Re: [qubes-users] how to check integrity about DVD
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-05-22 23:13, Jean-Philippe Ouellet wrote: > On Tue, May 16, 2017 at 9:41 PM, Andrew David Wong wrote: >> On 2017-05-16 16:42, h...@e.shapoo.ch wrote: >>> I verified signature about qubes ISO file by gpg.Then I burned it to DVD. >>> But I can't trust that DVD was burned without corruption. >>> So I want to verify integrity against the DVD too. >>> >>> Is someone know how to verify signature against DVD? >>> >>> >>> At moment, I want my privacy to be protected. >>> https://mytemp.email/ >>> >> >> I'm not aware of a method to gpg --verify an ISO directly from a DVD >> after it has been burned, but you can re-create the ISO from the DVD, >> [1] then gpg --verify the re-created ISO. [2] >> >> >> [1] >> https://www.thomas-krenn.com/en/wiki/Create_an_ISO_Image_from_a_source_CD_or_DVD_under_Linux >> >> [2] If you're worried that the re-created ISO might not truly represent >> what's on the DVD because you're worried that your software environment >> might be compromised and lying to you, then I'd point out that the same >> compromised software environment could also lie to you about the results >> of verifying the DVD directly. > > IIRC it is legal and works as expected to pass a block device as the > file to be verified with gpg, e.g. > $ gpg --verify Qubes-R3.2-x86_64.iso.asc /dev/sr0 > I could never get it to work for some reason. > However, I know I have just done: > $ sudo cat /dev/sr0 | sha256sum - > and compared against a known-good hash. > or > $ sudo head -c $((1024*1024*4)) /dev/sr0 | sha256sum - > in the case of larger devices (like flash drives) which do not report > a certain size (like burned DVDs), and then verified that the rest of > the media is zeroes (dd skip=...) because I'm paranoid like that and > don't know what might read past the end of intentionally written data > and what parsers it might reach. > > I'm happy to be corrected, but I do not see the need for re-creating > an ISO on your disk unless you find your DVD to be wrong and want to > do some forensics. > I mean, either way you're reading the contents of the disc. It's just a matter of whether you write them (back) to the disk or pipe them directly to whichever program is doing the verification, right? I don't see any meaningful security gain from piping directly, since a compromised environment could still be lying to you. Since I make lots of mistakes, though, I'd probably prefer to have it on the disk so that I don't have to re-read the whole disc when I inevitably screw up the verification step the first time. :) > Non-write-once media, or media with embedded computing capability and > persistent and mutable state (like flash drives) have other concerns > however.\ > > Cheers, > Jean-Philippe > - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJZI8giAAoJENtN07w5UDAwpugP/RNrf1MQD34UhqENsuvbLcJx uI+MGYXcQLHLwdi42VdWnwQmwX6gcUISp3O58yFAcT7wRUL/5ZfatrtKyFiPlDAZ 3Y/EVXsvlnLMOuqkoKOpzIMH9vM8HjmBDr12PW2wsy2bKxHetkoKMWbkOZXNEjhk uldVde04/oX1U4aCgRLfICeYoGd66cgM+93IKTnRKf6p1gF8zAzx41NX6jskWYPx 9Q1cvm64ruAGuYNMobWJDyjQV7kni1iS35Y8ll1h4BAcUDDGoG1tM7239hW3KDPR PF7SBGZPn9XTzb2GqsphZOYeRNVE8C5JN6Ld8slfW1xhI9WYNo7IvddSYvlQfhdc 0pxXkG8WutknUZVXoKbtnl9Y4uIgpXPFQQHuPH2FOjN/C8T8v2vgFg5p6g5N8uls 4zbm+/TGh9I7Hb/2vILR5uR/uEx04P0l0dp2wHJF4Zkc4/MBM4XIRhk7HnlDAyLW pJhRRmLzLLUoiFq08kApp3NyMH/DImC4FyNLqvqWsaoddf4b/5lf64M6RATIkr/x 1zipb0k54/+T62IQLgPq24MdIFJk8p8XpMpn0nRhEOSRkmZfqOrN7NfNyeRGQVbt JU6TsoYcZW+Q5syBNCN22xbr0aJSfvw9+ccBisPKIV6heaEMsU85gJCZat6HTREI JMLhZEoUnrTxYXr3ieuI =nHiv -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cc3da9ba-160c-7039-c56e-ea8bdb0b5ab5%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] how to check integrity about DVD
On Tue, May 16, 2017 at 9:41 PM, Andrew David Wong wrote: > On 2017-05-16 16:42, h...@e.shapoo.ch wrote: >> I verified signature about qubes ISO file by gpg.Then I burned it to DVD. >> But I can't trust that DVD was burned without corruption. >> So I want to verify integrity against the DVD too. >> >> Is someone know how to verify signature against DVD? >> >> >> At moment, I want my privacy to be protected. >> https://mytemp.email/ >> > > I'm not aware of a method to gpg --verify an ISO directly from a DVD > after it has been burned, but you can re-create the ISO from the DVD, > [1] then gpg --verify the re-created ISO. [2] > > > [1] > https://www.thomas-krenn.com/en/wiki/Create_an_ISO_Image_from_a_source_CD_or_DVD_under_Linux > > [2] If you're worried that the re-created ISO might not truly represent > what's on the DVD because you're worried that your software environment > might be compromised and lying to you, then I'd point out that the same > compromised software environment could also lie to you about the results > of verifying the DVD directly. IIRC it is legal and works as expected to pass a block device as the file to be verified with gpg, e.g. $ gpg --verify Qubes-R3.2-x86_64.iso.asc /dev/sr0 However, I know I have just done: $ sudo cat /dev/sr0 | sha256sum - and compared against a known-good hash. or $ sudo head -c $((1024*1024*4)) /dev/sr0 | sha256sum - in the case of larger devices (like flash drives) which do not report a certain size (like burned DVDs), and then verified that the rest of the media is zeroes (dd skip=...) because I'm paranoid like that and don't know what might read past the end of intentionally written data and what parsers it might reach. I'm happy to be corrected, but I do not see the need for re-creating an ISO on your disk unless you find your DVD to be wrong and want to do some forensics. Non-write-once media, or media with embedded computing capability and persistent and mutable state (like flash drives) have other concerns however.\ Cheers, Jean-Philippe -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_AjWCoQG5-XtTMJb%3DuCkwN2o-tJJZMoThFgjyG%2BmXx4tA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] how to check integrity about DVD
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-05-16 16:42, h...@e.shapoo.ch wrote: > I verified signature about qubes ISO file by gpg.Then I burned it to DVD. > But I can't trust that DVD was burned without corruption. > So I want to verify integrity against the DVD too. > > Is someone know how to verify signature against DVD? > > > At moment, I want my privacy to be protected. > https://mytemp.email/ > I'm not aware of a method to gpg --verify an ISO directly from a DVD after it has been burned, but you can re-create the ISO from the DVD, [1] then gpg --verify the re-created ISO. [2] [1] https://www.thomas-krenn.com/en/wiki/Create_an_ISO_Image_from_a_source_CD_or_DVD_under_Linux [2] If you're worried that the re-created ISO might not truly represent what's on the DVD because you're worried that your software environment might be compromised and lying to you, then I'd point out that the same compromised software environment could also lie to you about the results of verifying the DVD directly. - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJZG6pOAAoJENtN07w5UDAwf7YP/R3gWzc2mW6GVsq2844zpg89 HhoskgCi3MZF3pdMYMjnteW8JFLUZf2e8+ow4XWmVu8IevnbDucjEm7WvNV3YnDh D0HFy0e1eujnqi4gCtYqpHtV+kWZ+zMho+LX4Dq29y2FHEpdmFWSx3Ga6LLpMnSN uI2XmjVp8Vw1cxJGkch8hyDnAbVOOOAMdPN5XBy35OfsJUAutSxFua7p7uu7EBgb BV2syv1UE+9Hqcy32Pwd2dvOM3ltVfXj8POQ0sBBovpm4ujW0A/aCvKSsJvyOIi9 Z0PqpudpkoxcBxPSLa/oPor6S2UQqJJeLoRPxjFJWThrfNbwKO6kn9jAfJgmdTQ+ /IduIrLYTw2tOoGMn0Cknj9D6/Z4QUdXp94+bKT+hfNFpo1Fp74AAIrHuM1PW4iJ J8xVm+3OUywEYbhbqIdk4TakrmZR5QSJi6jKVwIJTPruxRIswRM5w/C66KSzrdmg wCtgH5Ac1HwRhvaJjG44+/CPLlJlJhQy1MhjIWWX+1FHULunNSJyJs0h56790MBA Pwrwml9ifjGHRDmrsZKfNydVm4FEvTIHWBLjSjEPjs3z3Brzak56Imw3j4WlxFYp wPfCLUBrUTgLXt+UEWixmzUHio79y/cmnzZASoGsDR4vcv9mIgsngNsC37Dgc50r AceMgYRugTRLgUiNaBA6 =xE79 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fa0cecdd-df29-b31a-4928-1c8cee2f20ad%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] how to check integrity about DVD
I verified signature about qubes ISO file by gpg.Then I burned it to DVD. But I can't trust that DVD was burned without corruption. So I want to verify integrity against the DVD too. Is someone know how to verify signature against DVD? At moment, I want my privacy to be protected. https://mytemp.email/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1494970932337-322211b7-79bd7da6-a7257b48%40e.shapoo.ch. For more options, visit https://groups.google.com/d/optout.