busterrr3x

Thank you. #1- So then what is the difference between "verifying with the .asc" & "comparing checksums"? >>> If the checksum only tells you if the download was modified while being downloaded and not whether it is the authentic image - it doesn't make sense that igor's checksum would be valid and the image is not an authentic image. #2 - Aren't we getting igor's fingerprint by running one of the commands above? #3- dead link: https://apt.armbian.com/apt/armbian.key

step 1: # download public key from the database gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 step 2: # perform verification gpg --verify Armbian_5.18_Armada_Debian_jessie_3.10.94.img.xz.asc To help me understand better, I would like to break down my lack of understanding into simple questions, one at a time. Thank you. My understanding is that step #2 is used to show whether or not the image I downloaded is the "real image made/sent out by the developers/ software engineers". 1) Is this correct? And the sha256sum shows if this image has been modified in any way. ******* 2) But what command is used to show that the .asc signature is the authentic signature ? >>>>>>>>>>>> I'm going to guess and say the following: compare the fingerprint obtained from the first command below with the fingerprint obtained from the 2nd command below and see if they match. If they match, then the ".asc" file is authentic. "gpg --verify name.asc” & “gpg --fingerprint pubkey-code ID"

Would you agree with this: "I have been told countless times that if malware were to write to my .img (file/image) while it sat in my download's folder, and then I ran the checksum, that the checksum would be inaccurate. " -----?? Thanks.

Thanks. IMHO, I think that people "think" their system is clean & free of malware, but no one really knows for sure since there are certainly undetectable backdoors that can be placed on someone's system, including linux. "Hope for the best, prepare for the worst".

Here's my concern: I download the image iso. I have the .img image. There is malware on my computer. I want to know if malware has transferred over to the image before I install it on my micro-sd and boot up the os for first time use. sidenote: I do know that it is not easy for malware to write to an .img/iso. I have been told countless times that if malware were to write to my .img (file/image) while it sat in my download's folder, and then I ran the checksum, that the checksum would be inaccurate. Thanks!

After I get the fingerprint, what do I do with it? "gpg --fingerprint code" What command do I run after this? What is the purpose of this (currently unknown) command? sidenote: **If** the fingerprint verifies that I downloaded the "real" public key, then what does the signature verify? Thanks!

Thanks. Everyone should be concerned about the website / website files being hacked and replaced falsely.

Thanks Werner. So there is no checksum for the standalone ".img" ?

TO CLARIFY: actually, the 'formula' ran and gave a typical output whereas before it did not, so that was a success in itself. However, I did get a 'bad signature'. But at least I am now comfortable checking the signature, so it was still a success

I understand that as well. But why is the .img NOT matching the checksum, while the compressed image is - that's the biggest worry. Thx.

The 'desktop-image' doc I was comparing the '.asc-doc' against was NOT a desktop image. Changed it and it worked. Thx

When I run a checksum on both "...desktop.img.xz and .....desktop.img", the "...desktop.img.xz" matches the posted .sha doc's checksum. But when I run the "...desktop.img" checksum, it does NOT match the posted .sha doc checksum. I've always checked just the .img or .iso image against the posted checksum, never previously against the '..desktop.img.xz' image. Thx.

Hi Igor. I loaded the key before anything else, your key ...import, if that's what you mean. After I import your key with the command line, is there anything else I need to do, such as with my 'key management - KGpg' .... "import keys". The command said it was imported, but I don't know where to check to see if yours is there; not sure if I'm supposed to be able to see it...? Thanks.

Thanks Igor. As for trying to verify the signature - I'm getting closer, but apparently still doing something incorrect. I have in the same directory: the ".img" and the ".asc", and nothing else. I open a terminal there and then run the following: $ sudo gpg --verify Armbian_20.05.2_Orangepiplus2e_buster_current_5.4.43.img.xz.asc [sudo] password for b: OUTPUT: gpg: no signed data gpg: can't hash datafile: No data Or is the output for signature telling me the checksum is not valid? =========================================================================== DOWNLOADING YOUR PUBLIC KEY: (I don't know why, but your public key almost never downloads/imports; I got lucky importing it once out of many tries; wish I knew why...) # download public key from the database sudo gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 OUTPUT: sudo gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 93D6889F9F0E78D5: public key "Igor Pecovnik <igor@armbian.com>" imported gpg: Total number processed: 1 gpg: imported: 1 Thanks.

Hi Igor, thanks. But I'm not sure I understand. I'm using buster and those links are for bionic. But I will test what I think you may be trying to say. My guess is that the best thing is to verify the checksum signature. I thought there was a link on armbian.com for that, but don't seem to be able to find it. I also recall having some trouble figuring out how to do it. Anyway, could you provide a link for instructions? Thanks