How to verify an ISO image on Windows?

Hi, I have downloaded Manjaro and the SHA1 is OK. I would like to check the .sig file. I only have Windows 10 here, and I have gpg4win installed (Kleopatra, extension for the context menu …).
I have read the manual of GNUPG and your forums.
I have also read how to verify ISO images in the wiki.

Just a question in advance. maybe it is answered in manuals, but I ask here.
How do I know that the imported keys from the keyservers (GitLab etc.) are valid/trustworthy? In reality I cannot be 100% sure, correct? I just want to learn the theory behind this.
Any good explanations (website, youtube?)

Iso file and .sig file are in the same directory.
(translated from German)
Attempt 1:
I right-click the .iso file, choose “check and verify”, and end up with the result:
“Files cannot be checked. Signature created on … with unknown certificate. You can search for certificate on keyserver …”
“signature cannot be checked. No public key”

Attempt 2:
I downloaded manjaro.gpg (from gitlab) and imported it in kleopatra.
I still get a message:
“Files cannot be checked. Signature created on … with certificate Manjaro Build Server … You can search for certificate on keyserver …”

What Do I have to do now to be secure?

Thank you.

Probably the easiest way would be to use the SHA hash…
For some reason it looks like we publish sha1…
( see for example https://manjaro.org/downloads/official/kde/ )

Which means in windoze you can go to GnuPG - Download
And download Gpg4win.

Then you should be able to run through cmd :

CertUtil -hashfile filename.iso SHA1

As I mentioned, SHA1 is OK. I know that certutil command in Windows.

Why don’t you provide SHA256?
What about my core questions?

p7zip adds a hash check to the context menu of the Windows file manager.

But I need the SHA256 checksum anyway.

Yeah, oops.

No idea. SHA1 is virtually useless.

Thanks so far.
Could anyone please help out about verifying the .sig.

I think they explain how to do it on Windows in detail in Tails documentation.

@eugen-b No, they don’t. Useless for me. They say:

We removed the instructions to verify downloads with OpenPGP because: […] We still explain how to verify our signing key using the OpenPGP Web of Trust in the [installation instructions from Debian, Ubuntu, or Mint using the command line and GnuPG]

No Windows stuff.

Well bad luck, maybe ask on a Windows forum.

https://superuser.com/questions/1268544/how-to-verify-a-download-file-using-a-sig-file-and-public-key-in-windows-10

I know that, thanks. I have tried the command shell in windows via gpg command, but still a bit confused.

I use Get-FileHash in Windows PowerShell. But I don’t know about gpg.
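The whole procedure the thread is circling around, as an added example that is not part of the original posts or of Manjaro's documentation: a PowerShell script for Windows 10 with Gpg4win installed that checks the SHA256 hash with Get-FileHash, pins the fingerprint of the downloaded manjaro.gpg to a value obtained out of band, imports it, and verifies the detached .sig with gpg.exe. The file names and the two expected values are placeholders; the fingerprint must come from somewhere other than the download directory itself.

```powershell
# Added example, not from the thread or from Manjaro: verify a downloaded ISO on
# Windows 10 with the gpg.exe that Gpg4win installs. File names and both
# expected values are placeholders you fill in from a source other than the
# download itself (the HTTPS download page, the project's key page, a second device).
param(
    [string]$Iso                 = ".\manjaro.iso",
    [string]$Sig                 = ".\manjaro.iso.sig",
    [string]$KeyFile             = ".\manjaro.gpg",
    [string]$ExpectedSha256      = "<sha256 from the download page>",
    [string]$ExpectedFingerprint = "<40 hex digits of the publisher's signing key>"
)
$ErrorActionPreference = "Continue"   # gpg talks on stderr; don't turn that into exceptions
$ExpectedFingerprint = ($ExpectedFingerprint -replace '\s', '').ToUpperInvariant()

# 1. Integrity of the ISO against the published hash. SHA256, not SHA1.
$actual = (Get-FileHash -Path $Iso -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) { throw "SHA256 mismatch: file has $actual" }
"[ok] SHA256 matches the published value"

# 2. Look inside the downloaded key file BEFORE importing it (show-only) and pin
#    its primary fingerprint to the one you got out of band. A hash check alone
#    cannot do this: whoever can swap the ISO can swap the hash and the key too.
$listing = & gpg --batch --with-colons --import-options show-only --import $KeyFile 2>$null
$fprLine = $listing | Where-Object { $_ -like 'fpr:*' } | Select-Object -First 1
if (-not $fprLine) { throw "no OpenPGP key found in $KeyFile" }
$primaryFpr = $fprLine.Split(':')[9]   # field 10 of the first 'fpr' record is the primary key
if ($primaryFpr -ne $ExpectedFingerprint) { throw "key file fingerprint $primaryFpr does not match the expected one" }
& gpg --batch --import $KeyFile 2>$null
"[ok] key $primaryFpr imported"

# 3. Check the detached signature. --status-fd 1 gives parseable status lines on stdout.
$status = & gpg --batch --status-fd 1 --verify $Sig $Iso 2>$null
if ($LASTEXITCODE -ne 0) { throw "gpg --verify failed: bad signature, or no key for it" }
$validsig = $status | Where-Object { $_ -like '*] VALIDSIG *' } | Select-Object -First 1
# The last field of VALIDSIG is the primary fingerprint of the key that made the signature.
$signedBy = ($validsig -split ' ')[-1]
if ($signedBy -ne $ExpectedFingerprint) { throw "signature is valid but made by $signedBy, not the pinned key" }
$trust = (($status | Where-Object { $_ -like '*] TRUST_*' } | Select-Object -First 1) -split ' ')[1]
"[ok] signature valid, made by pinned key $signedBy (gpg trust level: $trust)"
```

Save it as a .ps1 and run it from the directory holding the three files, passing the hash and fingerprint as parameters. The trust level printed at the end will normally be TRUST_UNDEFINED, because gpg itself has not been told to trust that key; the fingerprint comparison in step 2 is what stands in for that missing trust, and it is only as good as the channel the fingerprint came from.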

Hi unixoid,

Your core question about validating imported public keys is a deep security topic, and it’s a really good question that not many people realize.

Your core question is a security topic of Proof of Identity, and this is closely related to the security topic of Authenticity.

What you’re doing by verifying the ISO with the GPG key manjaro.gpg from the Manjaro GitLab is the concept of Authenticity.

How you make sure that manjaro.gpg is really the public key from Manjaro (not tampered with during your download, and not just a fake public key) is the concept of Proof of Identity.

In the simplest explanation, you can achieve Proof of Identity by:

  • Having a trustworthy entity that has its own signature-verifying public key securely transferred (to be specific, not tampered with) to many computers.
  • Asking that entity to sign your public key (in this case, your public key is a signature-verifying public key) with the entity’s signature-signing private key.
  • The trustworthy entity checks your identity in real life, whether you are who you’re claiming to be (like checking your national identity card, etc.).
  • You upload your signed public key along with the computed signature to some server.
  • Other people download your signed public key with the signature.
  • Other people make sure your public key is really from you and hasn’t been tampered with in the download process by verifying the signature on your public key with the entity’s signature-verifying public key that has been securely transferred beforehand.

In modern computer systems, Proof of Identity is implemented as Public Key Infrastructure (PKI); the public key in PKI is in the form of a certificate. A certificate is a public key along with the user’s information and the information of the trustworthy entity (who signs the public key).

The trustworthy entity is called Certificate Authority (CA) and the trustworthy entity certificate (signature verifying public key) is called Certificate Authority (CA) Certificate.

Your certificate (your public key) is signed by the CA’s signature signing private key.

In Windows and GNU/Linux, these CA certificates are already there during the OS installation, whether you install from a live CD/USB or the OS is already there when you buy from an OEM. Windows and GNU/Linux are responsible for ensuring the CA certificates are transferred securely (to be specific, not tampered with) to the OS.

The web browser’s TLS protocol uses PKI to satisfy Proof of Identity of a target server.

Another Proof of Identity implementation is Web of Trust.

This is what GPG is based on.

In Web of Trust, the trusted entity can be any person and it’s up to you which persons you want to trust.

And anyone can ask anyone to sign their public key. It’s up to the signer how they validate your identity (ex by asking your national identity card, etc); whether you’re really who you’re claiming to be.

In reality, Web of Trust is kind of hard to implement; since the trusted entity is relative to anyone, this raises the question of how to securely transfer the trusted entity’s signature-verifying public key to your computer.

Web of Trust isn’t popular as far as I know and it’s only there in PGP.

So in your case that the verification message:

“Files cannot be checked. Signature created on … with certificate Manjaro Build Server … You can search for certificate on keyserver …”

means that gpg4win cannot verify the signature provided along with the manjaro.gpg; gpg4win cannot find the entity’s public key you trust.

Remember that gpg4win is a system of Web of Trust, not PKI.

I don’t remember how to perform these kind of Proof of Identity settings in GPG. Most of every day life, I use PKI system, like OpenSSL.

In general, you can just verify the Manjaro ISO with the manjaro.gpg without ever needing to verify the signature provided along with the manjaro.gpg. This is because when you download manjaro.gpg, you already use the Transport Layer Security (TLS) protocol to download it, and TLS already provides Proof of Identity (assuming it’s the Manjaro admin who uploads the correct manjaro.gpg key and not somebody else). The Proof of Identity from TLS has something to do with the web page you’re trying to connect to, and it has nothing to do with the downloaded gpg key; the web browser verifies the validity of the server you’re trying to connect to by CA certificates. But you can somewhat infer, with moderate confidence, that since the web page really comes from GitLab and Manjaro handles the key, the key is really from Manjaro and hasn’t been tampered with while you were downloading it (TLS 1.2 - 1.3 provides confidentiality, authenticity, integrity, and proof of identity).

Overall this is only an oversimplified explanation of TLS, Authenticity, Proof of Identity, Certificate, PKI, and Web of Trust. The topic itself is very big, and from my experience, not something you can easily learn from the internet (Wikipedia is the best so far for this topic). From my experience, this is something to be learnt from scattered textbooks and the daily work of a security professional.

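The chain of steps in the post above, played through with real gpg commands as an added example (not part of the post or of Manjaro's tooling): two throw-away keyrings under %TEMP%, an invented introducer who certifies an invented build-server key, and a verifier who first imports only the build key and then also the introducer's key. All names, addresses and files are made up for the demo; it needs only gpg.exe and gpgconf.exe from Gpg4win on the PATH and never touches your real keyring.

```powershell
# Added example, not from the thread or from Manjaro: a throw-away simulation of
# the "proof of identity" chain described above, run with gpg.exe from Gpg4win in
# two temporary keyrings so your real keyring is never touched.
# All names, e-mail addresses and file names are invented for the demo.
$ErrorActionPreference = "Continue"   # gpg writes progress on stderr; keep that from becoming exceptions
$work      = Join-Path $env:TEMP ("wot-demo-" + [guid]::NewGuid().ToString("N"))
$publisher = (New-Item -ItemType Directory -Path (Join-Path $work "publisher")).FullName  # build server + introducer
$you       = (New-Item -ItemType Directory -Path (Join-Path $work "you")).FullName        # the downloader

function Get-Fingerprint([string]$KeyringDir, [string]$Selector) {
    # --with-colons is the machine-readable listing; field 10 of the first 'fpr'
    # record is the primary key fingerprint.
    $lines = & gpg --homedir $KeyringDir --batch --with-colons --list-keys $Selector 2>$null
    return ($lines | Where-Object { $_ -like 'fpr:*' } | Select-Object -First 1).Split(':')[9]
}

function New-DemoKey([string]$KeyringDir, [string]$Name, [string]$Email) {
    # Unattended key generation; %no-protection means no passphrase, so no prompts.
    $params = @"
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: $Name
Name-Email: $Email
Expire-Date: 0
%commit
"@
    $file = Join-Path $KeyringDir "params.txt"
    [IO.File]::WriteAllText($file, $params)   # plain UTF-8; PowerShell's '>' would write UTF-16
    & gpg --homedir $KeyringDir --batch --gen-key $file 2>$null
    return Get-Fingerprint $KeyringDir $Email
}

function Get-TrustLevel([string]$KeyringDir, [string]$SigFile, [string]$DataFile) {
    # --status-fd 1 puts status lines on stdout: VALIDSIG means the signature is
    # mathematically valid, TRUST_* says how far gpg's trust model trusts the key.
    $status    = & gpg --homedir $KeyringDir --batch --status-fd 1 --verify $SigFile $DataFile 2>$null
    $valid     = [bool]($status | Where-Object { $_ -like '*] VALIDSIG *' })
    $trustLine = $status | Where-Object { $_ -like '*] TRUST_*' } | Select-Object -First 1
    $trust     = if ($trustLine) { ($trustLine -split ' ')[1] } else { "none" }
    return "valid=$valid trust=$trust"
}

# --- publisher side: a build-server key, and an introducer who vouches for it ---
$buildFpr = New-DemoKey $publisher "Demo Build Server" "build@example.test"
$introFpr = New-DemoKey $publisher "Demo Introducer"   "introducer@example.test"

# The introducer certifies (signs) the build-server key: the "ask the entity to sign your key" step.
& gpg --homedir $publisher --batch --yes --local-user $introFpr --quick-sign-key $buildFpr 2>$null

# The build server signs a stand-in "ISO" and publishes its key and the detached signature.
$iso = Join-Path $work "demo.iso"
[IO.File]::WriteAllText($iso, "not a real ISO, just demo bytes`n")
& gpg --homedir $publisher --batch --yes --local-user $buildFpr --output "$iso.sig" --detach-sign $iso 2>$null
& gpg --homedir $publisher --batch --yes --armor --output (Join-Path $work "build.gpg") --export $buildFpr 2>$null
& gpg --homedir $publisher --batch --yes --armor --output (Join-Path $work "intro.gpg") --export $introFpr 2>$null

# --- your side: import the "downloaded" build key and verify ---
& gpg --homedir $you --batch --import (Join-Path $work "build.gpg") 2>$null
"1) build key imported, nobody you trust has vouched for it: " + (Get-TrustLevel $you "$iso.sig" $iso)

# Now import the introducer's key (assumed to have reached you through a channel
# you trust) and mark it ultimately trusted (ownertrust value 6).
& gpg --homedir $you --batch --import (Join-Path $work "intro.gpg") 2>$null
"${introFpr}:6:" | & gpg --homedir $you --batch --import-ownertrust 2>$null
& gpg --homedir $you --batch --check-trustdb 2>$null
"2) introducer trusted, and it certified the build key:     " + (Get-TrustLevel $you "$iso.sig" $iso)

# Stop the per-keyring agents and remove the temporary keyrings.
foreach ($dir in $publisher, $you) { & gpgconf --homedir $dir --kill all 2>$null }
Remove-Item -Recurse -Force $work -ErrorAction SilentlyContinue
```

In gpg's default (pgp) trust model the first line reports a valid signature with TRUST_UNDEFINED: the math checks out, but no key gpg trusts has vouched for the signer. After the introducer's key is imported and marked ultimately trusted, the certification it placed on the build key gives that key full validity, and the second line reports TRUST_FULLY. Nothing in the script makes the introducer trustworthy; that decision is the out-of-band step the post describes, and it is the part no tool can do for you.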

Hi @JiaZhang !
I appreciate all your answers, especially yours, @JiaZhang .
Your answer was very time-consuming (for you), I guess. You are right, security is a difficult topic, very abstract. You reminded me that Manjaro is downloaded via HTTPS (secure); CentOS, e.g., only over HTTP with no key symbol in the browser.
I just wanted to learn, of course I trust the websites of manjaro.

Kind regards!