Verifying does not work with gpg


frkl...@gmail.com

Aug 2, 2017, 4:40:23 PM
to qubes-users
Hey guys, I installed Qubes OS and I'm very happy with it :-) The best OS in my opinion; everything is working fine on my computer. Thanks for the project!!

But I installed without verifying anything. So for two weeks I have been trying to check the .iso file, because I want to reinstall Qubes OS with a verified .iso.

Sorry for my English; it's not the best, and I'm also a noob with computer things. So please write simply.

1. I downloaded the Qubes Master Signing Key with:

$ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc

2. I checked the fingerprint with:

gpg --fingerprint

3. I decided to trust the qubes-master-signing-key

3.1 $ gpg --edit-key 36879494 (on the qubes-os site it's written 0x36879494; I don't understand why to put "0x" in front of the qubes-master-signing-key. So I left it out, and it worked)

I did all the steps and it worked; I had the same terminal output as in the description (https://www.qubes-os.org/security/verifying-signatures/)

4. After that I downloaded the "qubes-release-3-signing-key.asc" because I would like to install Qubes-R3.2-x86_64.iso.

- I tried a lot of things.
1) Download it from the download page with right click and then "Save File"
2) Download with gpg --recv-keys 0xCB11CA1D03FA5082 (number on the qubes-os.org page)
...

PROBLEM: I can't verify the iso image.

1) I tried with gpg -v --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
Answer from the terminal:

gpg: can't open 'Qubes-R3.2-x86_64.iso.asc'
gpg: verify signatures failed: file open error

2) Then I decided to put the files in with drag & drop.
Answer from the terminal:
gpg: armor header: Version: GnuPG v1
gpg: verify signatures failed: unexpected data

SO I DECIDED to check the DIGESTS but it does not work:

I put into the terminal: $ md5sum -c '/home/user/Downloads/Qubes/-R3.2-x86_64.iso'
Answer from terminal: no properly formatted MD5 checksum lines found

I tried also $ md5sum -c '/home/user/Downloads/Qubes/-R3.2-x86_64.iso.DIGESTS'
Answer from terminal: no such file or directory

I then renamed the .iso to .iso.DIGESTS
Answer from the terminal: no properly formatted MD5 checksum lines found

I then renamed the .iso.DIGESTS back to .iso and I wrote into the terminal:
md5sum -t '/home/user/Downloads/Qubes/-R3.2-x86_64.iso'

After writing 't' instead of 'c' I received the following answer:
3c951138b8b9867d8657f173c1b58b82 /home/user/Downloads/Qubes/-R3.2-x86_64.iso

I did this for all types (md5sum sha1sum sha256sum sha512sum)

After that I compared with the openssl dgst types and it worked perfectly.

But in the file on the Qubes OS website it is written:

`However, it is possible that an attacker replaced Qubes-R3.2-x86_64.iso with a malicious ISO, computed the hash values for that ISO, and replaced the values in Qubes-R3.2-x86_64.iso.DIGESTS with his own set of values. Therefore, ideally, we should also verify the authenticity of the listed hash values. Since Qubes-R3.2-x86_64.iso.DIGESTS is a clearsigned PGP file, we can use gpg to verify it from the command line:`

I decided to check now the last step:

$ gpg -v --verify '/home/user/Downloads/Qubes/-R3.2-x86_64.iso'
Answer from the terminal:
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified
Please remember that the signature file (sig. or asc.)
should be the first file given on the command line.

I tried the same step with the renamed file .iso.DIGESTS

$ gpg -v --verify '/home/user/Downloads/Qubes/-R3.2-x86_64.iso.DIGESTS'

The answer was the same:
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified
Please remember that the signature file (sig. or asc.)
should be the first file given on the command line.

The terminal suggests comparing the files like I described above:

But that command does not work in my terminal:

gpg -v --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
Answer:

gpg: armor header: Version: GnuPG v1
gpg: verify signatures failed: unexpected data

I have now tried all the options and I have no idea what I should try to solve the verification problem. That's why I need help.

I checked the ~/.gnupg (maybe it's helpful for you)
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA 128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPMED160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data

I WOULD BE VERY HAPPY IF SOMEONE HAS A SOLUTION!

Thanks!

Unman

Aug 2, 2017, 5:24:35 PM
to frkl...@gmail.com, qubes-users
I think you should take it slowly.

First, you can't verify the image because (if you have downloaded the
iso.asc file) you don't have it in the directory where you are trying to
run the verification, or you downloaded it as root and permissions are
wrong.
That's why the error message clearly says, "can't open".
Check that you have in fact downloaded the right file, and it is in the
same directory as the iso image.

You really need to read a basic introduction to md5sum.
What you want to do is run 'md5sum .... .iso', and check the output
against that contained in the DIGESTS file.

md5sum -c is used to READ hashes from a file, and check them against the
hash derived from the file.
SO:
md5sum file1 > file1.md5
md5sum -c file1.md5

will produce output:
file1: OK

The DIGESTS file doesn't contain properly formatted hash information, as
the error message tells you.

Try running 'man gpg' or reading any of the excellent introductions
online.
Again, it seems to me that you simply haven't downloaded the right
signature file from the website:
Look on the download page, and download the SIGNATURE matching the iso
you have.

I've lost track of all the file renaming you've done - I suspect you
might have done as well.
Start again, get the signature, and then run the verification -

unman
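The hash comparison unman describes above (run the *sum tool on the ISO, compare against the lines in the DIGESTS file), as an added example that is not part of this thread: it pulls the "<hex>  <filename>" lines out of a DIGESTS-style clearsigned text, recomputes each digest over the ISO bytes, and reports OK or FAILED per algorithm. The filename and the four-algorithm DIGESTS layout follow the thread; the ISO contents and the PGP signature block are constructed placeholders, and checking the clearsign signature itself still needs gpg.

```python
import hashlib
import re

# Digest length in hex characters -> the coreutils tool that produces it
# (md5sum, sha1sum, sha256sum, sha512sum); DIGESTS lists one line per tool.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# The two-space "<hex>  <filename>" layout that md5sum -c and friends expect.
DIGEST_LINE = re.compile(r"^([0-9a-fA-F]{32,128})  (\S.*)$")

ISO_NAME = "Qubes-R3.2-x86_64.iso"
# Constructed stand-in for the ISO contents; a real image is several GB.
ISO_BYTES = (b"constructed stand-in for " + ISO_NAME.encode() + b"\n") * 64


def make_digests_text(name, data):
    """Build a DIGESTS-style clearsigned text for `data`. Constructed: the
    hash lines are real, the PGP signature block is only a placeholder."""
    lines = ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", ""]
    for algo in ("md5", "sha1", "sha256", "sha512"):
        lines.append(f"{hashlib.new(algo, data).hexdigest()}  {name}")
    lines += ["-----BEGIN PGP SIGNATURE-----", "PLACEHOLDER-SIGNATURE-BLOCK",
              "-----END PGP SIGNATURE-----"]
    return "\n".join(lines) + "\n"


def parse_digests(text):
    """Return {algorithm: (expected_hex, filename)} for each well-formed hash
    line; armor headers and the signature block never match and are skipped."""
    found = {}
    for line in text.splitlines():
        m = DIGEST_LINE.match(line)
        if m and len(m.group(1)) in ALGO_BY_HEX_LEN:
            found[ALGO_BY_HEX_LEN[len(m.group(1))]] = (m.group(1).lower(), m.group(2))
    return found


def check_digests(text, name, data):
    """Recompute every digest listed for `name` over `data` and compare.
    Returns {algorithm: True/False}; an empty dict means `name` was not listed."""
    results = {}
    for algo, (expected, listed_name) in parse_digests(text).items():
        if listed_name == name:
            results[algo] = hashlib.new(algo, data).hexdigest() == expected
    return results


if __name__ == "__main__":
    digests = make_digests_text(ISO_NAME, ISO_BYTES)
    for algo, ok in sorted(check_digests(digests, ISO_NAME, ISO_BYTES).items()):
        print(f"{ISO_NAME}: {algo} {'OK' if ok else 'FAILED'}")
```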


frkl...@gmail.com

Aug 3, 2017, 3:02:58 PM
to qubes-users, frkl...@gmail.com, un...@thirdeyesecurity.org
Hi unman,

Thanks for the response!

I will do each step slowly and post each problem separately ;-)

Let's begin with the first step:


1. Download the "qubes-release-3-signing-key.asc" (PGP Key) from https://www.qubes-os.org/downloads/ and save it in the Downloads directory where the Qubes .iso is

2. Command in terminal [Downloads]:
gpg -v --verify '/home/user/Downloads/qubes-release-3-signing-key.asc' '/home/user/Downloads/Qubes-R3.2-x86_64.iso'

Answer from terminal:


gpg: armor header: Version: GnuPG v1
gpg: verify signatures failed: unexpected data

3. Check permission of "qubes-release-3-signing-key.asc"

Owner: Me
Access: read and write

Group: user
Access: read and write

Others:
Access: read-only

What else should I check?

Unman

Aug 3, 2017, 4:00:28 PM
to frkl...@gmail.com, qubes-users
I did suggest that you check you had downloaded the correct file.
You haven't.

Look at this page to understand what is going wrong:
www.gnupg.org/gph/en/manual/x135.html

You need to download the SIGNATURE - I stressed this before.
It's on the SIGNATURE button and is file - Qubes-R3.2-x86_64.iso.asc

How it works: the Qubes devs use their Key to generate a Signature for
the iso.
You download the signing key, signature and iso.
You IMPORT the key.
Then you verify the iso against the signature.

You are trying to verify the iso against the KEY.

Look at this page again:
www.qubes-os.org/security/verifying-signatures/

Once you get the idea, it should be easier for you.
Try it again.

unman


frkl...@gmail.com

Aug 3, 2017, 4:53:13 PM
to qubes-users, frkl...@gmail.com, un...@thirdeyesecurity.org
Hi Unman,

you are right!

I tried the signing key against the .iso

I copied now the signature into 'gedit' and saved it as "Qubes-R3.2-x86_64.iso.asc"

Then I verified the signature 'Qubes-R3.2-x86_64.iso.asc' against 'Qubes-R3.2-x86_64.iso'
and it worked :-))

Thanks a lot for your patience!
