Trying to verify signature of ISO is hell

The process is such that you check the signature (.iso.sig file), which can only be made by the owner of the private key. If you apply the public key of the owner, which is published on a trusted keyserver, to a signature, the numerical value of the .iso file will result. Only a matching public-private key pair will give the correct result. Therefore it is difficult to forge this. (You can read about Public Key Cryptography on Wikipedia, about RSA in particular. Honestly, I was amazed when I found out how it works. Also about possible attacks on it.)

What USB live program do you recommend for Manjaro?

From Windows: Rufus.

OK, the Linux wiki needs more information, like that you need to set the terminal to the location of the sig and ISO, and that you need to change the command to match the name of the ISO. No, it's not obvious to everyone.

So I did exactly those two things. Using method 5.2 from wiki since that sounded more secure. I got the following error message.

gpg: assuming signed data in 'manjaro-kde-16.10.3-stable-x86_64.iso'
gpg: Signature made Sun 27 Nov 2016 11:53:35 AM UTC
gpg: using RSA key CAA6A59611C7F07E
gpg: issuer "philm@manjaro.org"
gpg: Can't check signature: No public key

I see though an email address; did no one know that for helping me earlier using the Windows YouTube method, or won't that email addy work for that? Anyway, so what now, what am I doing wrong?

I agree with you. This is how I use to verify


Where do I get this fingerprint from?

If I get a selection of signatures available, which should I use? You kinda trailed off there or something.

In your case it is CAA6A59611C7F07E.

OK, so that is the fingerprint I should use, but if there are multiple sigs to choose from, which one should I choose?

Agree, for me too.
I just verify it with:
sha256sum manjaro-xfce-openrc-16.03-i686.iso

OK so Rufus is what I use for making a bootable USB, but I thought that was what was recommended for installing to hard drive from USB too. Can it do both? If so, can it do both from the same install? Or if not, what should I use to install Manjaro from a USB drive onto an SSD/hard drive, initially from Windows 7?

That’s what Linux Mint users used to do as well (if anything at all), until their website got hacked and ISOs replaced by infected ones.

I never had this case. Use the one which makes sense, then the verification should work and you will know that you got the right one. Otherwise, read how to purge a key and import the other one.

OK, maybe I misunderstood the issue, but I thought you are safe even in this case as long as the signatures are not on the same server? The bad guy can replace the ISO but not the signatures, since they are coming from different sources?

  1. Download and verify the ISO. (done)
  2. Install and run Rufus.
  3. Select the ISO file in Rufus and the USB stick you want to write the ISO on.
  4. Reboot.
  5. Select in BIOS/UEFI to boot from USB stick. Save and exit.
  6. Boot with Manjaro USB to the live session.
  7. Launch the Installer from Applications Menu or Desktop or Welcome Window.
  8. Install to hard disk.

You might want to read the User Guide: https://downloads.sourceforge.net/manjarolinux/Manjaro-16.10.3-User-Guide.pdf It is also available on the live USB in the live session.

I was referring to SHA sums which were published with the fake release announcement and of course matched the fake ISO. SHA and MD5 sums are not signatures, they are called message digests (therefore MD).

The bad guy can replace a .iso.sig file, but you will not be able to verify it with Philm’s public key from keyserver. The bad guy can create a public key under the name of Philip Müller, but not from Phil’s email address. He can use a similar looking email, therefore keep your eyes open when you import a signature. You can also check for higher security that the found public key is signed by other trusted public keys - other Manjaro or Arch guys.


In Rufus, do I choose “Create a bootable disk using ISO image” option?

I don't have Rufus installed, please refer to their How-To. But it sounds like it is the right option.

I see, thank you for the explanation.

Couldn’t a fake OS intercept whatever message from GPG and replace it with a “Good signature from…” message?

So I downloaded and installed into a live USB, Manjaro 64bit KDE. Then booted said live USB to verify the ISO.

Running gpg --search-keys FINGERPRINT results in a seemingly gibberish list of keys http://pastebin.com/1Qx9JaTc. Is that a red flag?

I ran pacman-key --list-keys as advised in IRC and got this http://pastebin.com/AK1qnNC6

So then I ran gpg --recv-keys E4CDFE50A2DA85D58C8A8C70CAA6A5961
and got:

gpg: /home/manjaro/.gnupg/trustdb.gpg: trustdb created
gpg: key CAA6A59611C7F07E: public key "Philip Müller (Called Little) philm@manjaro.org" imported
gpg: no ultimately trusted keys found

And then ran gpg --verify manjaro-kde-16.10.3-stable-x86_64.iso.sig
and got:

gpg: assuming signed data in 'manjaro-kde-16.10.3-stable-x86_64.iso'
gpg: Signature made Sun 27 Nov 2016 05:53:35 AM CST
gpg: using RSA key CAA6A59611C7F07E
gpg: issuer "philm@manjaro.org"
gpg: Good signature from "Philip Müller (Called Little) philm@manjaro.org" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E4CD FE50 A2DA 85D5 8C8A 8C70 CAA6 A596 11C7 F07E

Is this message about not being certified with a trusted signature, fine?


Yeah, everything is fine. You simply should have run:
gpg --search-keys CAA6A59611C7F07E
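The "not certified" warning and the lookalike-email point from earlier in this thread both come down to one check: does the primary fingerprint gpg reports match the one you pinned? The following is an added example, not code from the thread or from Manjaro: it evaluates gpg's machine-readable `--status-fd` records (formats as documented in GnuPG's DETAILS file) against the fingerprint printed above, using constructed sample records rather than output captured from a real run.

```python
from typing import Dict, List

# Primary fingerprint of the Manjaro signing key, as printed in the verify run above.
PINNED_FINGERPRINT = "E4CD FE50 A2DA 85D5 8C8A 8C70 CAA6 A596 11C7 F07E"

def parse_status(lines: List[str]) -> Dict[str, List[List[str]]]:
    """Group gpg --status-fd records by keyword; plain stderr text is ignored."""
    records: Dict[str, List[List[str]]] = {}
    for line in lines:
        if line.startswith("[GNUPG:] "):
            fields = line.split()[1:]
            records.setdefault(fields[0], []).append(fields[1:])
    return records

def verdict(lines: List[str], pinned: str = PINNED_FINGERPRINT) -> str:
    """'ok' only when gpg reports a VALIDSIG whose primary key matches the pin.

    TRUST_UNDEFINED (the '[unknown]' / 'not certified' warning) is deliberately
    not treated as a failure: the pinned fingerprint replaces web-of-trust
    certification. A GOODSIG line alone is never enough, because its user ID
    text can be copied by anyone who creates a key with a similar-looking address.
    """
    status = parse_status(lines)
    if "NO_PUBKEY" in status:
        return "no-public-key"        # the first run in this thread
    if "BADSIG" in status:
        return "bad-signature"        # ISO or .sig modified
    if "VALIDSIG" not in status:
        return "no-valid-signature"
    want = pinned.replace(" ", "").upper()
    for args in status["VALIDSIG"]:
        # VALIDSIG <sig-key fpr> <date> <ts> <expire> <ver> <rsv> <pk-algo> <hash-algo> <class> [<primary fpr>]
        primary = args[9] if len(args) > 9 else args[0]
        if primary.upper() == want:
            return "ok"
    return "wrong-key"                # valid signature, but not from the pinned key

# Constructed sample records (not captured from the thread), modelled on the run above.
FPR = PINNED_FINGERPRINT.replace(" ", "")
GOOD = [
    "[GNUPG:] GOODSIG CAA6A59611C7F07E Philip Müller (Called Little) <philm@manjaro.org>",
    f"[GNUPG:] VALIDSIG {FPR} 2016-11-27 1480247615 0 4 0 1 8 01 {FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
LOOKALIKE = [  # different key, similar-looking user ID; placeholder fingerprint
    "[GNUPG:] GOODSIG 0123456789ABCDEF Philip Müller (Called Little) <philm@manjaro.example>",
    f"[GNUPG:] VALIDSIG {'DEADBEEF' * 5} 2016-11-27 1480247615 0 4 0 1 8 01 {'DEADBEEF' * 5}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
NO_KEY = ["[GNUPG:] ERRSIG CAA6A59611C7F07E 1 8 01 1480247615 9 -", "[GNUPG:] NO_PUBKEY CAA6A59611C7F07E"]
BAD = ["[GNUPG:] BADSIG CAA6A59611C7F07E Philip Müller (Called Little) <philm@manjaro.org>"]
```

To feed it real output, run `gpg --status-fd 1 --verify file.iso.sig file.iso` and pass the captured lines to `verdict`.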

Couldn’t a fake OS intercept whatever message from GPG and replace it with a “Good signature from…” message inside the terminal? I mean couldn’t a fake OS just give whatever terminal message it wants?
