Re: Checking SHA256SUMS against SHA256SUMS.sign



On Wed, Feb 29, 2012 at 02:29:33AM +0700, Sthu Deus wrote:
Good time of the day.


I am trying to check the live CD SHA256SUMS against SHA256SUMS.sign:

under normal user:
gpg --verify SHA256SUMS.sign SHA256SUMS
gpg: directory `/home/__/gue/.gnupg' created
gpg: new configuration file `/home/__/gue/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/__/gue/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/__/gue/.gnupg/pubring.gpg' created
gpg: Signature made Mon 17 Oct 2011 07:55:55 PM GMT-7 using RSA key ID 6CA7B5A6
gpg: Can't check signature: public key not found


then by root user:

# gpg --recv-key --keyserver subkeys.pgp.net 6CA7B5A6 && gpg --verify ./SHA256SUMS.sign
gpg: requesting key 6CA7B5A6 from hkp server subkeys.pgp.net
gpg: key 6CA7B5A6: "Debian Live Signing Key <debian-live@xxxxxxxxxxxxxxxx>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: no signed data
gpg: can't hash datafile: file open error


Now, under normal user:

$ gpg --verify SHA256SUMS.sign SHA256SUMS
gpg: Signature made Mon 17 Oct 2011 07:55:55 PM GMT-7 using RSA key ID 6CA7B5A6
gpg: Good signature from "Debian Live Signing Key <debian-live@xxxxxxxxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 696F 95F0 88E4 D359 947F 7AEB 6F95 B499 6CA7 B5A6


So, how can I fix these 2 errors:

"gpg: no signed data
gpg: can't hash datafile: file open error"

Apparently, you've told GPG where to find the signature, but not which
file to verify.

Let's start from the top. Firstly, you shouldn't need root permissions
for any of this. By changing to root, you'll be adding the key to root's
keyring not your own.

OK. Start by issuing "gpg --verify SHA256SUMS.sign SHA256SUMS". You get
some warnings and then "Can't check signature: public key not found".
This is fine.

Next, "gpg --recv-key --keyserver subkeys.pgp.net 6CA7B5A6". This
fetches a key matching the signing key's fingerprint from a server.
Again, do this as yourself so that it's in YOUR keyring.

Finally, "gpg --verify SHA256SUMS.sign SHA256SUMS" will verify the
signature. As you saw, you get "Good Signature from ...". This means
that SHA256SUMS is identical in content to when it was signed; the file
has not been tampered with. However, as you don't trust the key you just
downloaded, you don't know who signed the file.


"gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner."

To trust a key, the following algorithm is used (by default):
1. You have signed the key
2. The key has been signed by one fully trusted key
3. The key has been signed by three marginally trusted keys.

This is known as the "Web of Trust". You don't have to directly trust
every key you use, but you can rely on the fidelity of other users.

The easiest way to do this is, clearly, then, to sign the key you just
downloaded. To do this:
1. Arrange a meeting with the owner of the key. Bring at least one
photo ID and a printed fingerprint of your own key.
2. Meet the key's owner face-to-face and, after verifying their
identity, exchange fingerprints.
3. Sign their key.
gpg --sign-key 6CA7B5A6
4. Upload the key back to the keyserver (so that other people who trust
you can now trust that key)
gpg --send-keys --keyserver subkeys.pgp.net 6CA7B5A6

Now, re-verifying the signature should confirm that you trust the
signature.

(Alternatively, if meeting up with the owner of the key is difficult,
you may find members of your local LUG have already signed the key and
you can use the marginal trust noted above).


--
Darac Marjal


Archive: http://lists.debian.org/20120229120002.GC8039@xxxxxxxxxxxx
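The default trust rules Darac lists above (one fully trusted signer, or three marginally trusted ones, and only signatures from keys that are themselves valid count), modelled as an added example that is not part of the original message. The key graph, the names ME/ALICE/BOB/CAROL/DAVE/LONE/ORPHAN/STRANGER and their owner-trust levels are constructed; only 6CA7B5A6 comes from the thread.

```python
# Added example (not from the original message): a model of the default
# GnuPG web-of-trust rules, run over a constructed set of keys.
# All key ids except 6CA7B5A6 (the Debian Live signing key) are made up.

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"

def compute_validity(owner_trust, signatures,
                     completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key_id: bool}: whether each key is considered valid.

    owner_trust: {key_id: level}  how far you trust that key's OWNER to
                 certify other keys (what "gpg --edit-key ... trust" sets).
    signatures:  {key_id: set(signer_ids)}  certifications on each key.
    A key becomes valid once it has completes_needed signatures from valid
    fully/ultimately trusted keys, or marginals_needed signatures from
    valid marginally trusted keys. A signature from a key that is not
    itself valid never counts, whatever owner trust it was given.
    """
    keys = set(owner_trust) | set(signatures)
    validity = {k: owner_trust.get(k) == ULTIMATE for k in keys}  # your own key
    for _ in range(max_depth):        # each pass extends chains by one hop
        changed = False
        for key, signers in signatures.items():
            if validity[key]:
                continue
            good = [s for s in signers if validity.get(s)]
            full = sum(owner_trust.get(s) in (ULTIMATE, FULL) for s in good)
            marg = sum(owner_trust.get(s) == MARGINAL for s in good)
            if full >= completes_needed or marg >= marginals_needed:
                validity[key] = changed = True
        if not changed:
            break
    return validity

# Constructed web: ME signed ALICE; ALICE (fully trusted) signed three
# LUG members; they (marginally trusted) each signed the Debian key.
OWNER_TRUST = {"ME": ULTIMATE, "ALICE": FULL,
               "BOB": MARGINAL, "CAROL": MARGINAL, "DAVE": MARGINAL}
SIGNATURES = {
    "ALICE": {"ME"},
    "BOB": {"ALICE"}, "CAROL": {"ALICE"}, "DAVE": {"ALICE"},
    "6CA7B5A6": {"BOB", "CAROL", "DAVE"},  # three marginal paths -> valid
    "LONE": {"BOB"},                        # one marginal path -> not valid
    "ORPHAN": {"STRANGER"},                 # signer not valid -> not valid
}

def demo():
    return compute_validity(OWNER_TRUST, SIGNATURES)

if __name__ == "__main__":
    for k, ok in sorted(demo().items()):
        print(f"{k:10} {'valid' if ok else 'NOT valid'}")
```

Raising marginals_needed to 4 makes 6CA7B5A6 drop back to "not valid" while the LUG members' keys, certified by a fully trusted key, stay valid.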


