rated 0 times [  8] [ 0]  / answers: 1 / hits: 7776  / 3 Years ago, tue, november 23, 2021, 12:47:48

I want to verify that a downloaded ISO is not being poisoned by the NSA or any other immoral agent. To do this I would very much like to use a signature-checking method.

I am aware of VerifyIsoHowto. Still, I am not very happy with what is offered. If some agent can manipulate one file download, he surely can manipulate all file downloads. So the public key I get from a key server can just be cheated to make the manipulated ISO file check out okay, while in fact it has had a rootkit or worse injected.

Now I am aware that there is unfortunately no 100% sure way. But starting with the assumption that my current system is safe, I have those keys used in the SecureApt mechanism.

My question therefore:

How can the keys that I already trust in SecureApt (= the ordinary Ubuntu repository keys) be used to verify a freshly downloaded ISO?

Indeed it would also serve me well if I could, via the Ubuntu repo (and hence in a deb that is verified implicitly via SecureApt), get those public keys which would be necessary to verify the signature of the ISO.

Any help would be greatly appreciated.

PS: of course I am aware that if Canonical is immoral and collaborates with the NSA (which has money, hey) we are all poisoned anyhow. Let's just assume something like this could never happen, ok?


Answers

The following steps allow you to verify the SHA256SUMS file for the downloaded Ubuntu iso:




  1. Open Terminal (CTRL+ALT+T)

  2. Import the keys from /usr/share/keyrings/ubuntu-archive-keyring.gpg via gpg --import /usr/share/keyrings/ubuntu-archive-keyring.gpg. You should see something like this:




    gpg: keyring `/root/.gnupg/secring.gpg' created
    gpg: key 437D05B5: public key "Ubuntu Archive Automatic Signing Key " imported
    gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key " imported
    gpg: Total number processed: 2
    gpg: imported: 2
    gpg: no ultimately trusted keys found


    The line




    gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key " imported


    shows you that the GPG key you imported for signing CD images (iso files) is the one with the following fingerprint:



    Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451


    and hence the ID FBB75451


  3. Having imported the key you can then download the files SHA256SUMS, MD5SUMS, SHA1SUMS and their respective signatures SHA256SUMS.gpg, MD5SUMS.gpg


  4. Now you can use this command gpg --verify SHA256SUMS.gpg SHA256SUMS to check if the file SHA256SUMS is legitimate. If so then you should see something like this:




    gpg: Signature made Thu 14 Feb 2013 06:38:41 PM CET using DSA key ID FBB75451
    gpg: Good signature from "Ubuntu CD Image Automatic Signing Key "
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451


    If the SHA256SUMS file has been altered then something like this will appear instead:




    gpg: Signature made Thu 14 Feb 2013 06:38:41 PM CET using DSA key ID FBB75451
    gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key "



Basically, instead of following step 2 in the howto referred to in the question and getting the key from the keyserver, which may have been compromised, you use the key provided with your existing Ubuntu installation that you trust.


[#30148] Tuesday, November 23, 2021
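The procedure above, as an added shell example (not the answer's own code): it assumes gpg, sha256sum and the keyring path the answer names, imports that keyring into a throwaway GNUPGHOME so no keyserver key is consulted, pins the fingerprint the answer quotes (the "not certified" warning means gpg will not do that for you), and then checks the ISO's hash against the verified SHA256SUMS.

```shell
#!/usr/bin/env bash
# Added example, not part of the original answer. Runs the answer's procedure with
# two extra checks: gpg uses a throwaway keyring holding only the archive keyring's
# keys, and the signing fingerprint is pinned, because "Good signature" alone is
# also printed for any other key gpg happens to know.
set -eu
# Fingerprint of the "Ubuntu CD Image Automatic Signing Key" quoted in the answer.
EXPECTED_FPR="C5986B4F1257FFA86632CBA746181433FBB75451"

# Read gpg --status-fd lines on stdin; succeed only on a VALIDSIG whose fingerprint
# (the field after VALIDSIG, or the primary fingerprint at the end of the line when
# a subkey signed) equals the pinned one. Any BADSIG/ERRSIG line fails immediately.
check_status() {
  want="$1"; good=0
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        rest=${line#"[GNUPG:] VALIDSIG "}
        fpr=${rest%% *}; primary=${line##* }
        if [ "$fpr" = "$want" ] || [ "$primary" = "$want" ]; then good=1; fi ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) return 1 ;;
    esac
  done
  [ "$good" -eq 1 ]
}

# Read a SHA256SUMS listing on stdin ("<hash> *<file>") and compare the entry for
# file $1 with the hash in $2. Succeeds only on an exact match.
iso_hash_matches() {
  expected=$(awk -v f="$1" '{ n=$2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }')
  [ -n "$expected" ] && [ "$expected" = "$2" ]
}

# End to end: needs gpg, sha256sum, the local archive keyring, and SHA256SUMS plus
# SHA256SUMS.gpg downloaded into the current directory next to the ISO.
verify_iso() {
  iso="$1"; tmp=$(mktemp -d)
  GNUPGHOME="$tmp" gpg --quiet --import /usr/share/keyrings/ubuntu-archive-keyring.gpg
  status=$(GNUPGHOME="$tmp" gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null || true)
  rm -rf "$tmp"
  printf '%s\n' "$status" | check_status "$EXPECTED_FPR" || { echo "signature check FAILED" >&2; return 1; }
  iso_hash_matches "$iso" "$(sha256sum "$iso" | cut -d' ' -f1)" < SHA256SUMS
}

# Constructed sample gpg status output and SHA256SUMS entries for exercising the
# parsers offline (dates and hash values are made up; the fingerprint is the answer's).
GOOD_STATUS="[GNUPG:] VALIDSIG $EXPECTED_FPR 2013-02-14 1360863521 0 4 0 17 2 00 $EXPECTED_FPR"
BAD_STATUS="[GNUPG:] BADSIG 46181433FBB75451 Ubuntu CD Image Automatic Signing Key"
OTHER_KEY_STATUS="[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2013-02-14 1 0 4 0 17 2 00 0000000000000000000000000000000000000000"
SAMPLE_SUMS="deadbeef *ubuntu-20.04.iso
cafebabe *ubuntu-20.04-live-server.iso"
```

Run `verify_iso ubuntu-20.04.iso` (with your real ISO name) in the directory holding the downloaded files; it exits non-zero if either the signature or the hash does not check out.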