how to check integrity about DVD

[hg...@e.shapoo.ch]

I verified signature about qubes ISO file by gpg.Then I burned it to DVD.
But I can't trust that DVD was burned without corruption.
So I want to verify integrity against the DVD too.

Is someone know how to verify signature against DVD?


At moment, I want my privacy to be protected.
https://mytemp.email/

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I'm not aware of a method to gpg --verify an ISO directly from a DVD
after it has been burned, but you can re-create the ISO from the DVD,
[1] then gpg --verify the re-created ISO. [2]


[1] https://www.thomas-krenn.com/en/wiki/Create_an_ISO_Image_from_a_source_CD_or_DVD_under_Linux

[2] If you're worried that the re-created ISO might not truly represent
what's on the DVD because you're worried that your software environment
might be compromised and lying to you, then I'd point out that the same
compromised software environment could also lie to you about the results
of verifying the DVD directly.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJZG6pOAAoJENtN07w5UDAwf7YP/R3gWzc2mW6GVsq2844zpg89
HhoskgCi3MZF3pdMYMjnteW8JFLUZf2e8+ow4XWmVu8IevnbDucjEm7WvNV3YnDh
D0HFy0e1eujnqi4gCtYqpHtV+kWZ+zMho+LX4Dq29y2FHEpdmFWSx3Ga6LLpMnSN
uI2XmjVp8Vw1cxJGkch8hyDnAbVOOOAMdPN5XBy35OfsJUAutSxFua7p7uu7EBgb
BV2syv1UE+9Hqcy32Pwd2dvOM3ltVfXj8POQ0sBBovpm4ujW0A/aCvKSsJvyOIi9
Z0PqpudpkoxcBxPSLa/oPor6S2UQqJJeLoRPxjFJWThrfNbwKO6kn9jAfJgmdTQ+
/IduIrLYTw2tOoGMn0Cknj9D6/Z4QUdXp94+bKT+hfNFpo1Fp74AAIrHuM1PW4iJ
J8xVm+3OUywEYbhbqIdk4TakrmZR5QSJi6jKVwIJTPruxRIswRM5w/C66KSzrdmg
wCtgH5Ac1HwRhvaJjG44+/CPLlJlJhQy1MhjIWWX+1FHULunNSJyJs0h56790MBA
Pwrwml9ifjGHRDmrsZKfNydVm4FEvTIHWBLjSjEPjs3z3Brzak56Imw3j4WlxFYp
wPfCLUBrUTgLXt+UEWixmzUHio79y/cmnzZASoGsDR4vcv9mIgsngNsC37Dgc50r
AceMgYRugTRLgUiNaBA6
=xE79
-----END PGP SIGNATURE-----

[cooloutac]

The option before you to verify integrity. Should do it it automatic if not make sure it selected.

[cooloutac]

I meant before you install in the options menu.

[Jean-Philippe Ouellet]

On Tue, May 16, 2017 at 9:41 PM, Andrew David Wong <a...@qubes-os.org> wrote:
> On 2017-05-16 16:42, hg...@e.shapoo.ch wrote:
>> I verified signature about qubes ISO file by gpg.Then I burned it to DVD.
>> But I can't trust that DVD was burned without corruption.
>> So I want to verify integrity against the DVD too.
>>
>> Is someone know how to verify signature against DVD?
>>
>>
>> At moment, I want my privacy to be protected.
>> https://mytemp.email/
>>
>
> I'm not aware of a method to gpg --verify an ISO directly from a DVD
> after it has been burned, but you can re-create the ISO from the DVD,
> [1] then gpg --verify the re-created ISO. [2]
>
>
> [1] https://www.thomas-krenn.com/en/wiki/Create_an_ISO_Image_from_a_source_CD_or_DVD_under_Linux
>
> [2] If you're worried that the re-created ISO might not truly represent
> what's on the DVD because you're worried that your software environment
> might be compromised and lying to you, then I'd point out that the same
> compromised software environment could also lie to you about the results
> of verifying the DVD directly.

IIRC it is legal and works as expected to pass a block device as the
file to be verified with gpg, e.g.
$ gpg --verify Qubes-R3.2-x86_64.iso.asc /dev/sr0

However, I know I have just done:
$ sudo cat /dev/sr0 | sha256sum -
and compared against a known-good hash.
or
$ sudo head -c $((1024*1024*4)) /dev/sr0 | sha256sum -
in the case of larger devices (like flash drives) which do not report
a certain size (like burned DVDs), and then verified that the rest of
the media is zeroes (dd skip=...) because I'm paranoid like that and
don't know what might read past the end of intentionally written data
and what parsers it might reach.

I'm happy to be corrected, but I do not see the need for re-creating
an ISO on your disk unless you find your DVD to be wrong and want to
do some forensics.

Non-write-once media, or media with embedded computing capability and
persistent and mutable state (like flash drives) have other concerns
however.\

Cheers,
Jean-Philippe

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2017-05-22 23:13, Jean-Philippe Ouellet wrote:
> On Tue, May 16, 2017 at 9:41 PM, Andrew David Wong <a...@qubes-os.org> wrote:
>> On 2017-05-16 16:42, hg...@e.shapoo.ch wrote:
>>> I verified signature about qubes ISO file by gpg.Then I burned it to DVD.
>>> But I can't trust that DVD was burned without corruption.
>>> So I want to verify integrity against the DVD too.
>>>
>>> Is someone know how to verify signature against DVD?
>>>
>>>
>>> At moment, I want my privacy to be protected.
>>> https://mytemp.email/
>>>
>>
>> I'm not aware of a method to gpg --verify an ISO directly from a DVD
>> after it has been burned, but you can re-create the ISO from the DVD,
>> [1] then gpg --verify the re-created ISO. [2]
>>
>>
>> [1] https://www.thomas-krenn.com/en/wiki/Create_an_ISO_Image_from_a_source_CD_or_DVD_under_Linux
>>
>> [2] If you're worried that the re-created ISO might not truly represent
>> what's on the DVD because you're worried that your software environment
>> might be compromised and lying to you, then I'd point out that the same
>> compromised software environment could also lie to you about the results
>> of verifying the DVD directly.
>
> IIRC it is legal and works as expected to pass a block device as the
> file to be verified with gpg, e.g.
> $ gpg --verify Qubes-R3.2-x86_64.iso.asc /dev/sr0
>

I could never get it to work for some reason.

> However, I know I have just done:
> $ sudo cat /dev/sr0 | sha256sum -
> and compared against a known-good hash.
> or
> $ sudo head -c $((1024*1024*4)) /dev/sr0 | sha256sum -
> in the case of larger devices (like flash drives) which do not report
> a certain size (like burned DVDs), and then verified that the rest of
> the media is zeroes (dd skip=...) because I'm paranoid like that and
> don't know what might read past the end of intentionally written data
> and what parsers it might reach.
>
> I'm happy to be corrected, but I do not see the need for re-creating
> an ISO on your disk unless you find your DVD to be wrong and want to
> do some forensics.
>

I mean, either way you're reading the contents of the disc. It's just a
matter of whether you write them (back) to the disk or pipe them
directly to whichever program is doing the verification, right? I don't
see any meaningful security gain from piping directly, since a
compromised environment could still be lying to you. Since I make lots
of mistakes, though, I'd probably prefer to have it on the disk so that
I don't have to re-read the whole disc when I inevitably screw up the
verification step the first time. :)

> Non-write-once media, or media with embedded computing capability and
> persistent and mutable state (like flash drives) have other concerns
> however.\
>
> Cheers,
> Jean-Philippe
>

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJZI8giAAoJENtN07w5UDAwpugP/RNrf1MQD34UhqENsuvbLcJx
uI+MGYXcQLHLwdi42VdWnwQmwX6gcUISp3O58yFAcT7wRUL/5ZfatrtKyFiPlDAZ
3Y/EVXsvlnLMOuqkoKOpzIMH9vM8HjmBDr12PW2wsy2bKxHetkoKMWbkOZXNEjhk
uldVde04/oX1U4aCgRLfICeYoGd66cgM+93IKTnRKf6p1gF8zAzx41NX6jskWYPx
9Q1cvm64ruAGuYNMobWJDyjQV7kni1iS35Y8ll1h4BAcUDDGoG1tM7239hW3KDPR
PF7SBGZPn9XTzb2GqsphZOYeRNVE8C5JN6Ld8slfW1xhI9WYNo7IvddSYvlQfhdc
0pxXkG8WutknUZVXoKbtnl9Y4uIgpXPFQQHuPH2FOjN/C8T8v2vgFg5p6g5N8uls
4zbm+/TGh9I7Hb/2vILR5uR/uEx04P0l0dp2wHJF4Zkc4/MBM4XIRhk7HnlDAyLW
pJhRRmLzLLUoiFq08kApp3NyMH/DImC4FyNLqvqWsaoddf4b/5lf64M6RATIkr/x
1zipb0k54/+T62IQLgPq24MdIFJk8p8XpMpn0nRhEOSRkmZfqOrN7NfNyeRGQVbt
JU6TsoYcZW+Q5syBNCN22xbr0aJSfvw9+ccBisPKIV6heaEMsU85gJCZat6HTREI
JMLhZEoUnrTxYXr3ieuI
=nHiv
-----END PGP SIGNATURE-----