), you'll get:

$ gpg --verify MD5SUMS.sign 
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sun 05 Jun 2016 16:59:39 BST using RSA key ID 6294BE9B
gpg: please do a --check-trustdb
gpg: Good signature from "Debian CD signing key "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

My key is part of the web of trust (I've been fortunate enough to get
signatures from Steve and a few dozen other people in the Debian
keyring), so I can proceed to:

$ gpg --check-trustdb
$ gpg --verify MD5SUMS.sign 
gpg: assuming signed data in `MD5SUMS'
gpg: Signature made Sun 05 Jun 2016 16:59:39 BST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key "

Yes, the gpg interface is obscure and quite unhelpful. It is important
to receive keys using the full fingerprint, not the short key id which
is (sadly) all that gpg --verify outputs until the key has already been
imported.

Other steps you can do are:

$ gpg --recv-key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
(this just updates the key from other keyservers, in case it's been
revoked without being updated on keyring.debian.org)

You can google the fingerprint(s) from
https://www.debian.org/CD/verify.en.html which brings up a range of
sites giving you something like the above set of commands with a bit more 
background.
e.g.
https://linuxconfig.org/how-to-verify-an-authenticity-of-downloaded-debian-iso-images



-- 
Neil Williams
http://www.linux.codehelp.co.uk/





Re: CD verification key question

2016-06-22 Thread Steve McIntyre
On Wed, Jun 22, 2016 at 05:42:36PM +, Grzegorz Bereta wrote:
>Dear Sir or Madam,
>
>I was trying to verify my Debian download following these instructions:
>
>https://www.debian.org/CD/verify.en.html
>
>and found the second part of the instructions (below) unclear:
>
>"To ensure that the checksums files themselves are correct, use GnuPG
>to verify them against the accompanying signature files
>(e.g. MD5SSUMS.sign). The keys used for these signatures are all in
>the Debian GPG keyring and the best way to check them is to use that
>keyring to validate via the web of trust"
>
>My understanding of the above is that I need keys to decipher the X.sign file 
>so that I can compare it with the checksum file. Don't I need a KeyID to
>get the proper key? Where/how do I get it? 

In that same page, the keys are listed immediately below what you've
just quoted:

pub   4096R/64E6EA7D 2009-10-03
  Key fingerprint = 1046 0DAD 7616 5AD8 1FBC  0CE9 9880 21A9 64E6 EA7D
uid  Debian CD signing key 

pub   4096R/6294BE9B 2011-01-05
  Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid  Debian CD signing key 
sub   4096R/11CD9819 2011-01-05

pub   4096R/09EA8AC3 2014-04-15
  Key fingerprint = F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3
uid  Debian Testing CDs Automatic Signing Key 
sub   4096R/6BD05CFB 2014-04-15

-- 
Steve McIntyre, Cambridge, UK.    st...@einval.com
"Managing a volunteer open source project is a lot like herding
 kittens, except the kittens randomly appear and disappear because they
 have day jobs." -- Matt Mackall
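The procedure Neil walks through, pinned to the fingerprints Steve quotes from the verify page, as an added example that is not code from either reply or from Debian: the signature check reads gpg's machine-readable status output so that the decision rests on the full primary-key fingerprint and never on the short key ID. It assumes gpg and md5sum are on PATH and that the signing key has already been imported by full fingerprint; the MD5SUMS file name follows the thread.

```sh
#!/bin/sh
# Added example, not code from the thread or from Debian: pin the Debian CD
# signing keys by full fingerprint, verify the detached signature over a
# checksums file via gpg's status output, then check the ISO against it.
# Assumes gpg and md5sum are installed and the key was imported already.

# Primary-key fingerprints quoted in the thread from
# https://www.debian.org/CD/verify.en.html, with the spaces removed.
DEBIAN_CD_FPRS="10460DAD76165AD81FBC0CE9988021A964E6EA7D \
DF9B9C49EAA9298432589D76DA87E80D6294BE9B \
F41D30342F3546695F65C66942468F4009EA8AC3"

# Read `gpg --status-fd 1` output on stdin and print the primary-key
# fingerprint from the VALIDSIG line (field 12; field 3 on old gpg builds
# that omit it). Prints nothing if gpg reported no valid signature.
extract_valid_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print ($12 != "" ? $12 : $3) }'
}

# Succeed only if $1 is one of the pinned fingerprints.
fpr_is_pinned() {
    for f in $DEBIAN_CD_FPRS; do
        [ "$1" = "$f" ] && return 0
    done
    return 1
}

# verify_checksums_file MD5SUMS.sign: verify the signature over MD5SUMS and
# reject it unless the signer is a pinned key. "Good signature" alone is
# not enough; an unknown key can produce a perfectly good signature.
verify_checksums_file() {
    sig=$1
    data=${sig%.sign}
    fpr=$(gpg --status-fd 1 --verify "$sig" "$data" 2>/dev/null | extract_valid_fpr)
    [ -n "$fpr" ] || { echo "no valid signature over $data" >&2; return 1; }
    fpr_is_pinned "$fpr" || { echo "signed by unexpected key $fpr" >&2; return 1; }
    echo "$data: good signature from pinned key $fpr"
}

# check_iso ISO MD5SUMS: compare the ISO against its line in the checksums
# file, which must already have passed verify_checksums_file.
check_iso() {
    grep -F " $(basename "$1")" "$2" | md5sum -c -
}

# Usage: verify_checksums_file MD5SUMS.sign && check_iso debian.iso MD5SUMS
```

The same two functions work unchanged for SHA256SUMS and SHA512SUMS if md5sum is swapped for the matching sha*sum tool.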