Gentoo Forums
Where can I find .asc files?
krotuss
Apprentice


Joined: 01 Aug 2008
Posts: 168

Posted: Sat Oct 05, 2019 5:52 pm    Post subject: Where can I find .asc files?

Hi,

I would like to install arm64 Gentoo on my Raspberry Pi 4. The wiki article brought me here, but there are no *.DIGEST.asc files present. How can I verify the integrity of the downloaded files to make sure that my device will not join the ranks of some botnet? Thanks.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 45383
Location: 56N 3W

Posted: Sat Oct 05, 2019 6:05 pm

krotuss,

Get a stage3 and its matching DIGESTS file.
The DIGESTS file will contain something like
Code:
# SHA512 HASH
74b780db76a090581e666a229769c7efe7ab927de0323efb28258815b67a33f22c5cc47d26391062fe083196e4b4d1f6605999e5406c893a94cda2b600b76a6a  stage3-arm64-20190613.tar.bz2
# WHIRLPOOL HASH
55b71e18840321321c1c23059bdab17d10e28f3939e4e06d62061f62cf7f920ae84cced4f2adf4ba86f78a0d92c095fb2fc6d96580e600e93e6672d061d020b0  stage3-arm64-20190613.tar.bz2
# SHA512 HASH
2e7ea5c88a4ab0961cfe2eceb52667d1d9c9d922031bc901ef87ede06858f7100cf64449f421328aae1a65ea037b4007d301596bed03961537e066b52c7abb3d  stage3-arm64-20190613.tar.bz2.CONTENTS
# WHIRLPOOL HASH
cca1e67cbc2dc0934c1745ef1e2e23e30f3b9ed92aecdcd0c22cc434a8b46f04065343b6b54afe6d9d40d81e309f27e8581d2f46ad731ffa1676bb35c6b59447  stage3-arm64-20190613.tar.bz2.CONTENTS


It's been a while, but something like
Code:
sha512sum -c <digest_file>
is what you need.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
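Added example, not part of the original posts: the DIGESTS files shown in this thread interleave SHA512 and WHIRLPOOL entries for the same file names, and a WHIRLPOOL digest has the same length as a SHA512 one, so the sketch below picks out only the lines under `# SHA512 HASH` before comparing. The function names are hypothetical, and it assumes `sha512sum` from coreutils and that the downloaded files sit next to the DIGESTS file.

```shell
#!/bin/sh
# Added example (not from the thread): verify only the SHA512 entries of a
# Gentoo-style DIGESTS file and skip listed files that were not downloaded.

# Print the "hash  filename" line that follows each "# SHA512 HASH" comment.
sha512_entries() {
    awk '/^# SHA512 HASH/ { want = 1; next }
         /^#/             { want = 0; next }
         want && NF >= 2  { print; want = 0 }' "$1"
}

# verify_sha512_digests DIGESTS_FILE
# Returns 0 only if at least one listed file is present next to DIGESTS_FILE
# and every present file matches its SHA512 entry.
verify_sha512_digests() {
    dir=$(dirname -- "$1")
    checked=0
    failed=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "SKIP  $name (not present)"
            continue
        fi
        actual=$(sha512sum -- "$dir/$name" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            echo "OK    $name"
        else
            echo "FAIL  $name"
            failed=$((failed + 1))
        fi
    done <<EOF
$(sha512_entries "$1")
EOF
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}
```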
krotuss
Apprentice


Joined: 01 Aug 2008
Posts: 168

Posted: Sat Oct 05, 2019 6:19 pm

Thanks, but the problem is that the DIGEST file can also be compromised, especially if it is downloaded from the same source. The purpose of the DIGEST.asc file is to provide a means to verify integrity using gpg:

From wiki:
Code:

user $ gpg --verify install-amd64-minimal-20141204.iso.DIGESTS.asc

gpg: Signature made Fri 05 Dec 2014 02:42:44 AM CET
gpg:                using RSA key 0xBB572E0E2D182910
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 45383
Location: 56N 3W

Posted: Sat Oct 05, 2019 6:39 pm

krotuss,

That's a different problem.
DIGESTS is compressed, DIGESTS.asc is not.

Going back to your trust issue
Code:
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
What would make you trust that gpg key?

I agree that both files can be compromised. Where does your trust start?
_________________
Regards,

NeddySeagoon

krotuss
Apprentice


Joined: 01 Aug 2008
Posts: 168

Posted: Sat Oct 05, 2019 6:59 pm

Both DIGEST and DIGEST.asc are plain ASCII text.
stage3-amd64-hardened+nomultilib-20191002T214502Z.tar.xz.DIGESTS:
Code:
# SHA512 HASH
14be4bdadac378ef667f3fb4df922425d68a8f97ed30f45c11571dc7d285988f93770fb6bf923b60c8749219e178df4cfe9b98c8de4817af17decf9a8df5fb89  stage3-amd64-hardened+nomultilib-20191002T214502Z.tar.xz
# WHIRLPOOL HASH
c745f88492f7f76e7300314073f55cdaa324e249cc675586f599f7cc73935e1deab7332f9d48788637dff8c3260a9404d10296f15dce7746776fad555dcfac00  stage3-amd64-hardened+nomultilib-20191002T214502Z.tar.xz
# SHA512 HASH
a67f59adfa96499fabb66b4e7fd4218e4ecb149a22af9ca4a6b0b0bdfd1d3d750273691b33ea5278f1c670a62053fcc3b9d7eec2363947796bf82afeaf0b6de8  stage3-amd64-hardened+nomultilib-20191002T214502Z.tar.xz.CONTENTS
# WHIRLPOOL HASH
734f8beaf9ac91e25192224a29d402b5ff6c65ae5a95cb82fcc40fecfc967732de6fc059e7797fdc2ecbd2b233e6df6e62c2df5a7acc8c561e87f618232e22d2  stage3-amd64-hardened+nomultilib-20191002T214502Z.tar.xz.CONTENTS


stage3-amd64-hardened+nomultilib-20191002T214502Z.tar.xz.DIGESTS.asc:
Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# SHA512 HASH
14be4bdadac378ef667f3fb4df922425d68a8f97ed30f45c11571dc7d285988f93770fb6bf923b60c8749219e178df4cfe9b98c8de4817af17decf9a8df5fb89  stage3-amd64-hardened+nomultilib-20191002T214502Z.tar.xz
# WHIRLPOOL HASH
c745f88492f7f76e7300314073f55cdaa324e249cc675586f599f7cc73935e1deab7332f9d48788637dff8c3260a9404d10296f15dce7746776fad555dcfac00  stage3-amd64-hardened+nomultilib-20191002T214502Z.tar.xz
# SHA512 HASH
a67f59adfa96499fabb66b4e7fd4218e4ecb149a22af9ca4a6b0b0bdfd1d3d750273691b33ea5278f1c670a62053fcc3b9d7eec2363947796bf82afeaf0b6de8  stage3-amd64-hardened+nomultilib-20191002T214502Z.tar.xz.CONTENTS
# WHIRLPOOL HASH
734f8beaf9ac91e25192224a29d402b5ff6c65ae5a95cb82fcc40fecfc967732de6fc059e7797fdc2ecbd2b233e6df6e62c2df5a7acc8c561e87f618232e22d2  stage3-amd64-hardened+nomultilib-20191002T214502Z.tar.xz.CONTENTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEU05CCatJ7uHBnZYWLERpXbn2BD0FAl2WRx4ACgkQLERpXbn2
BD2J2Qf9H3ofjDihDkBGFO8HHMn3U8WE1P2NAZnT1yWiqv+o3BqQBxN7TZfiwnyO
dmbDOS9JpiwCfKSrWT0IFxvn9pIsIMCvSTUucBxPkBvkyr2y32T8pmulXYVklMAE
0ImKES+oPY3+CUm47IFMeAwcsdbIojAs25EJ9Px/J2gmugS3q2Uw6NBHVNH1qADX
M4DHjC3piGJ2OTLJICP4vSyRI1UG3Elca2rcnL61eLIznCdpxCLyenV7Y1RiokH6
E8nC09H5Ypc/1bnrgvbrAi73LOUIRwHViYI3cnRkF0FA+b8DbIEhZJQz2W5zy3Xy
rLWAmjryxTWP6xxiLkcsCTfZnKjKXQ==
=VLOE
-----END PGP SIGNATURE-----


The fingerprint of the key in question is (should be) published on the gentoo.org website, which is https and (I assume) under Gentoo control. I understand that everything can be attacked and that there will always exist ultimate points of trust (like, in this case, Gentoo itself), but I would like to reduce (in this case by removing Oregon State University) the possible attack surface as much as possible.
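Added example, not part of the original posts: one way to turn the "where does your trust start" question into a check is to pin the signing key's fingerprint, obtained from a channel other than the mirror, and accept a `.asc` only when gpg's machine-readable status reports a good signature from exactly that key. The function names are hypothetical, GnuPG 2.x status output is assumed, and the sample status lines are constructed around the fingerprint quoted from the wiki earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): accept a signature only when gpg
# reports it good AND it comes from a fingerprint obtained out of band.

# Normalise a fingerprint: strip spaces, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# signature_pinned EXPECTED_FPR   (gpg status lines on stdin)
# Succeeds only if every signature is GOODSIG, none is bad/expired/revoked,
# and the last VALIDSIG field (primary key fingerprint) equals EXPECTED_FPR.
signature_pinned() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG"  { good++ }
        $2 == "VALIDSIG" { if ($NF == want) pinned++; else bad = 1 }
        END { exit !(good > 0 && pinned == good && !bad) }'
}

# verify_pinned FILE.asc EXPECTED_FPR: run gpg and apply the check above.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | signature_pinned "$2"
}

# Constructed status output for exercising the parser offline. Only the
# fingerprint comes from the thread; dates and other fields are made up.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BB572E0E2D182910 Gentoo Linux Release Engineering
[GNUPG:] VALIDSIG 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910 2014-12-05 1417743764 0 4 0 1 8 01 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
EOF
}
```

Once this check passes, take the hashes from the text gpg verified (for a clear-signed file, the output of `gpg --decrypt`) rather than from the separately downloaded DIGESTS file.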
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 45383
Location: 56N 3W

Posted: Sat Oct 05, 2019 7:32 pm

krotuss,

There are lots of other mirrors, that should be copies of the master mirror.
Try comparing DIGESTS from several sources.
If they are not identical, there is a problem somewhere.

There is another approach too. It's possible to cross compile enough arm64 to boot a Pi, so you don't actually need a stage3 tarball at all.
The cross compiling approach exposes problems you won't find any other way.
I've done it once as, at the time, there was no other way.
_________________
Regards,

NeddySeagoon
