busterrr3x

Thank you. #1- So then what is the difference between "verifying with the .asc" & "comparing checksums"? >>> If the checksum only tells you if the download was modified while being downloaded and not whether it is the authentic image - it doesn't make sense that igor's checksum would be valid and the image is not an authentic image. #2 - Aren't we getting igor's fingerprint by running one of the commands above? #3- dead link: https://apt.armbian.com/apt/armbian.key

step 1: # download public key from the database gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 step 2: # perform verification gpg --verify Armbian_5.18_Armada_Debian_jessie_3.10.94.img.xz.asc To help me understand better, I would like to break down my lack of understanding into simple questions, one at a time. Thank you. My understanding is that step #2 is used to show whether or not the image I downloaded is the "real image made/sent out by the developers/ software engineers". 1) Is this correct? And the sha256sum shows if this image has been modified in any way. ******* 2) But what command is used to show that the .asc signature is the authentic signature ? >>>>>>>>>>>> I'm going to guess and say the following: compare the fingerprint obtained from the first command below with the fingerprint obtained from the 2nd command below and see if they match. If they match, then the ".asc" file is authentic. "gpg --verify name.asc” & “gpg --fingerprint pubkey-code ID"

Would you agree with this: "I have been told countless times that if malware were to write to my .img (file/image) while it sat in my download's folder, and then I ran the checksum, that the checksum would be inaccurate. " -----?? Thanks.

Thanks. IMHO, I think that people "think" their system is clean & free of malware, but no one really knows for sure since there are certainly undetectable backdoors that can be placed on someone's system, including linux. "Hope for the best, prepare for the worst".

Here's my concern: I download the image iso. I have the .img image. There is malware on my computer. I want to know if malware has transferred over to the image before I install it on my micro-sd and boot up the os for first time use. sidenote: I do know that it is not easy for malware to write to an .img/iso. I have been told countless times that if malware were to write to my .img (file/image) while it sat in my download's folder, and then I ran the checksum, that the checksum would be inaccurate. Thanks!

After I get the fingerprint, what do I do with it? "gpg --fingerprint code" What command do I run after this? What is the purpose of this (currently unknown) command? sidenote: **If** the fingerprint verifies that I downloaded the "real" public key, then what does the signature verify? Thanks!

Thanks. Everyone should be concerned about the website / website files being hacked and replaced falsely.

Thanks Werner. So there is no checksum for the standalone ".img" ?

TO CLARIFY: actually, the 'formula' ran and gave a typical output whereas before it did not, so that was a success in itself. However, I did get a 'bad signature'. But at least I am now comfortable checking the signature, so it was still a success

I understand that as well. But why is the .img NOT matching the checksum, while the compressed image is - that's the biggest worry. Thx.

The 'desktop-image' doc I was comparing the '.asc-doc' against was NOT a desktop image. Changed it and it worked. Thx

When I run a checksum on both "...desktop.img.xz and .....desktop.img", the "...desktop.img.xz" matches the posted .sha doc's checksum. But when I run the "...desktop.img" checksum, it does NOT match the posted .sha doc checksum. I've always checked just the .img or .iso image against the posted checksum, never previously against the '..desktop.img.xz' image. Thx.

Hi Igor. I loaded the key before anything else, your key ...import, if that's what you mean. After I import your key with the command line, is there anything else I need to do, such as with my 'key management - KGpg' .... "import keys". The command said it was imported, but I don't know where to check to see if yours is there; not sure if I'm supposed to be able to see it...? Thanks.

Thanks Igor. As for trying to verify the signature - I'm getting closer, but apparently still doing something incorrect. I have in the same directory: the ".img" and the ".asc", and nothing else. I open a terminal there and then run the following: $ sudo gpg --verify Armbian_20.05.2_Orangepiplus2e_buster_current_5.4.43.img.xz.asc [sudo] password for b: OUTPUT: gpg: no signed data gpg: can't hash datafile: No data Or is the output for signature telling me the checksum is not valid? =========================================================================== DOWNLOADING YOUR PUBLIC KEY: (I don't know why, but your public key almost never downloads/imports; I got lucky importing it once out of many tries; wish I knew why...) # download public key from the database sudo gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 OUTPUT: sudo gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 93D6889F9F0E78D5: public key "Igor Pecovnik <igor@armbian.com>" imported gpg: Total number processed: 1 gpg: imported: 1 Thanks.

Hi Igor, thanks. But I'm not sure I understand. I'm using buster and those links are for bionic. But I will test what I think you may be trying to say. My guess is that the best thing is to verify the checksum signature. I thought there was a link on armbian.com for that, but don't seem to be able to find it. I also recall having some trouble figuring out how to do it. Anyway, could you provide a link for instructions? Thanks

Last week I downloaded the checksum for armbian20.05.2_Orangepiplus2e_buster_current_5.4.43_desktop.img.xz and checked the checksum that came with the download. The .img checksum downloaded with the image and the checksum I ran were the same. When I check the online checksum here on armbian.com under downloads, sha, TODAY, the checksum is different. Is there any reason for me to believe that my original checksum and download may have been corrupted? I realize I can just re-download the image now, but whose to say that the one posted now is correct and not the previous one (while maybe both correct/fine)? I know that checksums can change over time, assuming there has been an update or something; read about this somewhere. Thanks.

Thanks anyway, I found the checksum and since the checksum was good, I will install and see what is in the .gnupg directory. I am surprised by what is in this install that I am writing from, as the private keys directory is completely empty. I know that after I make a keypair that they will exist there, but I thought there should be 2 plain text documents there also before making the keypair, so I was trying to make sure. HOW DO I MARK SOLVED?

In other words, when you download this image/iso, what is in your .GNUPG directory (if you wouldn't mind downloading it to see)? https://archive.armbian.com/orangepiplus2e/archive/Armbian_19.11.6_Orangepiplus2e_buster_current_5.4.8_desktop.7z I have done it on my end. This is from the archived os'. I would check the checksum but I can't find them for these archives. Thanks.

QUESTION: I downloaded the BUSTER image (19.11.6 / 5.4.8) .img. In my .GNUPG directory, there is only an empty 'private keys' directory. Is this supposed to be like this or should there be 2 'text' documents next to the 'private keys' directory? One of my former buster downloads from a year ago or so, I know there were 2 simple text documents in the .gnupg directory. I am trying to learn how to send an encrypted message using gpg, but haven't been successful, yet. I was thinking that maybe there is a problem with my .gnupg directory and this is why I'm running into a snag with it. Thank you.

Thank you!

Sorry I don't fully understand the coding above, but I can see you were using shasum to check the archive images. Thanks. I checked my archive download and it checked out! QUESTION: I downloaded the BUSTER image (19.11.6 / 5.4.8) .img. In my .GNUPG directory, there is only an empty 'private keys' directory. Is this supposed to be like this or should there be 2 'text' documents next to the 'private keys' directory? One of my former buster downloads from a year ago or so, I know there were 2 simple text documents in the .gnupg directory. I am trying to learn how to send an encrypted message using gpg, but haven't been successful, yet. I was thinking that maybe there is a problem with my .gnupg directory and this is why I'm running into a snag with it. Thank you.

I haven't checked the archives yet, so I was only saying I had a bad download with the main page. But thanks.

Thanks - it's at the bottom of the page.

Thanks Igor. Where would I get an older archived version?

BUSTER DESKTOP - GLOBAL: https://www.armbian.com/orange-pi-plus-2e/#kernels-archive-all I downloaded this on 2 different computers and got a bad checksum when I ran "sha256sum name.img". Wondering if anyone else is as well? I may have remote access malware on my computer - could be causing it somehow, possibly. Thanks.