Signed iso files

Belham
Posts: 25
Joined: Sun May 15, 2016 7:23 am

Re: Signed iso files

#21 Post by Belham »

[screenshot]

Hi all,

I did both CLI/Terminal and GPA (the GNU Privacy Assistant) and something is not making sense for MX-15 monthly downloads. With the thread here and also with the official MX-thread "how-to" on checking/verifying MX-15 .iso and .iso.sig files provided during download, I am running into the following:

Please check this above screenshot of my screen showing you both CLI/terminal response and GPA's response when trying to check/verify:

1) First, anticapitalista's public key ID is listed as "00067FDD" and not "4A0C4F9C" as provided in the detailed MX-15 Community Forum "How-to Wiki" (www.mepiscommunity.org/wiki/system/signed-iso-files) for verifying MX-15 ISOs. Also, how can two different public keys, assigned to only one individual (anticapitalista), return the exact same "Primary Key Fingerprint"? This isn't supposed to be possible, unless, well, ---gulp---- no need to go there yet (here's looking at you, Linux Mint). Then, as if the primary key fingerprint assigned to two different public keys isn't enough, it all seems to get weirder, as how can this second thing be happening:

2) the downloaded files (I download the monthly ISOs--again, check the included pic attachment for a shot of the files I downloaded) are being signed by Adrian and not anticapitalista. The MX-15 forum instructions specifically say "anticapitalista" and not "Adrian 0679EE98" should be signing the ISOs. Furthermore, verifying through GPA kicks back that even Adrian's verification is "KEY NOT VALID". Why? At least Adrian's one public key is assigned to one primary key fingerprint, unlike anticapitalista's.

Any chance you guys can check what is going on? (If I've screwed the pooch about understanding this all, and done this wrong, apologies...but in my defense I've done, over the past years if not decade, many iso.sig and iso checks/verifications, and I've never seen anything, at the least, like anticapitalista's of having two Primary Fingerprints assigned to the same public key, let alone ISOs being signed by "anticapitalista" but the iso.sig looking for verification from Adrian's.....heck, this is not even a sub-key issue where anticapitalista's weirdness is concerned.)


(Also please know, the MX-15_Apr monthly md5 signature comes back clean, but honestly, as we all know, md5 is not so good or confidence inspiring nowadays...sha256 at minimum is needed, and most should be migrating to sha512. The MX & Mepis forums not only need to move to HTTPS yesterday, but they need to get off of MD5 sums and hop-skip right over sha256 and head straight to sha512. Show us ya mean business, with both https and sha512.)

Thanks for any replies about what is going on above!

P.S. I set up MX-15 in a secured, off-network, very isolated (its own subnet network) inside a VirtualBox no less, just to get a glimpse of how the OS looks. And the OS looks great; it seems to me it is one of the few that are heading towards that nirvana land that Debian users have been looking for/craving for a long time, and where it would also appeal to newby Linux users too :happy: Before I use MX-15 full time and let her loose in my home, I would very much like to hear the explanation of why the above is occurring during verification.

Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: Signed iso files

#22 Post by Jerry3904 »

Welcome to the Forum, and thanks for the detailed post!

I worked with a group of MX Devs to put together the MX-15 directions in the Wiki, and they were tested repeatedly by various individuals--and it all worked. I had nothing to do with the antiX directions at the top of that same page, which were taken directly from a post by anticapitalista on the antiX Forum.

The Wiki entry for MX-15 supersedes the Forum discussion, as other ISOs besides those released by anticapitalista were included: as the MX-15 Wiki directions say at the end of Step 1
This will give you anticapitalista's key for the official releases, Adrian's key for the monthly updates, and Stevo's for the KDE and core remasters.
It appears that those directions still work:


$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 4A0C4F9C 0679EE98 F09C5B1C
gpg: requesting key 4A0C4F9C from hkp server keys.gnupg.net
gpg: requesting key 0679EE98 from hkp server keys.gnupg.net
gpg: requesting key F09C5B1C from hkp server keys.gnupg.net
gpg: key 00067FDD: "anticapitalista <antix@operamail.com>" not changed
gpg: key 0679EE98: "Adrian <adrian@mxlinux.org>" not changed
gpg: key F09C5B1C: "Steven Pusser (Stevo) <maintainer@mepiscommunity.org>" not changed
gpg: Total number processed: 3
gpg:              unchanged: 3
And when I run the sig check on the April snapshot, I get this:


jb@UTRA:~/Downloads
$ gpg --verify MX-15_Apr_x64.iso.sig 
gpg: assuming signed data in `MX-15_Apr_x64.iso'
gpg: Signature made Fri 15 Apr 2016 02:30:00 PM EDT using RSA key ID 0679EE98
gpg: Good signature from "Adrian <adrian@mxlinux.org>"
I wonder if your problem comes from the fact that you followed the directions for both antiX (Main) and antiX MX. If you are using MX, then perhaps purge all keys and start again with just the MX directions linked above?

If that is correct, we will need to add a warning to the Wiki entry.
Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox and Windows 10
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin

Belham
Posts: 25
Joined: Sun May 15, 2016 7:23 am

Re: Signed iso files

#23 Post by Belham »

Hi Jerry, thanks for responding so fast. Here's a new screenshot, take a look and tell me what you think. Please know, that for each screenshot (the one in my previous msg and also this one), I only followed directions, both times, in the "MX-15 Wiki" (that you also linked in your reply to me):

[screenshot]

The first question/anomaly, that was new to me, is that a public key (anticapitalista's) is different upon initial gpg request from the terminal. Heck, it even brings back a new public key. But is this maxim not true?: when a new public key is given, that act retires permanently the Primary Key Fingerprint from GnuPG that was associated with the old. As far as I knew (as I was always under the impression from studying gpg), if an old key expires/lapses, so does the Primary Key Fingerprint associated with it, no ifs, ands, or buts. When you get a new public key, so is a new Primary Key Fingerprint generated. Yet, strangely, here, this is not the case. Two public keys, yet each showing the same Primary Key Fingerprint (try it, both of the public keys throw back the same Primary Key Fingerprint...I have honestly never seen that before). So, upon MX-15 monthly downloading & verification, this is/was the first Terminal anomaly I noticed.

The second anomaly is this: look at the Terminal in my screenshot: in Ubuntu, when trying to verify the ISO.sig file, there is no assumption that it is looking at the paired ISO in the same folder. It won't assume anything. But I know in Debian, terminals there will throw back an "assuming signed data is..." reply (if you are in the same directory) even when it can actually find nothing in the iso.sig itself that tells it what/which ISO to look at (I may be mistaken, but has this not been part of the new attack vector(s) on download servers/repositories, deployed over the past year, to brutal effect?). What I mean is, those attack vectors actually modified the iso.sig files so that they only looked at themselves, and not the actual ISO, so the terminal reply came back with a "Good Signature" but this signature was not against the ISO (whose downloads were being redirected to another near identical ISO within the same server farm, but impregnated with backdoors & monitoring software). The verification was only against the iso.sig itself, which was verifying nothing but itself. Additional strangeness was this: when running GPA (Gnu Privacy Assistant), when you give it an iso.sig file, it specifically grabs the ISO it sees and asks you if this is correct. Then, when you go to run the verification of the iso.sig against that iso, GPA rejected that the "MX-15_Apr_x64.iso" was signed by Adrian. See the screenshot. Or am I seeing things and understanding things wrongly?

I only am bringing this all up because of something that happened a few months ago to another linux distribution (and the download servers they were using). Their problem was only found out because of a few users who started noticing download verification irregularities. It doesn't mean there is a problem here, but it also can mean the opposite of that, which we both know would not be good news. I do hope I am mistaken here.

Sure would be interested in what you think about what is happening with the monthly download verification experienced above.

Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: Signed iso files

#24 Post by Jerry3904 »

Sorry, Belham, this is out of my league; somebody else will have to pick this up.

Adrian
Developer
Posts: 8248
Joined: Wed Jul 12, 2006 1:42 am

Re: Signed iso files

#25 Post by Adrian »

Belham wrote:
Then, when you go to run the verification of the iso.sig against that iso, GPA rejected that the "MX-15_Apr_x64.iso" was signed by Adrian. See the screenshot. Or am I seeing things and understanding things wrongly?
That's not quite what it says, it just says that there's no guarantee that that key belongs to me because it's not certified with a trusted signature; that's normal, you'd need to sign my key or I should have my key signed by somebody you trust. I can tell you that the signature is correct for my key and if you trust this message you could just accept that at face value; normally you'd need to get a confirmation offline or through a secure connection, and I don't have a way to provide the signature offline or through a secure connection.
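An added example, not code from this thread or from the MX project, showing in Python the two things posts #23 and #25 turn on: (1) verifying a detached .iso.sig with the signed file named explicitly, so gpg never has to "assume" which file the signature covers, and (2) deciding acceptance by a fingerprint pinned out of band instead of by web-of-trust state, which is the gap Adrian describes (gpg can prove a signature matches a key, not that the key is his). It also shows how key IDs are derived from a fingerprint: a v4 key ID is the low 64 bits of the fingerprint and the short ID is the low 32 bits, and a primary key and its subkeys each have their own fingerprint and ID while gpg's "Primary key fingerprint" line always names the primary. The gpg invocation, the pinned fingerprints and the `[GNUPG:]` status lines below are constructed for the demo; none of them are real MX keys.

```python
"""Verify a detached signature the way a script should, and parse GnuPG's
machine-readable --status-fd output. Added example; fingerprints, key IDs and
status lines are constructed, not real MX or antiX keys."""
import subprocess
from typing import Dict, Iterable, List, Optional

STATUS_PREFIX = "[GNUPG:] "


def verify_argv(sig_path: str, data_path: str) -> List[str]:
    """gpg command naming both the signature and the signed file.

    Giving gpg the data file explicitly avoids the
    'assuming signed data in ...' guess: the signature is checked over
    exactly the file you name, nothing else."""
    return ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]


def fingerprint_to_keyids(fpr: str) -> Dict[str, str]:
    """v4 OpenPGP: long key ID = last 16 hex digits of the fingerprint,
    short key ID = last 8. Two different key IDs therefore mean two
    different (sub)keys, even when they hang off the same primary key."""
    fpr = fpr.replace(" ", "").upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return {"fingerprint": fpr, "long_id": fpr[-16:], "short_id": fpr[-8:]}


def parse_status(lines: Iterable[str]) -> Dict[str, Optional[object]]:
    """Reduce gpg --status-fd lines to the facts an acceptance policy needs."""
    result: Dict[str, Optional[object]] = {
        "good": False, "bad": False, "error": False,
        "signing_fpr": None, "primary_fpr": None, "trust": None,
    }
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable chatter is not a status line; ignore it
        parts = line[len(STATUS_PREFIX):].split()
        kw = parts[0]
        if kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pkalgo>
            #          <hashalgo> <sigclass> [<primary-key-fpr>]
            # <fpr> is the key that made the signature (possibly a subkey);
            # the trailing field, when present, is the primary key's fingerprint.
            result["good"] = True
            result["signing_fpr"] = parts[1]
            result["primary_fpr"] = parts[10] if len(parts) > 10 else parts[1]
        elif kw == "BADSIG":
            result["bad"] = True
        elif kw in ("ERRSIG", "NODATA", "NO_PUBKEY"):
            result["error"] = True
        elif kw.startswith("TRUST_"):
            result["trust"] = kw  # TRUST_UNDEFINED is what an unsigned key yields
    return result


def accept(status: Dict[str, Optional[object]], pinned_primary_fprs: Iterable[str]) -> bool:
    """Policy: a cryptographically valid signature whose PRIMARY key fingerprint
    was pinned out of band. Web-of-trust state is deliberately ignored: pinning
    the fingerprint replaces the 'somebody you trust signed this key' step."""
    pinned = {f.replace(" ", "").upper() for f in pinned_primary_fprs}
    if status["bad"] or status["error"] or not status["good"]:
        return False
    return str(status["primary_fpr"] or "").upper() in pinned


def verify_iso(sig_path: str, data_path: str, pinned_primary_fprs: Iterable[str]) -> bool:
    """End-to-end check against a real gpg binary (assumed on PATH)."""
    proc = subprocess.run(verify_argv(sig_path, data_path), capture_output=True, text=True)
    return accept(parse_status(proc.stdout.splitlines()), pinned_primary_fprs)


# Constructed sample data: a primary key, a signing subkey, and the status
# lines gpg would emit for a good subkey signature and for a bad one.
SAMPLE_PRIMARY_FPR = "1111222233334444555566667777888899990000"
SAMPLE_SUBKEY_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SAMPLE_STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0000111122223333 Example Signer <signer@example.invalid>",
    f"[GNUPG:] VALIDSIG {SAMPLE_SUBKEY_FPR} 2016-04-15 1460745000 0 4 0 1 8 00 {SAMPLE_PRIMARY_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_STATUS_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0000111122223333 Example Signer <signer@example.invalid>",
]

if __name__ == "__main__":
    print(fingerprint_to_keyids(SAMPLE_PRIMARY_FPR))
    print("good sample accepted:", accept(parse_status(SAMPLE_STATUS_GOOD), [SAMPLE_PRIMARY_FPR]))
    print("bad sample accepted:", accept(parse_status(SAMPLE_STATUS_BAD), [SAMPLE_PRIMARY_FPR]))
```

The good sample is accepted despite `TRUST_UNDEFINED`, because the pinned primary fingerprint, not the web of trust, is the authority; swapping in a fingerprint you did not pin makes the same signature fail, and a `BADSIG` fails regardless. Pin the 40-digit primary fingerprint obtained from a channel you trust, never an 8-digit short ID, which is trivially collidable.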

m_pav
Developer
Posts: 1390
Joined: Sun Aug 06, 2006 3:02 pm

Re: Signed iso files

#26 Post by m_pav »

I'm getting nothing here


michael@mikepav:~
$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 4A0C4F9C 0679EE98 F09C5B1C
gpg: requesting key 4A0C4F9C from hkp server keys.gnupg.net
gpg: requesting key 0679EE98 from hkp server keys.gnupg.net
gpg: requesting key F09C5B1C from hkp server keys.gnupg.net
?: keys.gnupg.net: Host not found
gpgkeys: HTTP fetch error 7: couldn't connect: Connection refused
?: keys.gnupg.net: Host not found
gpgkeys: HTTP fetch error 7: couldn't connect: Connection refused
?: keys.gnupg.net: Host not found
gpgkeys: HTTP fetch error 7: couldn't connect: Connection refused
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
Mike P

Regd Linux User #472293
(Daily) Lenovo T560, i7-6600U, 16GB, 2.0TB SSD, MX_ahs
(ManCave) AMD FX 6100 CPU, nVidia, 8Gb, 3.25TB mixed, MX_ahs
(Spare)2017 Macbook Air 7,2, 8GB, 256GB SSD, MX_ahs

Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: Signed iso files

#27 Post by Jerry3904 »

Googling that error message shows proxy or firewall can cause that.

Belham
Posts: 25
Joined: Sun May 15, 2016 7:23 am

Re: Signed iso files

#28 Post by Belham »

Adrian wrote:
Then, when you go to run the verification of the iso.sig against that iso, GPA rejected that the "MX-15_Apr_x64.iso" was signed by Adrian. See the screenshot. Or am I seeing things and understanding things wrongly?
That's not quite what it says, it just says that there's no guarantee that that key belongs to me because it's not certified with a trusted signature; that's normal, you'd need to sign my key or I should have my key signed by somebody you trust. I can tell you that the signature is correct for my key and if you trust this message you could just accept that at face value; normally you'd need to get a confirmation offline or through a secure connection, and I don't have a way to provide the signature offline or through a secure connection.
Aw, crap, all day yesterday I thought I had signed your key, Adrian, with mine when I was running GPA. Of course I hadn't despite thinking I did. Ok, that is officially :bagoverhead:

Sorry, everyone. Sat myself down again and made sure I signed both Adrian's and Steven's keys with mine, in both GPA and in the terminal, ran everything once more & it all came back good sigs. When using and trying different Linux distros (I am a big Puppy user--Quirky64, Fatdog64, Tahr64 & Slacko64 shared among two old laptops, Ubuntu on two desktops, Debian-Jessie on another, Elementary OS for when I'm lazy).....I tend to forgo gpg checks/verification when I see both "https" and "sha256 or 512" being used by the Linux distro for downloading the ISOs. I figure if the blackhats are good enough to crack the https & sha256/512 together, then anything else doesn't really matter...well, that's not true, it's just me being lazy again. :snail: Sure wish for peace-of-mind's sake that MX & MEPIS could go this https/sha512 route.

Anyhow, apologies to you both Steven & Adrian. After realizing my error this morning, getting the good sigs, I let loose MX-15 on one of the desktops (kicked Ubuntu off, happily) on my home network and well, am just really happy so far playing with it and using it. From the big touches like "MX Tools" (it's super, imho), to small touches like having the "colored" root terminal with save passwd to session, to the very nice choices in the programs, and of course to the stability of the OS (of course I am biased towards Debian) MX-15 just knocks other stuff like Linux-Lite, Elementary OS, Peppermint (don't flame me, Pepper gang!!) and others to the notches below best Linux running distro at the moment. Only thing I would like to see is a better stab at updates & packages mgmt---Synaptic is great for those of us who love Linux, but it still is intimidating for newbies----I know because of trying to get my family comfortable with using Synaptic on their desktops/laptops. To me, the Linux distro that figures out how to get people happily involved to search for new programs and install stuff, make them feel it is beyond easy and confident while doing it, is going to find themselves overwhelmed with new-come-from-Apple-Windows-worlds users.

Great job, guys.


P.s. M-Pav, if you're reading this, I second what Jerry said. Any time I've ever run GPG keyserver requests via the CLI I almost invariably have to do it several times. It's almost like key servers can't respond fast enough to CLI queries. On the flipside, a front-end GUI like Seahorse and/or GPA (which I also use), they seem to wait patiently until they get a response from any keyserver(s) for importing and/or exporting.

Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: Signed iso files

#29 Post by Jerry3904 »

Good, I'm glad that worked out.
Belham wrote:
Only thing I would like to see is a better stab at updates & packages mgmt---Synaptic is great for those of us who love Linux, but it still is intimidating for newbies----I know because of trying to get my family comfortable with using Synaptic on their desktops/laptops. To me, the Linux distro that figures out how to get people happily involved to search for new programs and install stuff, make them feel it is beyond easy and confident while doing it, is going to find themselves overwhelmed with new-come-from-Apple-Windows-worlds users.
Thanks for the feedback. Just so we understand where you are coming from, have you already become familiar with 1) apt-notifier (and the associated Check Apt GPG) in the Notification Area that flags you when there are updates to execute with a single click; and 2) MX Package Installer, where a single click again installs from a large list of popular packages?

Belham
Posts: 25
Joined: Sun May 15, 2016 7:23 am

Re: Signed iso files

#30 Post by Belham »

Jerry3904 wrote:
Good, I'm glad that worked out.
Only thing I would like to see is a better stab at updates & packages mgmt---Synaptic is great for those of us who love Linux, but it still is intimidating for newbies----I know because of trying to get my family comfortable with using Synaptic on their desktops/laptops. To me, the Linux distro that figures out how to get people happily involved to search for new programs and install stuff, make them feel it is beyond easy and confident while doing it, is going to find themselves overwhelmed with new-come-from-Apple-Windows-worlds users.
Thanks for the feedback. Just so we understand where you are coming from, have you already become familiar with 1) apt-notifier (and the associated Check Apt GPG) in the Notification Area that flags you when there are updates to execute with a single click; and 2) MX Package Installer, where a single click again installs from a large list of popular packages?
Hi again, Jerry,

Speaking for myself, I think that even Arch is easy to set up and to use...haha. But for my family, on something as simple as watching them want to search for, then try to download, a new program, is a pain to watch on any Linux distro. They can do the updates no problem, though they get confused still with their password versus having to get the root (that I set for safety purposes and keep away from their machines, forcing them to get up & go get it). But, it's the searching and grabbing of new programs, then downloading them, fearful of firstly being overwhelmed by choices, some that are really confusing (I defy any newbie, who looks at a person's conky and goes "ooooh, I want that..." to know what to do when typing "conky" into either the Software Manager and/or Synaptic---too many frigging choices for them, with nothing really explained) and then if anything else pops up (here's looking at you, dependencies, lol), well let's just bury these newbies in the ground---cause they are going to run back to Windows and/or Apple.

Here was my better half wanting a new program for editing .png pics. She got tired of gimp always saving in its .xcf format if she forgot to do the clicks to get gimp to save it in .png. Plus GIMP being hard to use (to this day, GIMP is still a bear, even for experienced Linux users), so she had enough and went looking. She did her due diligence by reading various web review sites about other paint programs, and then decided to look in the package manager by typing "paint" and hit search, and then the Earth came crashing to a standstill in her brain. This is the first thing Linux is failing on when it comes to this area. We hard core users love choice and knowing what is needed to make that program run, so the more choices the package manager and/or synaptic brings back (along with dependencies), the better. But newbies and casual users to Linux absolutely do not like an abundance of choices, they abhor it to their very core. They've been corralled, coddled and handheld in the Windows and Apple worlds for two decades now, being told what to use, what not to use, just click this and shut up, that they've come to believe they never have to worry about making a choice. To them "choice" introduces such a seeming layer of complexity that it is a turnoff and anxiety generator to them. To you and me, we just can't understand this ostrich-sticking-your-head-in-the-sand mentality and being told what to use & what to do. We want choice, which the world of Linux gives us. The Microsoft/Apple world residents, they seem to want to be told, for example, that only 1 or 2 programs at tops exist, and really you blabbering computer idiot, stop dithering & just download the one that we (read: Microsoft or Apple) tell you to download.

Maybe I am not explaining this process well enough. Anyhow, this all begs the question in how to bring these 85-90% users in the Microsoft/Apple world into the land of "choices" and "flexibility" that Linux offers, and that is NOT complexity, but in fact the opposite. And you know what I think the answer is for now? Stop giving new Linux newbies so many choices. Have a top layer program setup when the OS installs, where people click that they are a "newbie", and thus later on when they do searches for general areas of programs they want, the OS's package manager and/or synaptic only brings back 1-2 choices, and there's not one word mention of any dependencies. I know this sounds heretical to you and me, but for now, I believe this could work. Heck, the Linux Mint crew has been arguing this back and forth about how they should build a layer into the package manager which would hide or remove nearly all the choices brought back in general searches save for a few that they designate, but it never goes anywhere beyond talk. I do know this approach would bring up a whole host of issues for you, me, and everyone in the Linux world, but I just don't see a way around this problem of convincing people in the Microsoft/Apple world that freedom to choose, that choices, to be able to use & try nearly whatever you want (and be able to uninstall just as easily and try something else) is a good thing.

I don't know if I am making any sense here, hope so. It's been a long day. And of course it's Monday. :frown: Anyhow, the above is what I meant in my comment in the previous thread about package managers and/or synaptic.
