Verifying ISO-Images

About signing

All official openSUSE released RPMs and ISO images are signed with the official “SuSE Package Signing Key <build@suse.de>”.

You should download the *.asc signatures and *.sha1 hashes directly from the download.opensuse.org server. This is to help ensure the integrity of the signature files.

The public key can also be downloaded from any key server (e.g., blackhole.pca.dfn.de).

Checking Signatures

The following example details how signature interaction works. In this example, you are already assumed to have downloaded the latest openSUSE ISO image “openSUSE-11.1-DVD-i386.iso” and “openSUSE-11.1-DVD-i386.asc” (the detached signature).

This example uses the GNU Privacy Guard. Any OpenPGP-compliant program should work successfully.

First, we will check the detached signature (openSUSE-11.1-DVD-i386.asc) against our released ISO file (openSUSE-11.1-DVD-i386.iso):

% gpg openSUSE-11.1-DVD-i386.asc

gpg: Signature made Sat Dec 10 07:21:28 2008 PST using DSA key ID 9C800ACA

gpg: Can’t check signature: public key not found

If this message appears, you don’t have the SuSE Package Signing Key installed in your keyring. You now need to retrieve the public key from a key server. One popular server is pgpkeys.mit.edu (which has a web interface). The public key servers are linked together, so you should be able to connect to any key server.

% gpg --keyserver pgpkeys.mit.edu --recv-key 9C800ACA

gpg: requesting key 9C800ACA from HKP keyserver pgpkeys.mit.edu

gpg: trustdb created

gpg: key 9C800ACA: public key “SuSE Package Signing Key <build@suse.de>” imported

gpg: Total number processed: 1

gpg: imported: 1

In this example, you have now received the public key for all official openSUSE released files. However, you have no way of verifying this key was created by the openSUSE Team. But, let’s try to verify the release signature again:

% gpg openSUSE-11.1-DVD-i386.asc

gpg: Signature made Sat Dec 10 07:21:28 2008 PST using DSA key ID 9C800ACA

gpg: Good signature from “SuSE Package Signing Key <build@suse.de>”

gpg: checking the trustdb

gpg: no ultimately trusted keys found

gpg: WARNING: This key is not certified with a trusted signature!

gpg: There is no indication that the signature belongs to the owner.

Fingerprint: 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA

At this point, the signature is good, but we don’t trust this key. A good signature means that the file has not been tampered with. However, due to the nature of public key cryptography, you need to additionally verify that key 9C800ACA was created by the real openSUSE Team.

Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. If you then tried to verify the signature of this corrupt release, it would succeed, because you would be checking it against the attacker’s key rather than the ‘real’ key. Therefore, you need to validate the authenticity of this key.
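One way to automate that last check, as an added example that is not part of the original post or of openSUSE's tooling: accept a signature only when GnuPG's machine-readable status output names a pinned full fingerprint, rather than trusting a "Good signature" line or the short key ID. The function names, the verify_iso wrapper and the sample status lines are assumptions made for illustration; the pinned fingerprint is the one printed above and should in practice be confirmed through a channel independent of the key server.

```shell
#!/bin/sh
# Added example: accept a signature only if it was made by a pinned key.
# check_status reads `gpg --status-fd 1 --verify ...` output on stdin.

normalize_fpr() {   # strip spaces, uppercase
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# check_status EXPECTED_FPR ; returns 0 only for a valid signature by that key
check_status() {
    want=$(normalize_fpr "$1")
    case "$want" in ""|*[!0-9A-F]*) return 1 ;; esac   # hex digits only
    [ "${#want}" -eq 40 ] || return 1                  # full fingerprint, not a key ID
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; field 3 the signing (sub)key.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1
        }
        # Treat bad signatures and expired or revoked keys/signatures as failures.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_iso SIGFILE ISOFILE EXPECTED_FPR (hypothetical wrapper; needs gpg installed)
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Fingerprint as printed on the page; in practice take it from a trusted channel.
PINNED="79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA"

# Constructed status output: signature by the pinned key.
SAMPLE_GOOD='[GNUPG:] GOODSIG A84EDAE89C800ACA SuSE Package Signing Key <build@suse.de>
[GNUPG:] VALIDSIG 79C179B2E1C820C1890F9994A84EDAE89C800ACA 2008-12-10 1228922488 0 3 0 17 2 00 79C179B2E1C820C1890F9994A84EDAE89C800ACA'

# Constructed status output: valid signature by a different key whose
# short ID is also 9C800ACA (fingerprint is a made-up value).
SAMPLE_OTHER='[GNUPG:] GOODSIG 89ABCDEF9C800ACA SuSE Package Signing Key <build@suse.de>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF9C800ACA 2008-12-10 1228922488 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF9C800ACA'

if printf '%s\n' "$SAMPLE_GOOD" | check_status "$PINNED"; then echo "pinned key: accepted"; fi
if ! printf '%s\n' "$SAMPLE_OTHER" | check_status "$PINNED"; then echo "other key: rejected"; fi
```

With the files from this example, the call would be verify_iso openSUSE-11.1-DVD-i386.asc openSUSE-11.1-DVD-i386.iso "$PINNED".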
