UPDATE: Newbie Question on Verifying with GPG


#1

EDIT: I have made some progress, but to avoid double-posting, I am adding it here. See my original post below, and then the update. Thanks for your time!

Original Post

Hey, everyone. Been doing a lot of reading, but new to GPG and struggling to figure out how to verify the PureOS iso I downloaded. Would appreciate any help on what to fix in my process. Here’s what I’ve done so far:

  1. Checked that the iso I downloaded matches the sha256 sum given on the download page.

  2. Went to the github page and downloaded the keys.

  3. Checked that the md5 given in md5sums.txt matches the md5 generated from pureos-archive-keyring.gpg. It does.

Now I’m lost at this step and unsure how to connect steps 1 with 2 and 3. Do I use the gpg file to verify the iso? I tried running the following:

gpg --verify pureos-archive-keyring.gpg pureos-8.0-live-amd64.hybrid.iso

but this gives me the following error message:

gpg: verify signatures failed: Unexpected error

I’m probably just missing something obvious here. Would really appreciate anyone’s time in helping me out/directing me to other resources.

Update: it seems that what I have is the PureOS keyring, but nothing to verify it with. I eventually found the https://downloads.puri.sm/ URL, which, under snapshots, gives me an actual file with the sha256 sums (as opposed to them being displayed on the other downloads page). I thought I might be able to use the keyring to verify this file, but again, I get an error.

I’m starting to second-guess myself, but I am correct to think that I should be able to verify with GPG the checksums I used to verify the iso, right?


#2

You can use the sha256sum signature below the download button, and follow this tutorial to check it.


#3

Thanks for your reply, vrata. I do see the checksum below the download button, but I can’t find its accompanying signature (step 2 on the tutorial you linked), which seems to be the problem.

Perhaps this is a case, like the tutorial mentioned, in which there is none. I assumed it was more likely there was one that I couldn’t find, given that they have the keyring available on the github page.


#4

So if you download the ISO file you can run the command

sha256sum /path/to/file.iso

to get a sha256sum signature which should be:

d43250d193aac18f337b333ebb326d63b0d5176a2d535426ff701e32a8885dad

as listed on the download page. You can also save the above signature to a text file and use that to check the ISO file,

sha256sum --check signature.txt   # signature.txt holds one line: "<hash>  /path/to/file.iso" (two spaces between hash and path)
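As an added example (not part of the post above), the following script shows the list-file layout that `sha256sum --check` actually reads, tried on a constructed stand-in for the iso rather than the real download. The file name `signature.txt` is kept from the post; `sample.iso` and its contents are made up here.

```shell
#!/bin/sh
# Added example: the "<hex digest>  <filename>" list that sha256sum --check
# expects, exercised on a constructed sample file instead of the real iso.
set -eu

workdir=$(mktemp -d)
cd "$workdir"

# Constructed sample "image"; the downloaded iso would take its place.
printf 'constructed sample image contents\n' > sample.iso

# sha256sum --check does NOT take the file to verify as an argument. It reads
# lines of the form "<hex digest>  <filename>" (two spaces) from the list file
# and looks each filename up relative to the current directory.
write_sums_file() {
    # $1 = file to hash, $2 = list file to write (sha256sum emits that format)
    sha256sum "$1" > "$2"
}

# check_sums LISTFILE: exit 0 when every listed file matches, non-zero otherwise.
# --strict also rejects malformed lines (e.g. a bare hash with no filename).
check_sums() {
    sha256sum --check --strict "$1" >/dev/null 2>&1
}

write_sums_file sample.iso signature.txt
cat signature.txt                       # one line: "<digest>  sample.iso"

check_sums signature.txt && echo "sample.iso: OK"

# A modified download (or a modified list) must fail the check.
printf 'tampered\n' >> sample.iso
if check_sums signature.txt; then
    echo "unexpected: tampered file passed" >&2
    exit 1
else
    echo "sample.iso: FAILED as expected"
fi
```

Note that this only tells you the bytes you have match the bytes the list describes; if the list itself is served by the same site as the iso, it says nothing about who published either.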


#5

Some terminology I will use:

A checksum is a hash value of a file, in this case the released iso file.
A signature means a cryptographic signature according to some cryptographic signature algorithm (commonly using the RSA cryptosystem, see for instance https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Signing_messages).

What SR388 was asking about was IMHO a cryptographic signature using Purism's key (e.g. one key in the keyring) of the sha256 hashes found on the download page. As far as I know such a signature does not exist; it is thus essentially impossible to verify the integrity of the downloaded iso file (see also my comment at Security concerns with PureOs repos (and website)), the hashes only serve as a means to detect a non-maliciously corrupted download.


#6

OK, sorry if I use the wrong terminology; however, I also realise that the link for PureOS does not work, it's currently pointing to:

https://downloads.puri.sm/snapshots/2017-12-29/pureos-8.0-live-amd64.hybrid.iso

which looks like an older update, while the latest under

https://downloads.puri.sm/snapshots/

is 2018-01-06, and you have both the checksum and ISO you can download.

I downloaded the ISO file and checked the sha256sum signature,

$ sha256sum Downloads/pureos-8.0-live-amd64.hybrid.iso 

371595232aba38cd7808aa61c1e3a1206d4ea709214111ae9c44601868cdb23f Downloads/pureos-8.0-live-amd64.hybrid.iso

and it matches with the value in the checksum file.

PS: Purism has fixed the download link.


#7

Hi, guys. Thank you for your replies.

Yes, this is what I was asking about. When I learned about verifying ISOs and checksums (remember, I’m just a hobbyist), I read that checksums by themselves only tell you about the integrity of your download (that it wasn’t intercepted). If a hacker is able to swap out the ISO with a tampered one, it is a trivial step to change the listed checksums as well. To combat this, PureOS should have a cryptographic signature hosted on an external website that verifies a .txt file containing the checksum (so that the attack would need to encompass two websites).

Glad to see this is being discussed on the other thread, @kV1x_2xx. Hopefully a signature system is implemented. Thank you @vrata for putting together this nice guide on verifying the checksums.
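As an added example (not part of this thread, and not Purism's release process), the script below walks through the setup the posts above are asking for: a detached GPG signature over the checksum list, verified with a keyring that holds only the publisher's public key. The key is a throwaway generated on the spot, `pureos-archive-keyring.gpg` here is a constructed stand-in for the real keyring, and the SHA256SUMS content is a placeholder; it assumes `gpg` (GnuPG 2.1 or later) is installed.

```shell
#!/bin/sh
# Added example: detached signature over a checksum list, verified from a
# keyring that contains only the public key. Key, keyring and SHA256SUMS
# content are all constructed here; nothing is fetched from Purism.
set -eu

workdir=$(mktemp -d)
cd "$workdir"

# --- Publisher side (simulated): create a key and sign the checksum list.
export GNUPGHOME="$workdir/publisher"
mkdir -m 700 "$GNUPGHOME"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Release Key <release@example.invalid>' default default never

# Placeholder list line; the real list would carry the iso's true digest.
printf '%s  pureos-8.0-live-amd64.hybrid.iso\n' \
    'PLACEHOLDER_DIGEST_0000000000000000000000000000000000000000000000' > SHA256SUMS
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --detach-sign --output SHA256SUMS.sig SHA256SUMS

# What downloaders receive as "the keyring" is just the exported public key.
gpg --batch --quiet --export > pureos-archive-keyring.gpg

# --- Downloader side: empty keyring, import the public key, verify the list.
export GNUPGHOME="$workdir/downloader"
mkdir -m 700 "$GNUPGHOME"
gpg --batch --quiet --import pureos-archive-keyring.gpg

# verify_sums_signature SIGFILE LISTFILE: exit 0 on a good signature.
# Argument order matters: the detached signature first, then the signed file.
# Passing the keyring and the iso instead (as in the original question) fails
# because neither file is a signature.
verify_sums_signature() {
    gpg --batch --quiet --verify "$1" "$2" >/dev/null 2>&1
}

verify_sums_signature SHA256SUMS.sig SHA256SUMS && echo "SHA256SUMS: good signature"

# An edited checksum list cannot carry a valid signature without the private
# key, which is exactly the swap-the-iso-and-the-checksum case discussed above.
printf '%s  pureos-8.0-live-amd64.hybrid.iso\n' \
    'TAMPERED_DIGEST_00000000000000000000000000000000000000000000000' > SHA256SUMS.tampered
if verify_sums_signature SHA256SUMS.sig SHA256SUMS.tampered; then
    echo "unexpected: tampered list verified" >&2
    exit 1
else
    echo "SHA256SUMS.tampered: BAD signature, as expected"
fi

# Stop the agents started for the two temporary homes.
for h in publisher downloader; do
    GNUPGHOME="$workdir/$h" gpgconf --kill gpg-agent
done
```

The remaining step in practice is trusting the keyring itself: a keyring downloaded from the same place as the iso and the checksum list can be replaced along with them, so its fingerprint needs to be confirmed through a channel the download site does not control.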


#8

> Glad to see this is being discussed on the other thread, @kV1x_2xx. Hopefully a signature system is implemented. Thank you @vrata for putting together this nice guide on verifying the checksums.

Yes, there is also an issue I opened in the PureOS tracker about the missing signature of the ISO file / its checksums.
https://tracker.pureos.net/T116