Gentoo Forums
How to verify Gentoo downloads in MS Windows by gpg4win
midnite
Apprentice


Joined: 09 Apr 2006
Posts: 256
Location: Hong Kong

Posted: Tue Nov 17, 2015 2:31 am    Post subject: How to verify Gentoo downloads in MS Windows by gpg4win

In fact I have had several experiences of installing Gentoo. But this time I wish to verify the minimal installation CD ISOs in MS Windows (yes, I didn't do it before :P).

I followed the Installation Handbook until this step:

Quote:
Verifying the downloaded files

Through the .DIGESTS and .DIGESTS.asc files, the validity of the ISO file can be confirmed using the right set of tools. This verification is usually done in two steps:

First, the cryptographic signature is validated to make sure that the installation file is provided by the Gentoo Release Engineering team
If the cryptographic signature validates, then the checksum is verified to make sure that the downloaded file itself is not corrupted

Microsoft Windows based verification

On a Microsoft Windows system, chances are low that the right set of tools to verify checksums and cryptographic signatures are in place.

To first verify the cryptographic signature, tools such as GPG4Win can be used. After installation, the public keys of the Gentoo Release Engineering team need to be imported. The list of keys is available on the signatures page. Once imported, the user can then verify the signature of the .DIGESTS.asc file.

Important

This does not verify that the .DIGESTS file is correct, only that the .DIGESTS.asc file is. That also implies that the checksum should be verified against the values in the .DIGESTS.asc file, which is why the instructions above only refer to downloading the .DIGESTS.asc file.


The checksum itself can be verified using the Hashcalc application, although many others exist as well. Most of the time, these tools will show the user the calculated checksum, and the user is requested to verify this checksum with the value that is inside the .DIGESTS.asc file.


I have downloaded and installed GPG4Win (full install). After installation, how can I import the public keys of the Gentoo Release Engineering team to verify the downloads?

Sorry as I know this is quite a n00b question :?
_________________
i love meaningful forums. thats why i am here =]
kikko
Apprentice


Joined: 29 Apr 2014
Posts: 260
Location: Milan, IT

Posted: Tue Nov 17, 2015 12:45 pm

Hi midnite,
With gpg4win you can follow the instructions provided in https://www.gentoo.org/downloads/signatures/ using the MS CMD instead of the terminal.
Note that the GPG signature guarantees the integrity of the hashes inside the DIGEST file, not the downloaded files themselves.
Here is an example of what to do:
  • download the ISO/stage3 files with the CONTENT and DIGESTs
  • import the GPG keys
    Code:
    C:\Users\dir>gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0xBB572E0E2D182910

  • verify the signature
    Code:
    C:\Users\dir>gpg --verify install-amd64-minimal-20150924.iso.DIGEST.asc

    if you get
    Code:
    gpg: Good signature from "Gentoo Linux Release Engineering"
    signature is verified, you can trust hashes inside the message
  • verify the integrity using the SHA512 algorithm
    you can use "CertUtil", which is a preinstalled Windows tool that can do this job:
    Code:
    C:\Users\dir>certutil -hashfile install-amd64-minimal-20150924.iso SHA512
    You only have to delete surplus spaces... :roll:

Sure there are tons of better solutions (GPG4WIN should come with Kleopatra GUI, right? :wink: )

Regards
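The second step kikko describes, comparing the SHA512 values, can also be done by a small script that reads the hashes out of the signed .DIGESTS.asc rather than out of the unsigned .DIGESTS, which is the point of the Handbook's "Important" note quoted above. The Python below is an added example written for this page; it is not kikko's code or Gentoo's tooling. It assumes `gpg --verify` has already reported a good signature on the .asc (it does not check the signature itself), and the file names and the digest list built in `demo()` are constructed for the demonstration, with no real signature block.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Markers of a clearsigned file such as install-amd64-minimal-<date>.iso.DIGESTS.asc.
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
# One digest entry: "<hex>  <filename>" (two spaces, coreutils style).
ENTRY = re.compile(r"^([0-9a-fA-F]+)\s+(\S.*)$")


def signed_body(asc_text):
    """Return the message lines that the signature actually covers.

    The armor headers ("Hash: SHA512") and the blank line after them are
    dropped and dash-escaped lines ("- -foo") are unescaped, so the hashes
    are read from the signed text, never from an unsigned .DIGESTS file.
    """
    lines = asc_text.splitlines()
    if BEGIN_MSG not in lines or BEGIN_SIG not in lines:
        raise ValueError("not a clearsigned message")
    body = lines[lines.index(BEGIN_MSG) + 1:lines.index(BEGIN_SIG)]
    while body and body[0].strip():      # armor header lines
        body.pop(0)
    if body:                             # the blank separator line
        body.pop(0)
    return [line[2:] if line.startswith("- ") else line for line in body]


def parse_digests(asc_text, algorithm="SHA512"):
    """Map filename -> expected hex digest for one algorithm section.

    Gentoo lists several algorithms, each introduced by a comment line such
    as "# SHA512 HASH"; entries under any other section are ignored.
    """
    wanted, current = {}, None
    for line in signed_body(asc_text):
        if line.startswith("#"):
            words = line.lstrip("#").split()
            current = words[0].upper() if words else None
            continue
        m = ENTRY.match(line)
        if m and current == algorithm.upper():
            wanted[m.group(2).strip()] = m.group(1).lower()
    return wanted


def sha512_of(path, chunk=1 << 20):
    """Stream the file through SHA-512 so a multi-GB ISO need not fit in RAM."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_files(asc_text, directory):
    """Return {filename: "ok" | "MISMATCH" | "missing"} for every SHA512 entry.

    Anything other than "ok" means the download must not be used.
    """
    results = {}
    for name, expected in parse_digests(asc_text).items():
        target = Path(directory) / name
        if not target.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha512_of(target) == expected else "MISMATCH"
    return results


def demo():
    """Constructed sample (hypothetical file names, no real signature block):
    one file matches its digest, one was altered after signing, one is absent."""
    tmp = Path(tempfile.mkdtemp())
    good, bad, absent = "install-amd64-minimal-DEMO.iso", "stage3-DEMO.tar.bz2", "livedvd-DEMO.iso"
    (tmp / good).write_bytes(b"constructed iso contents\n")
    (tmp / bad).write_bytes(b"contents that were swapped after signing\n")
    asc = "\n".join([
        BEGIN_MSG,
        "Hash: SHA512",
        "",
        "# SHA512 HASH",
        f"{sha512_of(tmp / good)}  {good}",   # correct digest
        f"{'0' * 128}  {bad}",                # does not match the altered file
        f"{'1' * 128}  {absent}",             # listed but not downloaded
        "# WHIRLPOOL HASH",
        f"{'f' * 128}  {good}",               # other algorithm, skipped
        BEGIN_SIG,
        "(signature block omitted in this constructed sample)",
        "-----END PGP SIGNATURE-----",
    ])
    return verify_files(asc, tmp)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

Run against a real download, `verify_files(Path("install-amd64-minimal-20150924.iso.DIGESTS.asc").read_text(), ".")` reports every listed file, so a stage3 tarball and its CONTENTS file are checked in the same pass; the certutil route in kikko's post does one file at a time and leaves the comparison to the eye.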
midnite
Apprentice


Joined: 09 Apr 2006
Posts: 256
Location: Hong Kong

Posted: Wed Nov 18, 2015 2:35 am

kikko wrote:
Hi midnite,
With gpg4win you can follow the instructions provided in https://www.gentoo.org/downloads/signatures/ using the MS CMD instead of the terminal.
Note that the GPG signature guarantees the integrity of the hashes inside the DIGEST file, not the downloaded files themselves.
Here is an example of what to do:
  • download the ISO/stage3 files with the CONTENT and DIGESTs
  • import the GPG keys
    Code:
    C:\Users\dir>gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0xBB572E0E2D182910

  • verify the signature
    Code:
    C:\Users\dir>gpg --verify install-amd64-minimal-20150924.iso.DIGEST.asc

    if you get
    Code:
    gpg: Good signature from "Gentoo Linux Release Engineering"
    signature is verified, you can trust hashes inside the message
  • verify the integrity using the SHA512 algorithm
    you can use "CertUtil", which is a preinstalled Windows tool that can do this job:
    Code:
    C:\Users\dir>certutil -hashfile install-amd64-minimal-20150924.iso SHA512
    You only have to delete surplus spaces... :roll:

Sure there are tons of better solutions (GPG4WIN should come with Kleopatra GUI, right? :wink: )

Regards


Thanks Kikko! Thank you very much for your kind help!

It was my problem that I didn't think of using CMD in Windows. :roll:

I have verified all the way through, but I am getting some warnings; is there anything to worry about?

Code:
C:\Program Files (x86)\GNU\GnuPG>gpg2 --verify H:\download\Gentoo\Installation\install-amd64-minimal-20150924.iso.DIGESTS.asc
gpg: Signature made 09/25/15 09:49:27 China Standard Time using RSA key ID 2D182910
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
gpg: WARNING: not a detached signature; file 'H:\download\Gentoo\Installation\install-amd64-minimal-20150924.iso.DIGESTS' was NOT verified!

_________________
i love meaningful forums. thats why i am here =]
kikko
Apprentice


Joined: 29 Apr 2014
Posts: 260
Location: Milan, IT

Posted: Wed Nov 18, 2015 9:29 pm

Hi midnite,
Let's see...
  • Code:
    gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]

    This is the good part: the signature is OK, thus the content of the file has not been altered
  • Code:
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910

    This means you haven't chosen the level of trust for that GPG key, thus GnuPG doesn't know how much you trust the issuer (there are 5 levels of trust)
    You can do it on Kleopatra ("Other Certificates" tab) or using gpg directly in CMD
    Code:
    C:\somewhere\in\windowsland>gpg --edit-key [key id]
    gpg (GnuPG) 2.1.9; Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    [details about the key]

    gpg>trust
    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)

      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      5 = I trust ultimately
      m = back to the main menu

    Cosa hai deciso? 4


  • Code:
    gpg: WARNING: not a detached signature; file 'H:\download\Gentoo\Installation\install-amd64-minimal-20150924.iso.DIGESTS' was NOT verified!

    The latter indicates that a file named "install-amd64-minimal-20150924.iso.DIGESTS" was also in the same folder along with the .asc file you checked; no need to worry about that, since the verified content is in the .asc file

Regards
_________________
Regards

root is the root of all evil
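kikko's reading of the three messages can be turned into an automatic check. The Python below is an added example for this page, not code from the thread or from Gentoo: it takes the `gpg --verify` output midnite pasted as its sample input and accepts it only if a "Good signature" line is present and the "Primary key fingerprint" equals a pinned value. The pinned value used here is the fingerprint printed in midnite's output; in practice it is the one published at https://www.gentoo.org/downloads/signatures/. The two WARNING lines are explained rather than treated as failures, because a valid signature from an unexpected key, not a missing ownertrust setting, is the case that must be refused. The function names are the example's own.

```python
import re

# Fingerprint of the release key as printed in the thread; in practice pin the
# value published at https://www.gentoo.org/downloads/signatures/ and nothing else.
EXPECTED_FINGERPRINT = "13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910"

# The gpg --verify output quoted in the thread, used here as sample input.
SAMPLE_GPG_OUTPUT = r"""
gpg: Signature made 09/25/15 09:49:27 China Standard Time using RSA key ID 2D182910
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
gpg: WARNING: not a detached signature; file 'H:\download\Gentoo\Installation\install-amd64-minimal-20150924.iso.DIGESTS' was NOT verified!
""".strip("\n")


def normalize_fpr(fpr):
    """Strip grouping spaces and fold case so fingerprints compare byte for byte."""
    return re.sub(r"\s+", "", fpr).upper()


def assess_verify_output(output, expected_fpr):
    """Decide whether a gpg --verify run on a .DIGESTS.asc is acceptable.

    "Good signature" only proves the message matches *some* key; a signature
    from an unrelated key prints the same line. What ties it to the expected
    signer is the fingerprint matching the published one, so that comparison,
    not the ownertrust warning, is the gate.
    """
    lines = output.splitlines()
    good = any(l.startswith("gpg: Good signature from") for l in lines)
    bad = any("BAD signature" in l for l in lines)
    m = re.search(r"^Primary key fingerprint:\s*(.+?)\s*$", output, re.M)
    fpr = normalize_fpr(m.group(1)) if m else None
    fpr_ok = fpr is not None and fpr == normalize_fpr(expected_fpr)

    notes = []
    if "not certified with a trusted signature" in output:
        notes.append("ownertrust warning: the key is not in your web of trust; "
                     "informational once the fingerprint matches the published one")
    if "not a detached signature" in output and "NOT verified" in output:
        notes.append("the unsigned .DIGESTS beside the .asc was ignored; the hashes "
                     "inside the .asc are the ones the signature covers, so use those")
    if bad:
        notes.append("BAD signature: the .asc was altered or signs a different message")
    if good and not fpr_ok:
        notes.append("signature is valid but from a key whose fingerprint is not the pinned one")

    return {
        "good_signature": good and not bad,
        "fingerprint": fpr,
        "fingerprint_ok": fpr_ok,
        "accept": good and not bad and fpr_ok,
        "notes": notes,
    }


if __name__ == "__main__":
    verdict = assess_verify_output(SAMPLE_GPG_OUTPUT, EXPECTED_FINGERPRINT)
    print("ACCEPT" if verdict["accept"] else "REJECT")
    for n in verdict["notes"]:
        print(" -", n)
```

On midnite's output the verdict is ACCEPT with both warnings listed as notes; setting ownertrust in Kleopatra or with `gpg --edit-key` changes what gpg prints, not whether the download is genuine, which is why the fingerprint comparison is what the script keys on.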
midnite
Apprentice


Joined: 09 Apr 2006
Posts: 256
Location: Hong Kong

Posted: Thu Nov 19, 2015 2:35 am

Thank you very much, again!!

In the Kleopatra GUI, under the "Other Certificates" tab, I have changed "Change Owner Trust..." to "Full Trust". Then I verify again and the same warning is shown.

I check in the command line:

Code:
c:\Program Files (x86)\GNU\GnuPG>gpg2 --edit-key 2D182910
gpg (GnuPG) 2.0.29; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  4096R/2D182910  created: 2009-08-25  expires: 2017-08-25  usage: SC
                     trust: full          validity: unknown
[ unknown] (1). Gentoo Linux Release Engineering (Automated Weekly Release Key)
<releng@gentoo.org>

gpg> trust
pub  4096R/2D182910  created: 2009-08-25  expires: 2017-08-25  usage: SC
                     trust: full          validity: unknown
[ unknown] (1). Gentoo Linux Release Engineering (Automated Weekly Release Key)
<releng@gentoo.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 4

pub  4096R/2D182910  created: 2009-08-25  expires: 2017-08-25  usage: SC
                     trust: full          validity: unknown
[ unknown] (1). Gentoo Linux Release Engineering (Automated Weekly Release Key)
<releng@gentoo.org>

gpg> save
Key not changed so no update needed.

c:\Program Files (x86)\GNU\GnuPG>


And I verify again, and the same warning is still there.

In the command line, it says
Code:
validity: unknown


I wonder if this is the reason? How can I change the validity?

Regards.
_________________
i love meaningful forums. thats why i am here =]
kikko
Apprentice


Joined: 29 Apr 2014
Posts: 260
Location: Milan, IT

Posted: Fri Nov 20, 2015 7:05 pm

Hi midnite,
The "validity" is another check you can make on the key, "certifying" that the key is valid by signing it with your GPG key.

For a detailed explanation you can look here

Regards
_________________
Regards

root is the root of all evil