Re: cannot find public key for verifying SHASUM file for debian live iso
Regarding whether keys used to sign debian-live releases are present (or not) in debian-keyring.gpg or debian-role-keys.gpg:

On Mon, 11 Aug 2014, Francesco Ariis wrote:

> On Sun, Aug 10, 2014 at 10:34:21PM -0400, david...@ling.ohio-state.edu wrote:
>
> > | $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
> > | gpgv: armor: BEGIN PGP SIGNATURE
> > | gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
> > | :signature packet: algo 1, keyid DA87E80D6294BE9B
> > |         version 4, created 1406210061, md5len 0, sigclass 0x00
> > |         digest algo 8, begin of digest fc 43
> > |         hashed subpkt 2 len 4 (sig created 2014-07-24)
> > |         subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
> > |         data: [4096 bits]
> > | gpgv: assuming signed data in `SHA512SUMS'
> > | gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
> > | gpgv: Can't check signature: public key not found
> >
> > This was not the outcome I was hoping for, but I am not sure what to do next.
>
> Hello Wes,
> It seems the key ID 6294BE9B is found in /usr/share/keyring/debian-role-keys.gpg [1]; .iso should verify with that.
>
> I was thinking of writing a three line paragraph to make the wiki [2] more clear on the matter (i.e. provide the gpgv command with the specific file to pass to --keyring), but after reading this:
>
>     Official role keys have gradually replaced the use of personal keys belonging to developers. However, a decision was made not to go back and re-sign all the old releases that were already signed using the older keys.
>
> I am unsure whether Jessie and future releases will have their .iso signed by a key from debian-keyring.gpg or debian-role-keys.gpg. Can anyone shed light on the matter?

WRT debian-live, the thread below seems relevant.

https://lists.debian.org/debian-live/2014/04/msg4.html

Whether it casts light or shade is not clear to me.

By the way, the key for checking the sig below seems to be missing from both debian-keyring.gpg and debian-role-keys.gpg:

http://live.debian.net/cdimage/release/stable+nonfree/amd64/iso-hybrid/SHA512SUMS.sig

This, below, seems to be the key in question:

[from http://www.debian.org/CD/verify]

| To ensure that the checksums files themselves are correct, use GnuPG
| to verify them against the accompanying signature files
| (e.g. MD5SUMS.sign). The keys used for these signatures are all in
| the Debian GPG keyring and the best way to check them is to use that
| keyring to validate via the web of trust. To make life easier for
| users, here are the fingerprints for the keys that have been used for
| releases in recent years (with some UIDs removed for clarity):

[snipped some fingerprints/ids]

| pub   4096R/A9B26DF5 2014-01-03
|       Key fingerprint = 8A36 A2E8 91A5 C2A9 0DEB 7A8B 1239 00F2 A9B2 6DF5
| uid                  Live Systems Project <debian-l...@lists.debian.org>
| sub   4096R/D0125917 2014-01-03

[snipped some more fingerprints/ids]

I found this thread, which explains its absence from the keyring, for a certain interpretation of the term "explain":

https://lists.debian.org/debian-live/2014/03/msg00038.html

-wes

[1] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/debian-role-keys-gpg
[2] http://www.debian.org/CD/verify

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/alpine.deb.2.02.1408121805280.16...@brutus.ling.ohio-state.edu
Re: cannot find public key for verifying SHASUM file for debian live iso
On Tue, 12 Aug 2014, david...@ling.ohio-state.edu wrote:

> Regarding whether keys used to sign debian-live releases are present (or not) in debian-keyring.gpg or debian-role-keys.gpg:
>
> On Mon, 11 Aug 2014, Francesco Ariis wrote:
>
> > On Sun, Aug 10, 2014 at 10:34:21PM -0400, david...@ling.ohio-state.edu wrote:
> >
> > > | $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
> > > | gpgv: armor: BEGIN PGP SIGNATURE
> > > | gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
> > > | :signature packet: algo 1, keyid DA87E80D6294BE9B
> > > |         version 4, created 1406210061, md5len 0, sigclass 0x00
> > > |         digest algo 8, begin of digest fc 43
> > > |         hashed subpkt 2 len 4 (sig created 2014-07-24)
> > > |         subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
> > > |         data: [4096 bits]
> > > | gpgv: assuming signed data in `SHA512SUMS'
> > > | gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
> > > | gpgv: Can't check signature: public key not found
> > >
> > > This was not the outcome I was hoping for, but I am not sure what to do next.
> >
> > Hello Wes,
> > It seems the key ID 6294BE9B is found in /usr/share/keyring/debian-role-keys.gpg [1]; .iso should verify with that.
> >
> > I was thinking of writing a three line paragraph to make the wiki [2] more clear on the matter (i.e. provide the gpgv command with the specific file to pass to --keyring), but after reading this:
> >
> >     Official role keys have gradually replaced the use of personal keys belonging to developers. However, a decision was made not to go back and re-sign all the old releases that were already signed using the older keys.
> >
> > I am unsure whether Jessie and future releases will have their .iso signed by a key from debian-keyring.gpg or debian-role-keys.gpg. Can anyone shed light on the matter?
>
> WRT debian-live, the thread below seems relevant.
>
> https://lists.debian.org/debian-live/2014/04/msg4.html
>
> Whether it casts light or shade is not clear to me.
>
> By the way, the key for checking the sig below seems to be missing from both debian-keyring.gpg and debian-role-keys.gpg:
>
> http://live.debian.net/cdimage/release/stable+nonfree/amd64/iso-hybrid/SHA512SUMS.sig
>
> This, below, seems to be the key in question:
>
> [from http://www.debian.org/CD/verify]
>
> | To ensure that the checksums files themselves are correct, use GnuPG
> | to verify them against the accompanying signature files
> | (e.g. MD5SUMS.sign). The keys used for these signatures are all in
> | the Debian GPG keyring and the best way to check them is to use that
> | keyring to validate via the web of trust. To make life easier for
> | users, here are the fingerprints for the keys that have been used for
> | releases in recent years (with some UIDs removed for clarity):
>
> [snipped some fingerprints/ids]
>
> | pub   4096R/A9B26DF5 2014-01-03
> |       Key fingerprint = 8A36 A2E8 91A5 C2A9 0DEB 7A8B 1239 00F2 A9B2 6DF5
> | uid                  Live Systems Project <debian-l...@lists.debian.org>
> | sub   4096R/D0125917 2014-01-03
>
> [snipped some more fingerprints/ids]

Just for the record, I checked the sig in question as follows:

See what key ID I'm looking for:

  $ gpg --verify SHA512SUMS.sig
  gpg: Signature made Wed 16 Jul 2014 02:39:10 PM EDT using RSA key ID A9B26DF5
  gpg: Can't check signature: public key not found

Get the missing key:

  $ gpg --keyserver keys.gnupg.net --recv-keys A9B26DF5
  gpg: requesting key A9B26DF5 from hkp server keys.gnupg.net
  gpg: key A9B26DF5: public key "Live Systems Project <debian-l...@lists.debian.org>" imported
  gpg: no ultimately trusted keys found
  gpg: Total number processed: 1
  gpg:               imported: 1  (RSA: 1)

Check the sig:

  $ gpg --verify SHA512SUMS.sig
  gpg: Signature made Wed 16 Jul 2014 02:39:10 PM EDT using RSA key ID A9B26DF5
  gpg: Good signature from "Live Systems Project <debian-l...@lists.debian.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 8A36 A2E8 91A5 C2A9 0DEB 7A8B 1239 00F2 A9B2 6DF5

And then I compared the fingerprint in the output immediately above to the corresponding fingerprint posted at http://debian.org/CD/verify .

-wes

> I found this thread, which explains its absence from the keyring, for a certain interpretation of the term "explain":
>
> https://lists.debian.org/debian-live/2014/03/msg00038.html
>
> -wes
>
> [1] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/debian-role-keys-gpg
> [2] http://www.debian.org/CD/verify

Archive: https://lists.debian.org/alpine.deb.2.02.1408121928550.16...@brutus.ling.ohio-state.edu
cannot find public key for verifying SHASUM file for debian live iso
Good {evening,morning,afternoon}, fellow anglophones.

I am running Wheezy, and I plan to prepare a debian live cd using this file:

http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-7.6.0-amd64-standard.iso

Before doing this, however, I would like to verify the authenticity of the SHA512SUMS file which I believe I obtained from here:

http://live.debian.net/cdimage/release/stable/amd64/iso-hybrid/SHA512SUMS

And so, to that end, I downloaded...

http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS.sign

But I am stuck now, because I cannot find the corresponding public key, and don't know where to start looking for it.

What I have done so far: I installed the debian-keyring package, and then I ran this:

| $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
| gpgv: armor: BEGIN PGP SIGNATURE
| gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
| :signature packet: algo 1, keyid DA87E80D6294BE9B
|         version 4, created 1406210061, md5len 0, sigclass 0x00
|         digest algo 8, begin of digest fc 43
|         hashed subpkt 2 len 4 (sig created 2014-07-24)
|         subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
|         data: [4096 bits]
| gpgv: assuming signed data in `SHA512SUMS'
| gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
| gpgv: Can't check signature: public key not found

This was not the outcome I was hoping for, but I am not sure what to do next.

As mentioned above, I have installed the debian-keyring package, as advised here:

http://www.debian.org/./CD/verify

| To ensure that the checksums files themselves are correct, use GnuPG
| to verify them against the accompanying signature files
| (e.g. MD5SUMS.sign). The keys used for these signatures are all in
| the Debian GPG keyring http://keyring.debian.org/ [...]

But that last part does not appear to be correct. gpgv told me it could not find the public key that will verify the sig for the SHA512SUMS file. The reason seems to be that /usr/share/keyrings/debian-keyring.gpg does not contain the public key in question.

| [...] and the best way to check them is to use that keyring to
| validate via the web of trust.

I don't have the slightest idea what that last bit is supposed to mean, but I imagine it might not be important for my present goal.

The following, from the same page, looks relevant:

| To make life easier for users, here are the fingerprints for the
| keys that have been used for releases in recent years (with some
| UIDs removed for clarity):

[snipped some key ids/fingerprints]

| pub   4096R/6294BE9B 2011-01-05
|       Key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
| uid                  Debian CD signing key <debian...@lists.debian.org>
| sub   4096R/11CD9819 2011-01-05

[snipped some more key ids/fingerprints]

As far as I can tell, this is encouraging, but not conclusive. To authenticate the signature on the file in question, I believe I need the corresponding public key itself.

So, where can I obtain the public key one uses to verify the signature on the SHA512SUMS file for the debian live iso in question? Is there a way to use the information above to retrieve it?

I assume that this should not be a difficult task, but I am finding it rather difficult. If someone could help me figure out how to do this, I would be grateful.

Also, thank you for reading this far.

-wes

Archive: https://lists.debian.org/alpine.deb.2.02.1408102153430.22...@brutus.ling.ohio-state.edu
Re: cannot find public key for verifying SHASUM file for debian live iso
david...@ling.ohio-state.edu wrote:

> Good {evening,morning,afternoon}, fellow anglophones.
>
> I am running Wheezy, and I plan to prepare a debian live cd using this file:
>
> http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-7.6.0-amd64-standard.iso
>
> Before doing this, however, I would like to verify the authenticity of the SHA512SUMS file which I believe I obtained from here:
>
> http://live.debian.net/cdimage/release/stable/amd64/iso-hybrid/SHA512SUMS
>
> And so, to that end, I downloaded...
>
> http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS.sign
>
> But I am stuck now, because I cannot find the corresponding public key, and don't know where to start looking for it.
>
> What I have done so far: I installed the debian-keyring package, and then I ran this:
>
> | $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
> | gpgv: armor: BEGIN PGP SIGNATURE
> | gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
> | :signature packet: algo 1, keyid DA87E80D6294BE9B
> |         version 4, created 1406210061, md5len 0, sigclass 0x00
> |         digest algo 8, begin of digest fc 43
> |         hashed subpkt 2 len 4 (sig created 2014-07-24)
> |         subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
> |         data: [4096 bits]
> | gpgv: assuming signed data in `SHA512SUMS'
> | gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
> | gpgv: Can't check signature: public key not found
>
> This was not the outcome I was hoping for, but I am not sure what to do next.

I've always had good luck using the md5sum: open the console where the .iso is and type 'md5sum debian-live-7.6.0-amd64-standard.iso', it's fast and easy. :)

--
Jimmy Johnson

Debian-Live - Wheezy - KDE 4.8.4 - AMD64 - EXT4 at sda1
Registered Linux User #380263

Archive: https://lists.debian.org/53e82fe0.3050...@gmail.com
Re: cannot find public key for verifying SHASUM file for debian live iso
On Sun, Aug 10, 2014 at 10:34:21PM -0400, david...@ling.ohio-state.edu wrote:

> | $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
> | gpgv: armor: BEGIN PGP SIGNATURE
> | gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
> | :signature packet: algo 1, keyid DA87E80D6294BE9B
> |         version 4, created 1406210061, md5len 0, sigclass 0x00
> |         digest algo 8, begin of digest fc 43
> |         hashed subpkt 2 len 4 (sig created 2014-07-24)
> |         subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
> |         data: [4096 bits]
> | gpgv: assuming signed data in `SHA512SUMS'
> | gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
> | gpgv: Can't check signature: public key not found
>
> This was not the outcome I was hoping for, but I am not sure what to do next.

Hello Wes,
It seems the key ID 6294BE9B is found in /usr/share/keyring/debian-role-keys.gpg [1]; .iso should verify with that.

I was thinking of writing a three line paragraph to make the wiki [2] more clear on the matter (i.e. provide the gpgv command with the specific file to pass to --keyring), but after reading this:

    Official role keys have gradually replaced the use of personal keys belonging to developers. However, a decision was made not to go back and re-sign all the old releases that were already signed using the older keys.

I am unsure whether Jessie and future releases will have their .iso signed by a key from debian-keyring.gpg or debian-role-keys.gpg. Can anyone shed light on the matter?

[1] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/debian-role-keys-gpg
[2] http://www.debian.org/CD/verify
Re: cannot find public key for verifying SHASUM file for debian live iso
Hi Jimmy. Thank you for your reply. But please see below for comments.

On Sun, 10 Aug 2014, Jimmy Johnson wrote:

> david...@ling.ohio-state.edu wrote:
>
> > Good {evening,morning,afternoon}, fellow anglophones.
> >
> > I am running Wheezy, and I plan to prepare a debian live cd using this file:
> >
> > http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-7.6.0-amd64-standard.iso
> >
> > Before doing this, however, I would like to verify the authenticity of the SHA512SUMS file which I believe I obtained from here:

[snipped lots of stuff]

> > | gpgv: Can't check signature: public key not found
> >
> > This was not the outcome I was hoping for, but I am not sure what to do next.
>
> I've always had good luck using the md5sum: open the console where the .iso is and type 'md5sum debian-live-7.6.0-amd64-standard.iso', it's fast and easy. :)

And then, if you were going that route, you would compare the result of that command with the corresponding hash in some reference file, probably named something like MD5SUMS.

But, you might ask yourself, how do we know that the hashes in that reference file are from a trusted source? For that, you would look for a file called something like MD5SUMS.sig, which would be the result of signing MD5SUMS with someone's private key. You would then want to obtain the public keys of trusted sources, and then see which, if any, of those keys verified the signature in MD5SUMS.sig.

It is this step that I am stalled at. I'm using sha512sums, not md5sums, but I would still be stalled, your advice notwithstanding, if I were using md5sums.

I hope this clarifies what I am looking for.

-wes

Archive: https://lists.debian.org/alpine.deb.2.02.1408110004160.23...@brutus.ling.ohio-state.edu
Re: cannot find public key for verifying SHASUM file for debian live iso
On Mon, 11 Aug 2014, Francesco Ariis wrote:

> On Sun, Aug 10, 2014 at 10:34:21PM -0400, david...@ling.ohio-state.edu wrote:
>
> > | $ gpgv --keyring /usr/share/keyrings/debian-keyring.gpg -vv -- SHA512SUMS.sign
> > | gpgv: armor: BEGIN PGP SIGNATURE
> > | gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
> > | :signature packet: algo 1, keyid DA87E80D6294BE9B
> > |         version 4, created 1406210061, md5len 0, sigclass 0x00
> > |         digest algo 8, begin of digest fc 43
> > |         hashed subpkt 2 len 4 (sig created 2014-07-24)
> > |         subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
> > |         data: [4096 bits]
> > | gpgv: assuming signed data in `SHA512SUMS'
> > | gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
> > | gpgv: Can't check signature: public key not found
> >
> > This was not the outcome I was hoping for, but I am not sure what to do next.
>
> Hello Wes,
> It seems the key ID 6294BE9B is found in /usr/share/keyring/debian-role-keys.gpg [1]; .iso should verify with that.

Francesco, thank you! That worked much better:

| $ gpgv --keyring /usr/share/keyrings/debian-role-keys.gpg -vv -- SHA512SUMS.sign
| gpgv: armor: BEGIN PGP SIGNATURE
| gpgv: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
| :signature packet: algo 1, keyid DA87E80D6294BE9B
|         version 4, created 1406210061, md5len 0, sigclass 0x00
|         digest algo 8, begin of digest fc 43
|         hashed subpkt 2 len 4 (sig created 2014-07-24)
|         subpkt 16 len 8 (issuer key ID DA87E80D6294BE9B)
|         data: [4096 bits]
| gpgv: assuming signed data in `SHA512SUMS'
| gpgv: Signature made Thu 24 Jul 2014 09:54:21 AM EDT using RSA key ID 6294BE9B
| gpgv: Good signature from "Debian CD signing key <debian...@lists.debian.org>"
| gpgv: binary signature, digest algorithm SHA256

And the Debian CD signing key is a role key, of course. Makes perfect sense, in retrospect, when I read this:

/usr/share/doc/debian-keyring/README

| What the keyrings are
| ---------------------
[snip]
| o debian-role-keys.gpg
|
|   This is the keyring used to contain role account keys, such as
|   ftp-master (it contains the key used to sign the Release files
|   in the archive).

I am grateful for your help.

-wes

> I was thinking of writing a three line paragraph to make the wiki [2] more clear on the matter (i.e. provide the gpgv command with the specific file to pass to --keyring), but after reading this:
>
>     Official role keys have gradually replaced the use of personal keys belonging to developers. However, a decision was made not to go back and re-sign all the old releases that were already signed using the older keys.
>
> I am unsure whether Jessie and future releases will have their .iso signed by a key from debian-keyring.gpg or debian-role-keys.gpg. Can anyone shed light on the matter?
>
> [1] http://anonscm.debian.org/cgit/keyring/keyring.git/tree/debian-role-keys-gpg
> [2] http://www.debian.org/CD/verify

Archive: https://lists.debian.org/alpine.deb.2.02.1408110030190.23...@brutus.ling.ohio-state.edu
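Putting the thread's resolution together as one script (an added example, not code posted in the thread): it runs gpgv against debian-role-keys.gpg as in the working command above, but reads the machine-readable --status-fd output and requires the signer's fingerprint to equal the Debian CD signing key fingerprint quoted from http://www.debian.org/CD/verify, and only then checks the .iso against the now-trusted SHA512SUMS, which is the chain of trust described in the reply to Jimmy. The function names are mine; the keyring path and fingerprint are the ones quoted in the thread, and gpgv and sha512sum are assumed to be installed.

```shell
#!/bin/sh
# Verify a Debian live image: signature on SHA512SUMS first, image hash second.
# Added example; not from the thread. Keyring path and fingerprint are the ones
# the thread quotes from debian-keyring and http://www.debian.org/CD/verify.
set -eu

# "Debian CD signing key" fingerprint, written without spaces (40 hex digits).
DEBIAN_CD_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"
ROLE_KEYRING="/usr/share/keyrings/debian-role-keys.gpg"

# Drop spaces and upper-case hex so "DF9B 9C49 ..." and "df9b9c49..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read gpgv --status-fd lines on stdin; print the fingerprint from the VALIDSIG
# line (field 3), which gpgv emits only for a signature that verified.
signer_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# $1 = gpgv status text, $2 = expected fingerprint. Succeeds only if the
# signature verified AND was made by the expected key (GOODSIG alone is not
# enough: any key present in the keyring would produce one).
check_status() {
    fpr=$(printf '%s\n' "$1" | signer_fpr_from_status)
    [ -n "$fpr" ] || return 1
    [ "$(normalize_fpr "$fpr")" = "$(normalize_fpr "$2")" ]
}

# $1 = SHA512SUMS, $2 = SHA512SUMS.sign, $3 = path to the downloaded .iso
verify_image() {
    # Status lines go to fd 1; gpgv's human-readable chatter is discarded.
    status=$(gpgv --status-fd 1 --keyring "$ROLE_KEYRING" -- "$2" "$1" 2>/dev/null) || true
    if ! check_status "$status" "$DEBIAN_CD_FPR"; then
        echo "signature on $1 was not made by the Debian CD signing key" >&2
        return 1
    fi
    # The checksum list is now trusted; check only the image we downloaded.
    line=$(grep -- " $(basename "$3")\$" "$1") || {
        echo "no entry for $(basename "$3") in $1" >&2; return 1; }
    (cd "$(dirname "$3")" && printf '%s\n' "$line" | sha512sum -c -)
}

# Usage: verify.sh SHA512SUMS SHA512SUMS.sign debian-live-7.6.0-amd64-standard.iso
if [ "$#" -eq 3 ]; then
    verify_image "$@"
fi
```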