Can't get public key to verify ISO



shmu26
April 27th, 2020, 12:31 PM
Hi, trying to verify the latest Kubuntu
I run

gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 23 Apr 2020 16:33:56 IDT
gpg: using RSA key D94AA3F0EFE21092
gpg: Can't check signature: No public key


Then I run

gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys D94AA3F0EFE21092
gpg: [don't know]: invalid packet (ctb=3e)
gpg: read_block: read error: Invalid packet
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0


What am I doing wrong

TheFu
April 27th, 2020, 01:40 PM
Why not just download the SHA256sum file, run sha256sum path-to-kubuntu.iso and compare the outputs either manually or using diff?

shmu26
April 27th, 2020, 01:55 PM
Why not just download the SHA256sum file, run sha256sum path-to-kubuntu.iso and compare the outputs either manually or using diff?

I did that already. So I know the iso I downloaded is complete and uncorrupted. Now I want to verify the authenticity of the iso, meaning, that it came from canonical and not from a malcoder.

Don't people do that? Am I overly paranoid?

CelticWarrior
April 27th, 2020, 03:40 PM
Am I overly paranoid?

If you downloaded it from the official website, I would say yes, you are.

mörgæs
April 27th, 2020, 03:47 PM
If the sha256 or md5 hash value is correct then it doesn't matter from where the ISO comes. The preferred way to download is from a torrent.

I don't think I have ever heard of tampered-with Buntu ISOs.

TheFu
April 27th, 2020, 04:06 PM
I did that already. So I know the iso I downloaded is complete and uncorrupted. Now I want to verify the authenticity of the iso, meaning, that it came from canonical and not from a malcoder.

Don't people do that? Am I overly paranoid?

Guess I’d ask what you would do if the sha256 matches but the gpg doesn't? md5 isn't nearly as compelling since researchers have been able to generate files that collide with specific md5 hashes.

I’m pretty paranoid too. There is a point where trust comes in. Someone would need to hack the distro server, perhaps a number of mirrors, repackage the iso, modifying the built-in sha256sum and modifying both files on the distribution system. After being able to do that, seems like hacking into the system with the gpg signature tools wouldn't be hard.

OTOH, I’m happy that _someone_ is doing the gpg validation beyond what APT does with every package that gets installed.

shmu26
April 27th, 2020, 04:54 PM
I agree that it's a paranoid stance to check gpg, but Mint was hacked a few years ago and offered tainted ISOs for download. The hackers posted the checksum of the tainted ISO, since they owned the server anyway, so you would never know.

mörgæs
April 27th, 2020, 09:34 PM
True but it lasted only a day before the breach was discovered.
It's fine to do the hash sum testing but in general I would say that other risks are more important.