Gentoo Forums
Key signatures are not what they should be.
msulli1355
Apprentice


Joined: 24 Nov 2005
Posts: 179
Location: Oklahoma, USA

Posted: Wed Apr 27, 2016 10:00 pm    Post subject: Key signatures are not what they should be.

I'm trying (desperately) to install Gentoo on a new computer and move my files off this one before this one dies. The new machine is 64bit. Having never installed Gentoo on a 64bit (I've only worked with 32bit machines) I'm rather excited to see what it can do. After the new machine failed to boot two 64bit LiveDVDs I burned with the amd64 image on them, I wrote to one of my linux lists and a guy there said that he prefers booting off USB sticks. I followed all the instructions on

https://wiki.gentoo.org/wiki/LiveUSB/Guide

to make a bootable USB stick, but it wouldn't boot either on the new box. I remembered that someone on the other linux list said to make sure that the files are verified, so I looked up in the handbook how to verify the files.

After issuing several gpg commands, I found that the signatures are not what they should be.

Code:
michael@camille ~ $ gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0xBB572E0E2D182910
gpg: requesting key 2D182910 from hkp server hkps.pool.sks-keyservers.net
gpg: key 2D182910: "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
michael@camille ~ $ gpg --verify install-amd64-minimal-20160414.iso.DIGESTS.asc
gpg: Signature made Fri 15 Apr 2016 10:32:55 AM CDT using RSA key ID 2D182910
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
gpg: WARNING: not a detached signature; file 'install-amd64-minimal-20160414.iso.DIGESTS' was NOT verified!
michael@camille ~ $ grep -A 1 -i sha512 install-amd64-minimal-20160414.iso.DIGESTS.asc
# SHA512 HASH
ba28f6d8eab3d13c24ba825f1e739b9f3537a72796e261f6ea6c9e0a7c7a0f6d67ee8252c2a339cd5fe38315d83af0f19d562f333dcfd72b5ec7949547f993b8 install-amd64-minimal-20160414.iso
--
# SHA512 HASH
7424ef5c281d88c9ec73ac239a53b783034aa1d4a43c94ac2072167eaf4dbc16c3999d6d254a44d30a148c9e748a542404dc789e952ace33fa0f063d9d02e5a6 install-amd64-minimal-20160414.iso.CONTENTS
michael@camille ~ $

I got the files from https://www.gentoo.org/downloads/ What should I do?
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Wed Apr 27, 2016 11:23 pm    Post subject: Re: Key signatures are not what they should be.

msulli1355 wrote:
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]

msulli1355 ... so, the signature is "good".

msulli1355 wrote:
gpg: WARNING: This key is not certified with a trusted signature!

That is simply about 'trust' ... you don't know who the signature was created by.

msulli1355 wrote:
gpg: WARNING: not a detached signature; file 'install-amd64-minimal-20160414.iso.DIGESTS' was NOT verified!

You don't need both the *.DIGESTS.asc and the *.DIGESTS ...

The Gentoo Handbook wrote:
* A .DIGESTS.asc file that, like the .DIGESTS file, contains checksums of the stage file in different algorithms, but is also cryptographically signed to ensure it is provided by the Gentoo project.

You need to use the digest to verify the *.iso

Code:
# rm -f install-amd64-minimal-20160414.iso.DIGESTS
# gpg --verify install-amd64-minimal-20160414.iso.DIGESTS.asc
# sha512sum -c install-amd64-minimal-20160414.iso.DIGESTS.asc

HTH & best ... khay
msulli1355
Apprentice


Joined: 24 Nov 2005
Posts: 179
Location: Oklahoma, USA

Posted: Wed Apr 27, 2016 11:31 pm

So are you saying that this ISO file is legitimate? I couldn't really understand. If it's legitimate, then I don't need to notify anybody that it's not...
msulli1355
Apprentice


Joined: 24 Nov 2005
Posts: 179
Location: Oklahoma, USA

Posted: Wed Apr 27, 2016 11:35 pm

I don't think it is legitimate.

Code:
michael@camille ~ $ gpg --verify install-amd64-minimal-20160414.iso.DIGESTS.asc
gpg: Signature made Fri 15 Apr 2016 10:32:55 AM CDT using RSA key ID 2D182910
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
michael@camille ~ $ sha512sum -c install-amd64-minimal-20160414.iso.DIGESTS.asc
install-amd64-minimal-20160414.iso: OK
install-amd64-minimal-20160414.iso: FAILED
sha512sum: install-amd64-minimal-20160414.iso.CONTENTS: No such file or directory
install-amd64-minimal-20160414.iso.CONTENTS: FAILED open or read
sha512sum: install-amd64-minimal-20160414.iso.CONTENTS: No such file or directory
install-amd64-minimal-20160414.iso.CONTENTS: FAILED open or read
sha512sum: WARNING: 20 lines are improperly formatted
sha512sum: WARNING: 2 listed files could not be read
sha512sum: WARNING: 1 computed checksum did NOT match
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Thu Apr 28, 2016 12:09 am

msulli1355 wrote:
So are you saying that this ISO file is legitimate? I couldn't really understand. If it's legitimate, then I don't need to notify anybody that it's not...

msulli1355 ... the signature yes ... as far as the checksums are concerned what you need to compare is the hash, so from the above 'grep' the DIGESTS contains:

msulli1355 wrote:
# SHA512 HASH
ba28f6d8eab3d13c24ba825f1e739b9f3537a72796e261f6ea6c9e0a7c7a0f6d67ee8252c2a339cd5fe38315d83af0f19d562f333dcfd72b5ec7949547f993b8 install-amd64-minimal-20160414.iso

So, is this the same as the output of 'sha512sum install-amd64-minimal-20160414.iso' ... if it is then the iso is fine.

best ... khay
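The OK line followed by a FAILED line for the same ISO in the sha512sum run above, together with the "improperly formatted" warnings, comes from feeding sha512sum the whole clearsigned file: it holds the PGP armor lines, the "# SHA512 HASH" and "# WHIRLPOOL HASH" comments and a WHIRLPOOL digest for each file, and a WHIRLPOOL digest is also 128 hex characters, so sha512sum reads it as a SHA512 checksum and reports a mismatch. The script below is an added example, not from this thread and not Gentoo's own tooling; it does what khayyam describes (compare the SHA512 line for the .iso against a freshly computed sha512sum) but selects only the SHA512 entries first. The function names and the file layout it assumes (a "# SHA512 HASH" comment followed by one "hash  file" line) are my own.

```shell
#!/bin/sh
# Added example, not from the thread: verify a Gentoo ISO against only the
# SHA512 entries of its .DIGESTS.asc. That file is clearsigned text with PGP
# armor lines, "# SHA512 HASH" / "# WHIRLPOOL HASH" comments and two hash
# algorithms per file, so running `sha512sum -c` on the whole thing reports
# the ISO as OK (SHA512 line) and FAILED (WHIRLPOOL line) plus "improperly
# formatted" warnings for every non-checksum line.

# Print the "<hash>  <file>" line that follows each "# SHA512 HASH" comment.
# $1: path to the .DIGESTS.asc (or .DIGESTS) file
sha512_lines() {
    awk '
        /^# SHA512 HASH/ { want = 1; next }   # next checksum line is SHA512
        /^#/             { want = 0; next }   # any other comment ends the entry
        want && NF == 2  { print; want = 0 }  # exactly "hash file"
    ' "$1"
}

# Compare the SHA512 entry for one file with a freshly computed digest.
# $1: digest file, $2: file to check (its basename must appear in $1)
# Returns 0 on match, 1 on mismatch or when the file is not listed.
verify_sha512() {
    name=$(basename "$2")
    expected=$(sha512_lines "$1" | awk -v f="$name" '$2 == f { print $1; exit }')
    if [ -z "$expected" ]; then
        echo "$name: no SHA512 entry in $1" >&2
        return 1
    fi
    actual=$(sha512sum "$2" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (digest file says $expected, computed $actual)" >&2
    return 1
}

# Usage (file names from the thread):
#   sh verify-iso.sh install-amd64-minimal-20160414.iso.DIGESTS.asc install-amd64-minimal-20160414.iso
if [ $# -eq 2 ]; then verify_sha512 "$1" "$2"; fi
```

Run the `gpg --verify` step from khayyam's post before this one: the checksum only says the ISO matches the digest file, and the signature is what ties the digest file to Gentoo.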
CodeCodeCodeDurrr
n00b


Joined: 02 Jul 2016
Posts: 1

Posted: Sat Jul 02, 2016 11:23 pm

So why is it being signed without a trusted signature? That seems a bit janky.
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5761

Posted: Sun Jul 03, 2016 12:13 am

CodeCodeCodeDurrr wrote:
So why is it being signed without a trusted signature? That seems a bit janky.

Complain to the GnuPG authors for having stricter trust defaults than the web browser PKI (Do *you* trust those 200 CAs? Even Comodo and CNNIC? Have you verified them personally, or disabled the ones you don't? Of course not.)
jonathan183
Guru


Joined: 13 Dec 2011
Posts: 309

Posted: Sun Jul 03, 2016 12:20 am

CodeCodeCodeDurrr - you should take a look at the gnupg website, ask questions after that ... your system trusts a signature you tell it to trust ;)

Ed: there is a lot of difference in context between trusting an iso image for installing a system and trusting a website for a transaction. If the iso is compromised you cannot trust the system at all ... ever ;)
If a certificate is compromised that affects the website you use with your browser which uses that certificate. You can be shafted by both but the impact of being shafted by both is different ...

Having the option to check things out yourself rather than having a dumb-ass accept everything default is nice 8)
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 43178
Location: 56N 3W

Posted: Sun Jul 03, 2016 8:18 am

msulli1355,

There are two separate issues here.

The first is, did you get the ISO unchanged from the time it was signed. The answer is yes. Good Signature.

The second is, do you trust that the signer was who they claimed to be. That's much harder to answer. It depends on the 'web of trust' between you and the gpg key used to sign the ISO.
gnupg is warning that the 'web of trust' between you and the gpg key used to sign the ISO does not exist, or is not good enough.
As Ant P. said, why do you trust the CA root certificates you already have installed?

There is another more relevant question ... do you care if the signer was who they claimed to be?
For your online banking or online shopping, it matters and you implicitly trust the CA root certificates you have installed.
For the Gentoo ISO, you need to make up your own mind if it matters or not.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
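NeddySeagoon's two questions correspond to two separate checks. The first (is the file unchanged since it was signed) is what gpg's "Good signature" answers. For the second, an alternative to extending the web of trust to the releng key is to pin that key's full fingerprint, which gpg printed in the thread as "Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910", and to refuse any signature made by a different key. The script below is an added example, not from this thread or from Gentoo; it assumes the signing key is already imported and relies on the machine-readable status lines gpg emits with --status-fd (the VALIDSIG line, documented in GnuPG's doc/DETAILS). The fingerprint constant is copied from the thread, and a practitioner should confirm it against Gentoo's published release-key fingerprints before pinning it; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: pin the release-engineering key's full
# fingerprint instead of deciding how far the web of trust reaches. gpg's
# --status-fd output contains a VALIDSIG line whose third field is the full
# fingerprint of the key that made the signature; that is what we compare.
# The constant below is the fingerprint gpg printed in the thread; confirm it
# against Gentoo's published release-key fingerprints before relying on it.
EXPECTED_FPR="13EBBDBEDE7A12775DFDB1BABB572E0E2D182910"

# Read gpg status lines on stdin; exit 0 only if a VALIDSIG line names the
# fingerprint given as $1 (spaces and case are ignored). Short key IDs such as
# 2D182910 are deliberately not accepted: they are not unique.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($3) == want { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Verify a clearsigned .DIGESTS.asc and require the pinned key.
# $1: path to the .DIGESTS.asc; the key must already be in the keyring.
# Human-readable gpg messages still go to stderr; status lines go to the pipe.
verify_digests_sig() {
    if gpg --batch --status-fd 1 --verify "$1" | check_status "$EXPECTED_FPR"; then
        echo "$1: signed by pinned key $EXPECTED_FPR"
        return 0
    fi
    echo "$1: no valid signature from the pinned key" >&2
    return 1
}

# Usage (file name from the thread):
#   sh check-sig.sh install-amd64-minimal-20160414.iso.DIGESTS.asc
if [ $# -eq 1 ]; then verify_digests_sig "$1"; fi
```

A "Good signature" from some other key, or a BADSIG, both leave the pipeline with a non-zero exit, so the script can sit in front of the checksum step and stop an install early. The web-of-trust warning stays on stderr; the decision is made on the fingerprint, not on the trust database.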
msulli1355
Apprentice


Joined: 24 Nov 2005
Posts: 179
Location: Oklahoma, USA

Posted: Sun Jul 03, 2016 2:23 pm

Actually the reason I asked this in the first place was because I was having trouble finding a Gentoo 64-bit LiveCD that booted for me. Eventually I gave up and used a Slack LiveUSB image, and then went through the Gentoo handbook to set up my system.
All times are GMT