[INFO] Authenticity Check

Post tutorials, HOWTO's and other useful resources here.
Post Reply
Bogomips
Full of knowledge
Full of knowledge
Posts: 2563
Joined: 25 Jun 2014, 15:21
Distribution: 3.2.2 Cinnamon & KDE5
Location: London

[INFO] Authenticity Check

Post#1 by Bogomips » 08 May 2016, 13:28

brokenman wrote: Public signing key:
http://brokenman.porteus.org/gpg.asc

I've gpg signed all files in light of recent news about another distro having its ISO hijacked. For those are interested:

Code: Select all

# Make sure you have gnupg installed and you have the .asc files next to the files to be checked.
# Initiate your keyring
gpg --gen-key

# Add the Porteus key to your keyring
gpg --keyserver hkp://keys.gnupg.net --recv-keys 0xC8EFC784FD09B1D3

# Verify the signature
gpg --verify /pth/to/file.asc
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB

Bogomips
Full of knowledge
Full of knowledge
Posts: 2563
Joined: 25 Jun 2014, 15:21
Distribution: 3.2.2 Cinnamon & KDE5
Location: London

Re: [INFO] Authenticity Check

Post#2 by Bogomips » 08 Jun 2016, 15:22

GPG
  • Verify:

    Code: Select all

    for f in  <Path of Directory holding ISO files>/*.asc; do  gpg  --verify  $f;  done
  • Examplle:

    Code: Select all

    guest@porteus:~$ for f in  p10/tmp/iso/rc3/i586/*.asc; do time gpg --verify $f; done
    
    gpg: assuming signed data in `p10/tmp/iso/rc3/i586/Porteus-CINNAMON-v3.2rc3-i586.iso'
    gpg: Signature made Mon Jun  6 06:34:38 2016 CEST using RSA key ID FD09B1D3
    gpg: Good signature from "Jay Flood (Porteus file signing key) <brokenman@porteus.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 8C51 874B C5E9 AD17 A382  9F3F C8EF C784 FD09 B1D3
    
    Etcetera
MD5SUM
  • Check:

    Code: Select all

    cd  <Path of Directory holding ISO files>
    md5sum  -c  md5sums.txt
    
  • Example:

    Code: Select all

    cd  p10/tmp/iso/rc3/x86_64
    guest@porteus:~/p10/tmp/iso/rc3/x86_64$ md5sum -c md5sums.txt
    md5sum: ./bundles/guake-0.8.5-x86_64-cinnamon-1bundle.xzm: No such file or directory
    ./bundles/guake-0.8.5-x86_64-cinnamon-1bundle.xzm: FAILED open or read
    ...
    ./Porteus-XFCE-v3.2rc3-x86_64.iso.asc: OK
    ./Porteus-KDE-v3.2rc3-x86_64.iso.asc: OK
    ...
    ./Porteus-KDE-v3.2rc3-x86_64.iso: OK
    ./Porteus-MATE-v3.2rc3-x86_64.iso: OK
    ./Porteus-MATE-v3.2rc3-x86_64.iso.asc: OK
    ./Porteus-CINNAMON-v3.2rc3-x86_64.iso.asc: OK
    
    etc.
    
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB

User avatar
francois
Contributor
Contributor
Posts: 5068
Joined: 28 Dec 2010, 14:25
Distribution: kde xfce porteus manjaro kubun
Location: Enfin l'été, le changement climatique attendu: le soleil.

Re: [INFO] Authenticity Check

Post#3 by francois » 24 Sep 2016, 19:02

Good procedure. How many of us uses it.
Voltaire: Le mieux est l'ennemi du bien.

User avatar
brokenman
Site Admin
Site Admin
Posts: 5550
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil
Contact:

Re: [INFO] Authenticity Check

Post#4 by brokenman » 24 Sep 2016, 22:49

Without fail. Especially when I am downloading a kernel or some other major package.
How do i become super user?
Wear your underpants on the outside and put on a cape.

Post Reply