ISO images authenticity check: Signature does not check and no detached signature
A user brought to my attention that the gpg public key we provide (0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284) does not allow one to gpg-verify the checksum files associated with our ISO images. For instance, the checksum file at http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-KDE-Live-x86... will not be verified by `gpg --verify <iso dot sha256 dot file>`. As far as I understand, a detached signature file could be an alternative, using this time `gpg --verify <detached signature file> <iso dot sha256 dot file>`, but we won't provide one either. Does it mean that users cannot verify the authenticity of our ISO images as of now? Best, Adrien
Sorry, typo, I meant: "Does it mean that users cannot verify the authenticity of [the checksum files we associate to] our ISO images as of now?"
On 2020-12-29 21:33:54 +0100, adrien.glauser@gmail.com wrote:
A user brought to my attention that the gpg public key we provide (0x22C07BA534178CD02EFE22AAB88B2FD43DBDC284) does not allow one to gpg-verify the checksum files associated with our ISO images. For instance, the checksum file at http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-KDE-Live-x86... will not be verified by `gpg --verify <iso dot sha256 dot file>`.
Hmm that cannot work. The *.iso.sha256 file contains no signature.
As far as I understand, a detached signature file could be an alternative, using this time `gpg --verify <detached signature file> <iso dot sha256 dot file>`, but we won't provide one either.
We do.

$> wget \
   http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-KDE-Live-x86...
$> gpg --verify \
   openSUSE-Tumbleweed-KDE-Live-x86_64-Current.iso.sha256.asc \
   openSUSE-Tumbleweed-KDE-Live-x86_64-Current.iso.sha256

... should do the trick.

Marcus
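The two-step procedure Marcus describes, written up as a small POSIX shell script. This is an added example, not code from the thread or from the openSUSE project: it assumes the .iso, .iso.sha256 and .iso.sha256.asc files are already downloaded into the working directory and that the openSUSE signing key is in the local keyring; the function names are my own, and the only project-specific value is the key fingerprint quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from openSUSE: the two-step check
# Marcus describes, as a script. Assumes the .iso, .iso.sha256 and
# .iso.sha256.asc files are already downloaded into the working directory
# and the openSUSE signing key has been imported into the local keyring.

# Fingerprint of the openSUSE public key quoted in the thread.
OPENSUSE_FPR="22C07BA534178CD02EFE22AAB88B2FD43DBDC284"

# Read gpg --status-fd output on stdin; succeed only if a VALIDSIG line names
# the expected key (signing-key fingerprint in field 3, or the primary-key
# fingerprint in the last field). "Good signature" alone is not enough:
# gpg also exits 0 for a good signature made by any other key in the keyring.
signed_by_fingerprint() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Step 1: the .sha256 file itself carries no signature; gpg checks the
# detached signature in <file>.sha256.asc against it.
verify_signature() {
    sha_file="$1"
    gpg --status-fd 1 --verify "${sha_file}.asc" "$sha_file" 2>/dev/null \
        | signed_by_fingerprint "$OPENSUSE_FPR"
}

# Hex SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Step 2: the .sha256 file holds "<hex digest>  <filename>"; compare the
# digest to the downloaded ISO. Comparing digests instead of running
# `sha256sum -c` avoids a spurious failure when the ISO was saved under a
# different name than the one recorded in the file.
verify_checksum() {
    sha_file="$1"
    iso_file="$2"
    expected=$(awk 'NR == 1 { print $1 }' "$sha_file")
    [ -n "$expected" ] && [ "$expected" = "$(sha256_of "$iso_file")" ]
}

# Full check: signature first, then digest. Exit status 0 only if both pass.
verify_iso() {
    sha_file="$1"
    iso_file="$2"
    verify_signature "$sha_file" \
        || { echo "FAIL: $sha_file is not signed by $OPENSUSE_FPR" >&2; return 1; }
    verify_checksum "$sha_file" "$iso_file" \
        || { echo "FAIL: digest of $iso_file does not match $sha_file" >&2; return 1; }
    echo "OK: $iso_file matches its signed checksum file"
}

# Usage: sh verify-iso.sh <image>.iso.sha256 <image>.iso
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2"
fi
```

The signature check deliberately pins the fingerprint rather than trusting gpg's exit status: `gpg --verify` returns success for any good signature from a key in the keyring, so a checksum file signed by some other imported key would otherwise pass. The digest comparison is done by hand because the name recorded inside the .sha256 file is not necessarily the name the image was saved under (the `-Current.iso` name on the mirror, for instance).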
Hello Marcus, Thanks for stepping in. From your instructions plus some digging I was able to successfully authenticate the sha256 file I was testing. Nonetheless I think it's quite difficult for the new user (and I consider myself as such as far as this topic goes) to identify the recipe for authenticating sha256 files associated with our ISO images. In particular it's not trivial to identify the relevant .asc gpg signature that needs to be used to verify arbitrary images. In our toy example, the file at http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-KDE-Live-x86... is neither referenced nor talked about anywhere on https://software.opensuse.org/distributions/tumbleweed. Only openSUSE's gpg public key is. In the spirit of improving the docs I've jotted down the few steps I went through doing this. Can you give it a look and confirm it's correct? I mean, I've tested it, but perhaps it is incorrectly phrased or using unnecessary steps. Here it is: https://etherpad.opensuse.org/p/gpg-verify-images Best, Adrien
On 30/12/2020 00.28, Adrien Glauser wrote:
Hello Marcus,
Thanks for stepping in. From your instructions plus some digging I was able to successfully authenticate the sha256 file I was testing.
Nonetheless I think it's quite difficult for the new user (and I consider myself as such as far as this topic goes) to identify the recipe for authenticating sha256 files associated with our ISO images. In particular it's not trivial to identify the relevant .asc gpg signature that needs to be used to verify arbitrary images. In our toy example, the file at http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-KDE-Live-x86... is neither referenced nor talked about anywhere on https://software.opensuse.org/distributions/tumbleweed. Only openSUSE's gpg public key is.
<https://www.opensuse.org/> Install Tumbleweed links to: <https://software.opensuse.org/distributions/tumbleweed> Down the page, see the paragraph «Verify Your Download Before Use», which mentions "For more help verifying your download please read Checksums Help", which links to <https://en.opensuse.org/SDB:Download_help#Checksums>, which also mentions the GPG procedure and gives an example for Tumbleweed Netinstall. I have not verified if the instructions are still correct or if they match your experience. -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
30.12.2020 06:00, Carlos E. R. writes:
On 30/12/2020 00.28, Adrien Glauser wrote:
Hello Marcus,
Thanks for stepping in. From your instructions plus some digging I was able to successfully authenticate the sha256 file I was testing.
Nonetheless I think it's quite difficult for the new user (and I consider myself as such as far as this topic goes) to identify the recipe for authenticating sha256 files associated with our ISO images. In particular it's not trivial to identify the relevant .asc gpg signature that needs to be used to verify arbitrary images. In our toy example, the file at http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-KDE-Live-x86... is neither referenced nor talked about anywhere on https://software.opensuse.org/distributions/tumbleweed. Only openSUSE's gpg public key is.
The example in the wiki (which is linked from software.o.o) mentions it, at least if you are lucky enough to be redirected to the English version, but you really need to know what it is, so it is not helpful for most users.
<https://www.opensuse.org/> Install Tumbleweed links to: <https://software.opensuse.org/distributions/tumbleweed>
Down the page, see the paragraph «Verify Your Download Before Use», which mentions "For more help verifying your download please read Checksums Help", which links to <https://en.opensuse.org/SDB:Download_help#Checksums>, which also mentions the GPG procedure and gives an example for Tumbleweed Netinstall.
I have not verified if the instructions are still correct
They are incomplete and do not match TW, which changed from an inline to a detached signature. Moreover, the example suddenly lists a *.asc file although this file is not mentioned anywhere in the description before. And even if the wiki is corrected, it does not change the fact that software.o.o does not link to the *.asc file. And that is where users expect to find all relevant links.
or if they match your experience.
Dear Carlos and Andrei, I agree with Andrei that the "SDB:Download_help#Checksums" wiki page is falling short on the points he has mentioned. Thanks to whoever edited https://etherpad.opensuse.org/p/gpg-verify-images, we're getting closer to user-friendliness. The last important point: How / where can users find the detached gpg signature ".asc" file matching ISO images? Best, and thanks for your comments, Adrien
Discussion moved there (https://github.com/openSUSE/openSUSE-docs-revamped/pull/40) for anyone interested.
With this last culprit: https://github.com/openSUSE/openSUSE-docs-revamped/pull/40#issuecomment-7552...