Trying to verify signature of ISO is hell

One confusing point, does PGP, GPG and signature all mean the same thing?

First obstacle. Instructions for Linux on the Manjaro page are lacking. The guide mentions nothing at all about signatures/PGP, so all I have for a guide is:

"How to verify our install media

Please read the according chapter (from page 19 onwards) in our Manjaro Beginners Guide on how to verify your downloaded install media. Beginning with our 16.06.1 release, we also provide gpg verification. Therefore you need to get the developer signatures from Manjaro.

Example:

wget github.com/manjaro/packages-core/raw/master/manjaro-keyring/manjaro.gpg
gpg --import manjaro.gpg
gpg --verify manjaro-xfce-16.10.3-stable-x86_64.iso.sig

And https://wiki.manjaro.org/index.php?title=How-to_verify_GPG_key_of_official_.ISO_images
The first one is definitely too hard to understand, and the second one requires Linux to even try. I tried Cygwin as recommended in IRC, but the commands listed in the wiki do not work in Cygwin.

I have tried using these instructions here, using gpg4win.org, which was a program mentioned in IRC:
www.youtube.com/watch?v=Go7CBYWosLc
But I struggled with a few points of the video.
At 10:30 or so it talks about getting an email address for certificate extraction, but the ISO has no such tab/email address.
At 15:05 or so, it talks about comparing public keys for verifying the certificate; I see no such thing for the Manjaro ISO.

So if someone can please help me get the method mentioned in the video to work or tell me another way, it would be appreciated.


You could maybe try installing wget in cygwin; I do not see why that should not work. Also, now you are shifting the trust onto github.

Verify the ISO from Live USB.

rhg135, not sure what you mean, but none of the Linux instructions worked on Cygwin. And I don’t know what you mean with github.

Eugen, so use the install to verify the install? If the ISO IS compromised, wouldn’t that mean it would fake verifications too?

Can anyone please provide a bit more direct help? It is shocking how little everyone seems to know about this subject, surely some developers are hanging around that do these sigs that might know all about it? Please come visit! Is there perhaps a more direct way to contact them if they don’t come to the forums often?

No, it is too difficult to compromise GPG and the underlying mathematics.
You can update/reinstall the GPG package in the live environment to be sure.
Otherwise do some searching on how to check a signature in Windows; there must be plenty of tools for that.

Maybe the process itself is too difficult to compromise, but couldn’t someone know the PGP/GPG of their fake ISO and cause the output to give the same value? Or even just cause a “verified” screen when it’s not? How am I supposed to know differently, considering there are no keys to compare that I understand.

The process is such that you check the signature (.iso.sig file) which can only be made by the owner of the private key. If you apply the public key of the owner which is published on a trusted keyserver on a signature the numerical value of the .iso file will result. Only a matching public-private key pair will give the correct result. Therefore it is difficult to forge this. (You can read about Public Key Cryptography on Wikipedia, about RSA in particular. Honestly, I was amazed when I found out how it works. Also about possible attacks on it.)

What USB live program do you recommend for Manjaro?

From Windows: Rufus.

Ok Linux wiki needs more information. Like that you need to set terminal to location of sig and ISO. And you need to change the command to match the name of the ISO. No, it’s not obvious to everyone.

So I did exactly those two things. Using method 5.2 from wiki since that sounded more secure. I got the following error message.

gpg: assuming signed data in 'manjaro-kde-16.10.3-stable-x86_64.iso'
gpg: Signature made Sun 27 Nov 2016 11:53:35 AM UTC
gpg: using RSA key CAA6A59611C7F07E
gpg: issuer "philm@manjaro.org"
gpg: Can't check signature: No public key

I see an email address, though. Did no one know that for helping me earlier using the Windows YouTube method, or won’t that email addy work for that? Anyway, so what now, what am I doing wrong?

I agree with you. This is how I use to verify


Where do I get this fingerprint from?

If I get a selection of signatures available, which should I use? You kinda trailed off there or something.

In your case it is CAA6A59611C7F07E.

OK, so that is the fingerprint I should use, but if there are multiple sigs to choose from, which one should I choose?

Agree, for me too.
I just verify it with:
sha256sum manjaro-xfce-openrc-16.03-i686.iso

OK so Rufus is what I use for making a bootable USB, but I thought that was what was recommended for installing to hard drive from USB too. Can it do both? If so, can it do both from the same install? Or if not, what should I use to install Manjaro from the USB drive onto the SSD/hard drive, initially from Windows 7?

That’s what Linux Mint users used to do as well (if anything at all), until their website got hacked and ISOs replaced by infected ones.

I never had this case. Use the one which makes sense, then the verification should work and you will know that you got the right one. Otherwise, read how to purge a key and import the other one.

OK, maybe I misunderstood the issue, but I thought you are safe even in this case as long as signatures are not on the same server? The bad guy can replace the ISO but not the signatures, since they are coming from different sources?

  1. Download and verify the ISO. (done)
  2. Install and run Rufus.
  3. Select the ISO file in Rufus and the USB stick you want to write the ISO on.
  4. Reboot.
  5. Select in BIOS/UEFI to boot from USB stick. Save and exit.
  6. Boot with Manjaro USB to the live session.
  7. Launch the Installer from Applications Menu or Desktop or Welcome Window.
  8. Install to hard disk.

You might want to read the User Guide: https://downloads.sourceforge.net/manjarolinux/Manjaro-16.10.3-User-Guide.pdf It is also available on the live USB in the live session.

I was referring to SHA sums which were published with the fake release announcement and of course matched the fake ISO. SHA and MD5 sums are not signatures; they are called message digests (therefore MD).

The bad guy can replace a .iso.sig file, but you will not be able to verify it with Philm’s public key from keyserver. The bad guy can create a public key under the name of Philip Müller, but not from Phil’s email address. He can use a similar looking email, therefore keep your eyes open when you import a signature. You can also check for higher security that the found public key is signed by other trusted public keys - other Manjaro or Arch guys.

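As an added illustration of what the last two posts describe (this is not code from any poster or from Manjaro's docs), the script below runs the same gpg detached-signature check offline with throwaway keys in temporary keyrings. It assumes gpg 2.1 or newer is installed; the "ISO", the signer and the second key are all constructed stand-ins. It shows the three verdicts a verifier can get: GOODSIG for the file that was signed, BADSIG once the file is altered (the replaced-ISO case), and NO_PUBKEY when the signing key was never imported, which is exactly the error quoted earlier in the thread, not a sign that the ISO is bad.

```shell
#!/bin/sh
# Added demo: exercise gpg detached-signature verification with throwaway keys.
set -eu

newkey() {  # create an unprotected throwaway key in the keyring dir $1 with uid $2 (constructed)
  mkdir -m 700 "$1"
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$2" default default never
}

detach_sign() {  # $1 keyring, $2 file to sign, $3 output .sig (like Manjaro's .iso.sig)
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --detach-sign --output "$3" "$2"
}

classify() {  # $1 keyring, $2 .sig, $3 file: print the gpg status word that decides the verdict
  GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null \
      | grep -o -E 'GOODSIG|BADSIG|NO_PUBKEY' | head -n 1
}

verify_demo() {  # prints three words, expected: "GOODSIG BADSIG NO_PUBKEY"
  work=$(mktemp -d)
  printf 'constructed stand-in for an ISO image\n' > "$work/demo.iso"   # not a real ISO
  newkey "$work/signer"   'Demo Signer <signer@example.invalid>'   # the release-signer role
  newkey "$work/stranger" 'Other Key <other@example.invalid>'      # a key the verifier never imported
  detach_sign "$work/signer"   "$work/demo.iso" "$work/demo.iso.sig"
  detach_sign "$work/stranger" "$work/demo.iso" "$work/stranger.sig"

  # 1. Untouched file, signer's key imported: GOODSIG
  good=$(classify "$work/signer" "$work/demo.iso.sig" "$work/demo.iso")
  # 2. One byte appended (a replaced or corrupted image), same .sig: BADSIG
  printf 'X' >> "$work/demo.iso"
  bad=$(classify "$work/signer" "$work/demo.iso.sig" "$work/demo.iso")
  # 3. A .sig made with a key this keyring does not hold: NO_PUBKEY ("Can't check signature")
  nokey=$(classify "$work/signer" "$work/stranger.sig" "$work/demo.iso")

  GNUPGHOME="$work/signer"   gpgconf --kill all >/dev/null 2>&1 || true
  GNUPGHOME="$work/stranger" gpgconf --kill all >/dev/null 2>&1 || true
  rm -rf "$work"
  echo "$good $bad $nokey"
}

verify_demo
```

For a real download the same three outcomes apply: import the release key by its ID first, then `gpg --verify file.iso.sig file.iso` must report GOODSIG for the key you expect.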
