
Verifying debian images signatures and checksums

Verifying signatures

Debian's CD verification page doesn't explain how to find and use the keyring from the package.

This page will explain how to get the keyring package and use it to verify the gpg signatures for the checksum files if you are running debian. The directions will likely work for any debian-based distribution.

Install debian-keyring ( sudo apt install debian-keyring ). Also install gnupg if it isn't already installed ( see GnuPG sidebar for details ).

Debian packages install keyrings in /usr/share/keyrings/. debian-role-keys.gpg has the keys for signing CD images.

Note: rather than having dozens of files named SHA512SUMS, I rename them to match the source. For the examples here "debian-8.5.0-openstack" was prepended, as they are from http://cdimage.debian.org/cdimage/openstack/8.5.0/.


$ gpg2 --keyring /usr/share/keyrings/debian-role-keys.gpg --verify debian-8.5.0-openstack.SHA512SUMS.sign
gpg: assuming signed data in 'debian-8.5.0-openstack.SHA512SUMS'
gpg: Signature made Thu Jun 9 19:39:03 2016 MST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
$

"Good signature from" is the output line we're looking for. The warning about the key not being certified with a trusted signature is OK in this circumstance. The keyring came from a signed Debian package, and apt verified that package signature before installing it, so the key has already been vetted through the archive's signing chain even though you have no web-of-trust path to it.

To verify all four signature files, use the following loop.


( for sum in MD5SUMS SHA1SUMS SHA256SUMS SHA512SUMS; do LANG=C gpg2 --keyring /usr/share/keyrings/debian-role-keys.gpg --verify debian-8.5.0-openstack.$sum.sign; done; )

If running something other than debian, then see debian's keyring page for how to get the keys.

Verifying checksums

To verify the checksums once you've verified the checksum files, run the appropriate checksum command against whichever checksum file you want to check ( see the Checksum sidebar for more information about checksums ).

The checksum files have checksums for several images that I didn't download, so this command grabs the image I'm interested in and checks its checksum.


$ grep debian-8.5.0-openstack-amd64.qcow2$ debian-8.5.0-openstack.SHA512SUMS | sha512sum -c
debian-8.5.0-openstack-amd64.qcow2: OK
$

The "OK" is what informs us that the checksum matched.


$ ( for cksum in sha512sum sha256sum sha1sum md5sum; do echo -n "$cksum "; ext=$( echo $cksum | tr 'a-z' 'A-Z' )S; grep debian-8.5.0-openstack-amd64.qcow2$ debian-8.5.0-openstack.$ext | $cksum -c; done )
sha512sum debian-8.5.0-openstack-amd64.qcow2: OK
sha256sum debian-8.5.0-openstack-amd64.qcow2: OK
sha1sum debian-8.5.0-openstack-amd64.qcow2: OK
md5sum debian-8.5.0-openstack-amd64.qcow2: OK
$
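The two procedures above (signature check, then a checksum check restricted to the downloaded image) as one script; this is an added example, not from the original post. It assumes the checksum files use the same prefix naming as the examples, verifies each checksum file's signature with gpgv before trusting it, matches the image name as a whole field instead of a loose "name$" grep, and stops on the first failure, which the loops above do not.

```shell
#!/bin/sh
# Added example (not from the original post). Layout assumed:
#   <prefix>.SHA512SUMS, <prefix>.SHA512SUMS.sign, ... next to the image.
set -u

# Check one image against one checksum file with the given tool.
# Matching on the second field avoids "name$" matching a longer filename
# and handles both "hash  name" and "hash *name" (binary mode) lines.
verify_checksum() {
    tool=$1 sums=$2 image=$3
    line=$(awk -v f="$image" '$2 == f || $2 == ("*" f)' "$sums")
    if [ -z "$line" ]; then
        echo "$image: not listed in $sums" >&2
        return 1
    fi
    printf '%s\n' "$line" | "$tool" -c
}

# Full procedure: for every checksum file present, verify its detached
# signature first (gpgv takes the signature, then the signed file), then
# the image's checksum. Any failure, or no checksum file at all, fails.
verify_image() {
    keyring=$1 prefix=$2 image=$3
    checked=0
    for tool in sha512sum sha256sum sha1sum md5sum; do
        sums="$prefix.$(echo "$tool" | tr 'a-z' 'A-Z')S"
        [ -f "$sums" ] || continue
        gpgv --keyring "$keyring" "$sums.sign" "$sums" || return 1
        verify_checksum "$tool" "$sums" "$image" || return 1
        checked=$((checked + 1))
    done
    # Refuse to report success if nothing was actually checked.
    [ "$checked" -gt 0 ]
}

# Usage (with the names from the examples above):
#   ./verify.sh /usr/share/keyrings/debian-role-keys.gpg \
#       debian-8.5.0-openstack debian-8.5.0-openstack-amd64.qcow2
if [ $# -eq 3 ]; then
    verify_image "$@"
fi
```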

GnuPG sidebar

GnuPG is the name of the project. gnupg2 and gnupg are the names of the packages in debian. gpg2 and gpg are the main commands for the two releases.

Use the following commands to see if you have GnuPG installed:

type gpg2
type gpg

If neither of those can find a command, then install GnuPG; I recommend the gnupg2 package.

sudo apt install gnupg2

Here's a short and incomplete summary of gnupg2 vs gnupg.

gnupg2 is the most recent version, so if you're starting out from nothing, just start with that.

For a server or cloud instance, gnupg has fewer dependencies and in particular doesn't depend on a gpg agent.


$ apt-cache show gnupg | grep ^Depends:
Depends: gpgv, libbz2-1.0, libc6 (>= 2.15), libreadline6 (>= 6.0), libusb-0.1-4 (>= 2:0.1.12), zlib1g (>= 1:1.1.4)
$


$ apt-cache show gnupg2 | grep ^Depends:
Depends: dpkg (>= 1.15.4) | install-info, gnupg-agent (= 2.0.26-6), libassuan0 (>= 2.0.1), libbz2-1.0, libc6 (>= 2.15), libcurl3-gnutls (>= 7.16.2), libgcrypt20 (>= 1.6.1), libgpg-error0 (>= 1.14), libksba8 (>= 1.2.0), libreadline6 (>= 6.0), zlib1g (>= 1:1.1.4)
$

Alternatively, gpgv can be used. It has fewer dependencies and a smaller executable.


$ apt-cache show gpgv | grep ^Depends:
Depends: libbz2-1.0, libc6 (>= 2.14), zlib1g (>= 1:1.1.4)
$

If using gpgv, it won't automagically determine which file to check, so pass the signed file explicitly after the signature.


$ gpgv --keyring /usr/share/keyrings/debian-role-keys.gpg debian-8.5.0-openstack.SHA512SUMS.sign debian-8.5.0-openstack.SHA512SUMS
gpgv: Signature made Thu Jun 9 19:39:03 2016 MST using RSA key ID 6294BE9B
gpgv: Good signature from "Debian CD signing key "
$

Checksum sidebar

A checksum is a one-way fingerprint of a file. The key is that it's one way. You can consistently calculate the fingerprint from the file, but you can't use the fingerprint to figure out what file it came from.

Imagine looking at the shadow of something, except that you can't determine what is making the shadow from looking at the shadow.

Some checksums, such as md5, are no longer secure. It's now relatively easy to create different files that share the same md5 checksum.

At this time it's better to use sha512sum.

It's also good to check multiple checksums. Using the shadow analogy, if you have multiple shadows ( first check for Vashta Nerada ), then it's more difficult to find a replacement object that will produce exactly the same shadows.
