Trying to verify signature of ISO is hell

  1. Download and verify the ISO. (done)
  2. Install and run Rufus.
  3. Select the ISO file in Rufus and the USB stick you want to write the ISO on.
  4. Reboot.
  5. Select in BIOS/UEFI to boot from USB stick. Save and exit.
  6. Boot with Manjaro USB to the live session.
  7. Launch the Installer from Applications Menu or Desktop or Welcome Window.
  8. Install to hard disk.

You might want to read the User Guide: https://downloads.sourceforge.net/manjarolinux/Manjaro-16.10.3-User-Guide.pdf It is also available on the live USB in the live session.

I was referring to SHA sums which were published with the fake release announcement and of course matched the fake ISO. SHA and MD5 sums are not signatures, they are called message digests (therefore MD).

The bad guy can replace a .iso.sig file, but you will not be able to verify it with Philm’s public key from keyserver. The bad guy can create a public key under the name of Philip Müller, but not from Phil’s email address. He can use a similar looking email, therefore keep your eyes open when you import a signature. You can also check for higher security that the found public key is signed by other trusted public keys - other Manjaro or Arch guys.


In Rufus, do I choose “Create a bootable disk using ISO image” option?

I don’t have Rufus installed, please, refer to their How-To. But it sounds like it is the right option.

I see, thank you for the explanation

Couldn’t a fake OS intercept whatever message from GPG and replace it with a “Good signature from…” message?

So I downloaded and installed into a live USB, Manjaro 64bit KDE. Then booted said live USB to verify the ISO.

Running gpg --search-keys FINGERPRINT results in a seemingly gibberish list of keys http://pastebin.com/1Qx9JaTc. Is that a red flag?

I ran pacman-key --list-keys as advised in IRC and got this http://pastebin.com/AK1qnNC6

So then I ran gpg --recv-keys E4CDFE50A2DA85D58C8A8C70CAA6A5961
and got:

[quote]gpg: /home/manjaro/.gnupg/trustdb.gpg: trustdb created
gpg: key CAA6A59611C7F07E: public key “Philip Müller (Called Little) philm@manjaro.org” imported
gpg: no ultimately trusted keys found[/quote]

And then ran gpg --verify manjaro-kde-16.10.3-stable-x86_64.iso.sig
and got

[quote]gpg: assuming signed data in 'manjaro-kde-16.10.3-stable-x86_64.iso'
gpg: Signature made Sun 27 Nov 2016 05:53:35 AM CST
gpg: using RSA key CAA6A59611C7F07E
gpg: issuer "philm@manjaro.org"
gpg: Good signature from “Philip Müller (Called Little) philm@manjaro.org” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E4CD FE50 A2DA 85D5 8C8A 8C70 CAA6 A596 11C7 F07E
[/quote]

Is this message about not being certified with a trusted signature, fine?


Yeah, everything is fine. You simply should have run:
gpg --search-keys CAA6A59611C7F07E

Couldn’t a fake OS intercept whatever message from GPG and replace it with a “Good signature from…” message inside the terminal? I mean couldn’t a fake OS just give whatever terminal message it wants?

A fake gpg program on a fake ISO might be a possible attack, but you could reinstall it from the mirror and then it should either not work, because package verification also is based on gpg, or you would get a correct gpg program.

A better solution would be to install a gpg program on Windows and use it.
https://tails.boum.org/install/download/openpgp/#windows

But couldn’t a fake OS just give whatever terminal message it wants? I mean, if it was a fake OS, couldn’t it have the terminal say the signature is a pink elephant dancing the waltz in response to my check? Or for that matter, that it checks out.

Not after a reinstall of the gnupg package.

There is no need… once you have installed a “fake” or corrupted OS, why would they try to do that… they just need to replace all mirrors by their own mirror and add their keys in the installed system as trusted.

There is no “automatic” system that is secure. The user always has to trust something at the beginning. In the case of the signature of the ISO you will have to trust or at least check the public key of the developer that signed the ISO (checking if the key is signed by other developers, asking the owner of the key if it’s really his key, etc).

Of course it could, but it would be easy to see that it does not work as expected.

Please instruct me how to reinstall gnupg package, should I uninstall the previous one first?

As far as checking through Windows, if you look at my OP, you will see I asked about doing just that, and you never responded. I even had a YouTube video I was trying to follow, but got stuck on it and I was asking for help, and I was completely ignored in that regard. I am using the USB live right now, but I will try Kleopatra yet again later. I expect I will run into more stumbling blocks and walls in that regard though.

Then are you saying Eugen is wrong about it being reliable to use an ISO from a live USB to verify itself?

If you use as live environment the same ISO as the one you want to verify… it’s not the best idea, even if you could by verifying the public key yourself or installing gpg from a trusted source.

Sorry, that it took so long. Maybe a video about a program is not the best source of information. You should have read a How-To for gpg4win.

My method should not be seen as an official method if you have very high security requirements and little knowledge (so you wouldn’t see that gpg behaves strange on the ISO).
@scachemaille is right that the fake ISO might have fake mirrors and fake manjaro-keyring and archlinux-keyring and therefore a reinstall of gnupg can give you a fake package. Sorry, my mistake! :dizzy_face:

The advise here is free and “can kill your cat”. :wink: Sorry again!


To cut a long story short, here is what the link from Tails distro links to for checking signatures with gpg4win:
https://www.gpg4win.org/doc/en/gpg4win-compendium_24.html#id4

So more value to sigs originated from an incident with Mint where the site was hijacked and fake ISOs delivered, right? But this was discovered in hours, right?

So if anything like this were to happen in Manjaro, it would also be discovered quick, right? Manjaro is at least as big as Mint?

So the fact that I downloaded this days ago and there has been no news of anything untoward happening with Manjaro is itself pretty good insurance that my ISO is safe, correct?

Even quicker, in minutes, because quite a lot of Manjaro users are checking the ISO signatures.
And practically speaking it is quite safe to trust the other users. But the stable ISO is quite old, so I wouldn’t bet it was checked recently by anybody… New ISOs get checked with high probability.

If you don’t manage to check the ISO signature on Windows you can try the following:

See this list of manjaro mirrors http://repo.manjaro.org/
Select a mirror close to your place and download the gnupg package from a mirror on the list and then install the local package:

wget https://repo.stdout.net/manjaro/stable/core/x86_64/gnupg-2.1.18-1-x86_64.pkg.tar.xz
sudo pacman -U gnupg-2.1.18-1-x86_64.pkg.tar.xz

and run the verification commands which you already know.
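The two pieces of advice in this thread (fetch the key by its full fingerprint, then run the verify, and treat the "not certified with a trusted signature" warning as harmless once the fingerprint is pinned) can be turned into a script that reads gpg's machine-readable status lines instead of the human-readable "Good signature" text. This is an added example, not code from the thread or from Manjaro; it assumes gpg's --status-fd line format, and the sample status lines are constructed around the fingerprint printed earlier in the thread.

```shell
#!/bin/sh
# Primary key fingerprint printed by gpg earlier in the thread; this is what gets pinned.
EXPECTED_FPR="E4CDFE50A2DA85D58C8A8C70CAA6A59611C7F07E"

# verify_status_output EXPECTED_FPR
# Reads "[GNUPG:] ..." status lines on stdin. Returns 0 only when a VALIDSIG line names
# the expected key (signing-key or primary-key fingerprint), 2 on a bad, unknown-key,
# expired or revoked-key signature, 1 when no acceptable VALIDSIG was seen.
# Pinning the fingerprint replaces web-of-trust certification, so TRUST_UNDEFINED
# (the "[unknown]" / "not certified" warning) is deliberately ignored.
verify_status_output() {
    expected=$1
    found=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv> <pk-algo> <hash> <class> <primary-fpr>
                rest=${line#"[GNUPG:] VALIDSIG "}
                sigfpr=${rest%% *}
                primary=${line##* }
                if [ "$sigfpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    found=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 2 ;;
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 2 ;;
        esac
    done
    return $found
}

# verify_iso SIGFILE ISOFILE: run gpg on real files. Fetch the key first with the
# full fingerprint (gpg --recv-keys "$EXPECTED_FPR"), never by name or e-mail.
verify_iso() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | verify_status_output "$EXPECTED_FPR"
}

# Constructed sample of gpg --status-fd 1 output for the thread's signature
# (timestamp is made up; key id, fingerprint and uid are the thread's).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CAA6A59611C7F07E Philip Müller (Called Little) <philm@manjaro.org>
[GNUPG:] VALIDSIG E4CDFE50A2DA85D58C8A8C70CAA6A59611C7F07E 2016-11-27 1480247615 0 4 0 1 10 00 E4CDFE50A2DA85D58C8A8C70CAA6A59611C7F07E
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG CAA6A59611C7F07E Philip Müller (Called Little) <philm@manjaro.org>'

printf '%s\n' "$SAMPLE_GOOD" | verify_status_output "$EXPECTED_FPR" && echo "sample: signature OK"
```

For a real download, call `verify_iso manjaro-kde-16.10.3-stable-x86_64.iso.sig manjaro-kde-16.10.3-stable-x86_64.iso` and act on its exit status, not on what is printed.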

Let’s say the ISO was fake, but the gnupg package was good. You enter gpg --verify manjaro-kde-16.10.3-stable-x86_64.iso.sig, gnupg knows the package doesn’t check out, but couldn’t the fake OS still give the etc. gpg: Good signature from “Philip Müller (Called Little) philm@manjaro.org” [unknown] etc. message? Like where the OS replaces one message with another? Why they could do this is because then they don’t need to worry about replaced mirrors and stuff. That way even those bothering to directly download packages can be fooled.

So about the stable versus developmental versions. So do most people just download the developmental versions? How dated and out of date are stable releases? How unstable or buggy is the developmental version?
