GPG/PGP Keys - Part 3: Verifying the signature file (.sign) of Debian ISO images
Welcome to Part 3 of GPG/PGP Key series.
What we will learn: In this part we will learn how to verify the signature file (the .sign file) that commonly accompanies downloads on web servers. Although such a file is often called an "encrypted signature", it is not encrypted at all: it is a detached GPG signature over the checksum file, and verifying it tells you which key signed that file.
Example: Suppose you decide to download Debian's netinst CD image from one of the Debian HTTP mirrors. You will notice that alongside the images there are two files named:
- MD5SUMS
- MD5SUMS.sign
If you are wondering how to use those two files, then this tutorial is for you.
Step 1: Download the ISO image
You can download any ISO image you like from the HTTP server, but for this tutorial we will use the netinst CD image as an example. So go ahead and download the ISO image first. Suppose you saved it in your home directory, "/home/kushalk".
Step 2: Verify the MD5SUM
We already covered this step in one of my previous posts. I highly encourage you to read it before reading any further.
First we will verify that the ISO image we downloaded has not been tampered with since it was uploaded. Attackers sometimes break into web servers and modify the files/images hosted there, so we need to make sure that what we downloaded is indeed what we wanted. Here we make use of the file MD5SUMS. Download MD5SUMS into the same "/home/kushalk" directory. At this point you should have both the ISO image (from Step 1) and the MD5SUMS file (from this step) in your home directory.
Once you have both of them, run the following command from that directory:
# md5sum -c MD5SUMS
and somewhere in the output you should see the following line (in green):
debian-500-i386-CD-9.iso: FAILED open or read
md5sum: debian-500-i386-businesscard.iso: No such file or directory
debian-500-i386-businesscard.iso: FAILED open or read
md5sum: debian-500-i386-kde-CD-1.iso: No such file or directory
debian-500-i386-kde-CD-1.iso: FAILED open or read
debian-500-i386-netinst.iso: OK
md5sum: debian-500-i386-xfce+lxde-CD-1.iso
We get lots of FAILED and "No such file or directory" messages because we downloaded only one ISO image, while the MD5SUMS file contains checksums for all the ISO images on Debian's server. Only the line for the image you actually downloaded matters, and it must say OK.
Step 3: Verify the signature (MD5SUMS.sign)
Now there is one more step to verify that the ISO image we downloaded is really authentic, and we do this by verifying MD5SUMS.sign. In this step we confirm that the MD5SUMS file was signed by the person who claims to have generated it.
Imagine this: what if some malicious person breaks into the server, generates ISO files (with bogus content), generates a matching MD5SUMS file and puts both up there? You go to the web server, download the ISO and MD5SUMS and verify the checksum just as in Step 2. The checksum will verify, but the file is not what we were supposed to download. That is why it is essential to confirm that the MD5SUMS file really was published by the person who is supposed to publish it. An attacker who does not hold that person's private key cannot produce a valid signature over a forged MD5SUMS, and that is what the check below relies on.
First we find the Key-ID of the key that signed the file:
# gpg --verify MD5SUMS.sign
and you should see something like this:
gpg: Signature made Sat 14 Feb 2009 11:51:23 PM PST using DSA key ID 88C7C1F7
gpg: Can't check signature: public key not found
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 88C7C1F7
gpg: requesting key 88C7C1F7 from hkp server subkeys.pgp.net
gpg: key 88C7C1F7: public key "Steve McIntyre <steve@einval.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1
As you can see, we have successfully imported the key into our keyring. You can verify this with the following command:
# gpg --list-keys
pub 1024D/88C7C1F7 1999-01-30
uid Steve McIntyre <steve@einval.com>
uid Steve McIntyre <93sam@debian.org>
uid Steve McIntyre <stevem@chiark.greenend.org.uk>
sub 1024g/9315EA5D 1999-01-30
Finally, you can now verify whether the MD5SUMS file was actually signed by Steve's key or not:
# gpg --verify MD5SUMS.sign
gpg: Signature made Sat 14 Feb 2009 11:51:23 PM PST using DSA key ID 88C7C1F7
gpg: Good signature from "Steve McIntyre <steve@einval.com>"
gpg: aka "Steve McIntyre <93sam@debian.org>"
gpg: aka "Steve McIntyre <stevem@chiark.greenend.org.uk>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: AC65 6D79 E362 32CF 77BB B0E8 7C3B 7970 88C7 C1F7
Additional Notes:
In reality, the way you find out a person's Key-ID (and, more importantly, the full fingerprint of the key) is by knowing it in advance: for example from a key signing party, or because the person sent you their public key by e-mail or on a CD/floppy. That is also what the WARNING above is telling you: "Good signature" only proves that the file was signed by the key with fingerprint AC65 6D79 E362 32CF 77BB B0E8 7C3B 7970 88C7 C1F7, not that this key belongs to the person or project you expect, so compare that fingerprint against one obtained from an independent source (the Debian website publishes the fingerprints of its CD signing keys). In this example we are assuming that the Debian servers are not breached and that the ISO images were uploaded by Steve. Two more things to keep in mind: MD5 is no longer considered collision resistant, and Debian also publishes SHA256SUMS and SHA512SUMS files with matching .sign files, which are verified in exactly the same way; and the subkeys.pgp.net keyserver used above may no longer be reachable, so fetch the key from a current keyserver instead.
That's it! Congratulations! You have successfully verified your ISO image and the MD5SUMS file.
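Steps 2 and 3 collapsed into one small POSIX shell script, as an added example that is not part of the original post: it checks only the MD5SUMS line for the image you actually downloaded (so none of the FAILED noise from Step 2 appears), verifies the detached signature using gpg's machine-readable --status-fd output instead of parsing the human-readable text, and compares the signing key's fingerprint against one you supply from an independent source. The function names, the verify_image wrapper and the file names in the usage comment are assumptions of this example; the fingerprint in the usage comment is the one printed by gpg above.

```shell
#!/bin/sh
# Added example, not from the original post: Steps 2 and 3 as one script.
# Assumes GNU coreutils (md5sum, awk, tr) and gpg are installed, and that the
# caller supplies the expected key fingerprint from an independent source.

# Print the checksum line for exactly one file out of a SUMS file, so that
# md5sum -c is not run over every image Debian ships (that is where the
# "FAILED open or read" noise in Step 2 comes from). Lines look like
#   <hex digest>  <filename>      (a leading "*" on the name means binary mode)
# Filenames containing spaces are not handled (Debian image names have none).
checksum_line_for() {
    sumsfile="$1"; name="$2"
    awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print }' "$sumsfile"
}

# Succeed only if NAME is listed in SUMSFILE and its digest matches.
# A missing line, an unreadable file or a mismatch all fail closed.
check_one_sum() {
    sumsfile="$1"; name="$2"
    line=$(checksum_line_for "$sumsfile" "$name")
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | md5sum -c --status -
}

# Read gpg --status-fd output on stdin and print "<signing key fpr> <primary key fpr>"
# for a good signature, or nothing. VALIDSIG alone is not enough: gpg also emits
# it after EXPKEYSIG/REVKEYSIG, so a GOODSIG line must have been seen first.
fingerprint_from_status() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" && good { print $3, $NF; exit }'
}

# Succeed only if SIGFILE is a good detached signature over DATAFILE made by the
# key whose full fingerprint is EXPECTED. EXPECTED may be written with spaces,
# as gpg prints it ("AC65 6D79 ... 88C7 C1F7"). Matching the primary key
# fingerprint as well covers keys that sign with a subkey.
verify_signed_by() {
    sigfile="$1"; datafile="$2"; expected="$3"
    want=$(printf '%s' "$expected" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    got=$(gpg --status-fd 1 --verify "$sigfile" "$datafile" 2>/dev/null | fingerprint_from_status)
    set -- $got                      # $1 = signing key fpr, $2 = primary key fpr
    [ -n "$1" ] || return 1
    [ "$1" = "$want" ] || [ "$2" = "$want" ]
}

# Signature first, then checksum: the checksum list is only worth consulting
# once we know who published it.
verify_image() {
    iso="$1"; sums="$2"; sig="$3"; fpr="$4"
    verify_signed_by "$sig" "$sums" "$fpr" || { echo "$sig: signature check FAILED"; return 1; }
    check_one_sum "$sums" "$iso"          || { echo "$iso: checksum check FAILED";  return 1; }
    echo "$iso: signature and checksum OK"
}

# Usage (hypothetical script name):
#   sh verify_image.sh debian-500-i386-netinst.iso MD5SUMS MD5SUMS.sign \
#       "AC65 6D79 E362 32CF 77BB B0E8 7C3B 7970 88C7 C1F7"
if [ "$#" -eq 4 ]; then
    verify_image "$@"
fi
```

Run it from the directory that holds the image, MD5SUMS and MD5SUMS.sign. Because the script keys on the fingerprint you pass in rather than on gpg's "Good signature" text, the trust WARNING printed in Step 3 no longer matters for the check: you are stating explicitly which key you expect, and anything else fails.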
Part 4: Signing/Encrypting a file using GPG/PGP key
April 15th, 2009 at 9:32 am
Thanks for the tip. I have been looking for so long on how to verify those Debian Images.
Admin Reply:
April 15th, 2009 at 9:37 am
Glad to be of help!
December 2nd, 2010 at 5:01 pm
Thanks, it was helpful.
Keep up the good work.