
Verifying a Devuan download


Spiros Bousbouras

Oct 26, 2022, 4:56:02 PM
I don't know of a Devuan specific group so I'm posting to 2 general Linux
ones.

From https://files.devuan.org/devuan_chimaera/desktop-live/ I downloaded
devuan_chimaera_4.0.2_amd64_desktop-live.iso . The SHA-256 sum , given by
a different file on the same page , matches. Do I need to verify anything
else , say something GPG related ? There is for example a SHA256SUMS.txt.asc
file on the same page and on https://files.devuan.org/ there exist also
devuan-archive-keyring.gpg and devuan-devs.gpg . Do I need to do anything
with those ?

For my general education , what additional protections will any GPG checks
offer ? I assume that the HTTPS makes it unlikely that I was the victim of
a MITM attack and accessed the wrong sites. So what does the GPG do on top
of that ?

--
Why does he have to recharge at least 10 times during the movie, did
Apple make him?
www.imdb.com/review/rw2966641

David W. Hodgins

Oct 26, 2022, 5:04:51 PM
On Wed, 26 Oct 2022 16:55:58 -0400, Spiros Bousbouras <spi...@gmail.com> wrote:

> I don't know of a Devuan specific group so I'm posting to 2 general Linux
> ones.
>
> From https://files.devuan.org/devuan_chimaera/desktop-live/ I downloaded
> devuan_chimaera_4.0.2_amd64_desktop-live.iso . The SHA-256 sum , given by
> a different file on the same page , matches. Do I need to verify anything
> else , say something GPG related ? There is for example a SHA256SUMS.txt.asc
> file on the same page and on https://files.devuan.org/ there exist also
> devuan-archive-keyring.gpg and devuan-devs.gpg . Do I need to do anything
> with those ?
>
> For my general education , what additional protections will any GPG checks
> offer ? I assume that the HTTPS makes it unlikely that I was the victim of
> a MITM attack and accessed the wrong sites. So what does the GPG do on top
> of that ?

It ensures the file hasn't been tampered with, for example by the site being
hacked, since the owner of the key created the signature.

The SHA256SUMS.txt.asc is likely a detached signature of the SHA256SUMS file.
Put them both in the same directory and use "SHA256SUMS.txt.asc" to verify
that the SHA256SUMS file hasn't been altered.

Regards, Dave Hodgins

Rich

Oct 26, 2022, 5:27:11 PM
Spiros Bousbouras <spi...@gmail.com> wrote:
> I don't know of a Devuan specific group so I'm posting to 2 general Linux
> ones.
>
> From https://files.devuan.org/devuan_chimaera/desktop-live/ I downloaded
> devuan_chimaera_4.0.2_amd64_desktop-live.iso . The SHA-256 sum , given by
> a different file on the same page , matches. Do I need to verify anything
> else , say something GPG related ? There is for example a SHA256SUMS.txt.asc
> file on the same page and on https://files.devuan.org/ there exist also
> devuan-archive-keyring.gpg and devuan-devs.gpg . Do I need to do anything
> with those ?
>
> For my general education , what additional protections will any GPG checks
> offer ?

That the signature matches the download file, and that someone
breaching the website can't replace the download and install a new
matching signature file, whereupon your sha256sum will report that the
download matches the signature.

To regenerate a new GPG signature the attacker would need the GPG
private key associated with the signature file to generate a new
signature file, and if the private key is not also on the website (it
should not be on the site) then someone simply breaching the site can't
substitute their exploited file for the real file.

> I assume that the HTTPS makes it unlikely that I was the victim of
> a MITM attack and accessed the wrong sites.

But, https offers no protection to someone gaining access to the site,
and replacing the download file and the sha256 signature file with two
new files, an exploited download and a new sha256 to match the
exploited file.

> So what does the GPG do on top of that ?

The added benefit that in order to generate the signature, the person
doing the generating needed the GPG private key, under the assumption
that the private key was kept secure.

Fenris

Oct 26, 2022, 5:35:33 PM
["Followup-To:" header set to comp.os.linux.misc.]
On 2022-10-26, Spiros Bousbouras <spi...@gmail.com> wrote:
> I don't know of a Devuan specific group so I'm posting to 2 general Linux
> ones.
>
> From https://files.devuan.org/devuan_chimaera/desktop-live/ I downloaded
> devuan_chimaera_4.0.2_amd64_desktop-live.iso . The SHA-256 sum , given by
> a different file on the same page , matches. Do I need to verify anything
> else , say something GPG related ? There is for example a SHA256SUMS.txt.asc
> file on the same page and on https://files.devuan.org/ there exist also
> devuan-archive-keyring.gpg and devuan-devs.gpg . Do I need to do anything
> with those ?

Go for it, that's for sure.

Richard Kettlewell

Oct 27, 2022, 5:10:14 AM
Rich <ri...@example.invalid> writes:
> Spiros Bousbouras <spi...@gmail.com> wrote:
>> I don't know of a Devuan specific group so I'm posting to 2 general Linux
>> ones.
>>
>> From https://files.devuan.org/devuan_chimaera/desktop-live/ I downloaded
>> devuan_chimaera_4.0.2_amd64_desktop-live.iso . The SHA-256 sum , given by
>> a different file on the same page , matches. Do I need to verify anything
>> else , say something GPG related ? There is for example a SHA256SUMS.txt.asc
>> file on the same page and on https://files.devuan.org/ there exist also
>> devuan-archive-keyring.gpg and devuan-devs.gpg . Do I need to do anything
>> with those ?
>>
>> For my general education , what additional protections will any GPG checks
>> offer ?
>
> That the signature matches the download file, and that someone
> breaching the website can't replace the download and install a new
> matching signature file, whereupon your sha256sum will report that the
> download matches the signature.

Since the public key is on the same site, it offers no protection at
all. Someone who tampered with the ISO would also replace the public
key with their own and generate a new signature for the tampered ISO.

Spiros needs some other trust path to the key, otherwise they will just
be wasting their time.

--
http://www.greenend.org.uk/rjk/
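A script that puts Dave's two-step procedure (verify the detached signature on the checksum list, then check the ISO against that list) together with Richard's objection (a key fetched from the same site proves nothing). This is an added example written for this thread, not code from Devuan or from anyone posting here. It assumes you have already imported the release-signing key into a separate keyring file from a copy you obtained through some other channel, and that you know that key's full fingerprint; the fingerprint used below is the one that appears in gpg output elsewhere in this thread and is only a placeholder for whatever you confirmed yourself. The Devuan file names are real; the script name, the keyring path and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example for this thread (not Devuan's code, not anyone's post).
# Step 1: verify the detached signature on the checksum list, accepting it
#         only if it was made by a key whose fingerprint you pinned out of band.
# Step 2: compare the ISO against its own line in the signed checksum list.
set -eu

# Fingerprint of the key you verified through another channel. Placeholder:
# this value is the one shown in gpg output elsewhere in the thread; replace
# it with the fingerprint you confirmed yourself.
PINNED_FPR="${PINNED_FPR:-67F5013216271E85C251E480A73823D3094C5620}"

# verify_sums_signature SUMS SIG KEYRING
# KEYRING is a keyring file you built from an out-of-band copy of the key,
# deliberately NOT the devuan-devs.gpg served next to the ISO.
# Succeeds only on a GOODSIG (so an expired or revoked key is rejected)
# whose VALIDSIG line carries the pinned fingerprint.
verify_sums_signature() {
    sums=$1; sig=$2; keyring=$3
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $PINNED_FPR " || return 1
}

# check_iso_sum SUMS ISO
# Reads only the entry for ISO's basename (sha256sum "hash  name" or
# "hash *name" format), so extra entries in the list are ignored and a
# missing entry is a failure rather than a silent pass.
check_iso_sum() {
    sums=$1; iso=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) { print tolower($1); exit } }
    ' "$sums")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Usage, from the download directory (keyring path is a constructed example):
#   sh verify_download.sh SHA256SUMS.txt SHA256SUMS.txt.asc \
#       ~/keys/devuan-pinned.gpg devuan_chimaera_4.0.2_amd64_desktop-live.iso
if [ $# -eq 4 ]; then
    verify_sums_signature "$1" "$2" "$3" || { echo "FAIL: signature not from pinned key"; exit 1; }
    check_iso_sum "$1" "$4" || { echo "FAIL: checksum mismatch or file not listed"; exit 1; }
    echo "OK: $4 matches the signed checksum list"
fi
```

The point of the pinned fingerprint is that a site compromise which swaps the ISO, SHA256SUMS.txt, SHA256SUMS.txt.asc and devuan-devs.gpg together still fails here, because the attacker's key does not match the fingerprint you recorded independently. Note that gpg exits 0 for a good signature from an expired key and reports EXPKEYSIG rather than GOODSIG; this script treats that as a failure, so a key in the state shown later in the thread ("[expired]") would have to be refreshed from a source you trust before the check passes.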

Anssi Saari

Oct 27, 2022, 7:22:19 AM
Richard Kettlewell <inv...@invalid.invalid> writes:

> Since the public key is on the same site, it offers no protection at
> all. Someone who tampered with the ISO would also replace the public
> key with their own and generate a new signature for the tampered ISO.

> Spiros needs some other trust path to the key, otherwise they will just
> be wasting their time.

What's a trust path today though? Last time I looked into it, it meant
getting the public key from the signer in person. For practical purposes
keyservers are used and are presumably somewhat more reliable than a
public key stored with a download. But how much more reliable?

David W. Hodgins

Oct 27, 2022, 1:36:02 PM
It depends on who has signed the key.
https://en.wikipedia.org/wiki/Web_of_trust

Regards, Dave Hodgins

David W. Hodgins

Oct 27, 2022, 1:36:03 PM
The keys are also distributed on the pgp public key servers. For example see
https://pgp.mit.edu/pks/lookup?search=Devuan&op=index

Regards, Dave Hodgins

Richard Kettlewell

Oct 27, 2022, 6:03:34 PM
Anssi Saari <a...@sci.fi> writes:
> Richard Kettlewell <inv...@invalid.invalid> writes:
>> Since the public key is on the same site, it offers no protection at
>> all. Someone who tampered with the ISO would also replace the public
>> key with their own and generate a new signature for the tampered ISO.
>
>> Spiros needs some other trust path to the key, otherwise they will just
>> be wasting their time.
>
> What's a trust path today though? Last time I looked into it, it meant
> getting the public key from the signer in person.

The theory is you trust certain other people to certify the keys of
people that they’ve met, and (potentially) so on for multiple hops. It
seems like it only works well in specific environments.

In this case, the only signatures attached to the ISO signing key are
apparently from other keys owned by the same person. So we have no
evidence that the signing key belongs to anyone in particular, much less
to a legitimate signer of devuan ISOs.

$ gpg --verify SHA256SUMS.txt.asc SHA256SUMS.txt
gpg: Signature made Sat 10 Sep 2022 14:45:32 BST
gpg: using RSA key 67F5013216271E85C251E480A73823D3094C5620
gpg: Good signature from "fsmithred (aka fsr) <fsmi...@gmail.com>" [expired]
gpg: Note: This key has expired!
$ gpg --list-sigs 67F5013216271E85C251E480A73823D3094C5620
pub rsa4096/A73823D3094C5620 2017-10-07 [SC] [expired: 2021-09-20]
67F5013216271E85C251E480A73823D3094C5620
uid [ expired] fsmithred (aka fsr) <fsmi...@gmail.com>
sig 3 A73823D3094C5620 2017-10-07 fsmithred (aka fsr) <fsmi...@gmail.com>
sig 632FA518ACDCBE05 2017-10-07 fsmithred <fsmi...@gmail.com>
sig 3 A73823D3094C5620 2018-09-09 fsmithred (aka fsr) <fsmi...@gmail.com>
sig 3 A73823D3094C5620 2019-09-21 fsmithred (aka fsr) <fsmi...@gmail.com>

So I think you’re out of luck for a GPG-based trust path.

> For practical purposes keyservers are used and are presumably somewhat
> more reliable than a public key stored with a download. But how much
> more reliable?

It would be less reliable. Key servers are there to transport keys, not
to certify them.

--
http://www.greenend.org.uk/rjk/

Spiros Bousbouras

Oct 28, 2022, 6:51:43 AM
Which file is the public key ?

> Spiros needs some other trust path to the key, otherwise they will just
> be wasting their time.

In principle , what would be a good trust path ? In
<wwv7d0k...@LkoBDZeT.terraraq.uk> you say that even getting the key
from a keyserver would not be good enough. Then what ?

An extra complication here is that it's not clear how to verify who are the
correct persons to upload Devuan ISOs . I mean for Slackware for example , it
is well known that Patrick Volkerding is the maintainer but is there any such
well known person for Devuan ? Without this information , even in the
hypothetical scenario that I were to meet someone in person and he showed me
ID and he gave me in person his public key for Devuan , how would I know that
I wouldn't be talking to a cracker ? How do other Linux distributions handle
such things (especially the less popular ones) or even BSDs ?

--
vlaho.ninja/prog

Richard Kettlewell

Oct 28, 2022, 8:21:02 AM
Spiros Bousbouras <spi...@gmail.com> writes:
> In principle , what would be a good trust path ? In
> <wwv7d0k...@LkoBDZeT.terraraq.uk> you say that even getting the key
> from a keyserver would not be good enough. Then what ?

There probably isn’t one, in this case.

> An extra complication here is that it's not clear how to verify who
> are the correct persons to upload Devuan ISOs . I mean for Slackware
> for example , it is well known that Patrick Volkerding is the
> maintainer but is there any such well known person for Devuan ?
> Without this information , even in the hypothetical scenario that I
> were to meet someone in person and he showed me ID and he gave me in
> person his public key for Devuan , how would I know that I wouldn't be
> talking to a cracker ?

Indeed, you’d have no idea.

> How do other Linux distributions handle such things (especially the
> less popular ones) or even BSDs ?

Debian is pretty good at maintaining a web of trust between its own
developers and that extends widely enough into the general developer
community that I’m usually able to find trust paths to them via people
I’ve exchanged keys with in person. But their ISO signing key does not
appear to carry any signatures, so a PGP-based trust path to it doesn’t
seem to be an option.

It is, on the other hand, listed by ID on their other websites,
e.g. https://wiki.debian.org/DebianLive, so you can exploit that to rule
out tampering by mirror sites, with a level of confidence related to
your trust in Internet PKI (i.e. the trust anchors built into your web
browser).

--
http://www.greenend.org.uk/rjk/

Andrei Z.

Oct 28, 2022, 8:29:24 AM
Spiros Bousbouras wrote:
> An extra complication here is that it's not clear how to verify who are the
> correct persons to upload Devuan ISOs . I mean for Slackware for example , it
> is well known that Patrick Volkerding is the maintainer but is there any such
> well known person for Devuan ? Without this information , even in the
> hypothetical scenario that I were to meet someone in person and he showed me
> ID and he gave me in person his public key for Devuan , how would I know that
> I wouldn't be talking to a cracker ? How do other Linux distributions handle
> such things (especially the less popular ones) or even BSDs ?
>
For example

Install Tails from Debian or Ubuntu using the command line and GnuPG

https://tails.boum.org/install/expert/index.en.html

2/9 Verify the Tails signing key

Spiros Bousbouras

Oct 28, 2022, 1:32:49 PM
On Thu, 27 Oct 2022 12:00:49 -0400
"David W. Hodgins" <dwho...@nomail.afraid.org> wrote:
> The keys are also distributed on the pgp public key servers. For example see
> https://pgp.mit.edu/pks/lookup?search=Devuan&op=index

Ok , I went to the link but I don't know how to interpret what I see. For example
at the top there is

pub 4096R/D104092C 2022-09-22 Devuan Release Signing (Excalibur) <repos...@devuan.org>

What does this mean ? Following a link on the 1st line I go to
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xB3982868D104092C .
On that page there are a few links including one for
fsmithred who also appears on
https://files.devuan.org/devuan_chimaera/desktop-live/README_desktop-live.txt .
Is https://pgp.mit.edu/pks/lookup?op=get&search=0xA73823D3094C5620
the public key that I need ?

--
Some calisthenics programs are better than others.
"The emissary" , STNG

David W. Hodgins

Oct 28, 2022, 5:09:41 PM
Yes. Or if you have gpg set up with key servers configured ...

$ gpg --recv-keys 0xA73823D3094C5620
<snip lots of output>
gpg: Total number processed: 1
gpg: imported: 1

$ gpg --list-key 0xA73823D3094C5620
/home/dave/.gnupg/gpg.conf:215: argument not expected
pub rsa4096 2017-10-07 [SC] [expires: 2029-09-19]
67F5013216271E85C251E480A73823D3094C5620
uid [ unknown] fsmithred (aka fsr) <fsmi...@gmail.com>
sub rsa4096 2017-10-07 [E] [expires: 2029-09-19]

Regards, Dave Hodgins