
busterrr3x

Posts posted by busterrr3x

  1. 19 hours ago, xwiggen said:

    What it says is Armbian_20.08.1_Zeropi_bionic_current_5.8.5.img.xz is signed by Igor Pecovnik. If any bit is flipped in the xz after being signed (after download or modified on server) verification will fail.

    Thank you.

    #1- So then what is the difference between "verifying with the .asc" & "comparing checksums"?

    >>> If the checksum only tells you if the download was modified while being downloaded and not whether it is the authentic image - it doesn't make sense that igor's checksum would be valid and the image is not an authentic image. 

    #2 - Aren't we getting igor's fingerprint by running one of the commands above?

    #3- dead link: https://apt.armbian.com/apt/armbian.key

  2. step 1:

    # download public key from the database
    gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5

    step 2:

    # perform verification
    gpg --verify Armbian_5.18_Armada_Debian_jessie_3.10.94.img.xz.asc

     

    To help me understand better, I would like to break down my lack of understanding into simple questions, one at a time. Thank you. 

     

    My understanding is that step #2 is used to show whether or not the image I downloaded is the "real image made/sent out by the developers/ software engineers". 

    1) Is this correct?

     

    And the sha256sum shows if this image has been modified in any way. 

     

    ******* 2) But what command is used to show that the .asc signature is the authentic signature ?

     

    >>>>>>>>>>>> I'm going to guess and say the following: compare the fingerprint obtained from the first command below with the fingerprint obtained from the 2nd command below and see if they match. If they match, then the ".asc" file is authentic. 

    "gpg --verify name.asc" & "gpg --fingerprint pubkey-code ID"

     

  3. 1 hour ago, NicoD said:

    The writers of the malware would need to target Linux OS and filesystem. Always possible, but very unlikely.

     

    With computers nothing is secure except when you read/write all the code yourself. And even then it'll be full of errors :)
    About every Windows computer online is unsafe since Windows is closed sourced. You don't know what is happening behind the scenes. You can't know what a program does after you install it.
    With Linux there are a lot of people checking the code to see if nobody put anything malicious in it. But installing software and choosing the source is still your responsibility.

     

    Would you agree with this: "I have been told countless times that if malware were to write to my .img (file/image) while it sat in my downloads folder, and then I ran the checksum, that the checksum would be inaccurate." -----??

    Thanks. 

  4. 56 minutes ago, Werner said:

    If you cannot make sure or simply do not think that your system is clean then the whole discussion is kind of pointless ...

    Thanks. IMHO, I think that people "think" their system is clean & free of malware, but no one really knows for sure since there are certainly undetectable backdoors that can be placed on someone's system, including Linux. "Hope for the best, prepare for the worst".

  5. On 10/7/2020 at 8:59 PM, NicoD said:

    Checksum is to see if the file you downloaded is error free.
    Once downloaded it is up to your computer to make sure it doesn't create errors in unpacking it.
    I never use checkfiles and never had issues to my knowledge. I don't understand why you would need to worry about this.

     

    Here's my concern: I download the image iso. I have the .img image. There is malware on my computer. I want to know if malware has transferred over to the image before I install it on my micro-sd and boot up the os for first time use. 

     

    sidenote: I do know that it is not easy for malware to write to an .img/iso. I have been told countless times that if malware were to write to my .img (file/image) while it sat in my downloads folder, and then I ran the checksum, that the checksum would be inaccurate.

     

    Thanks!

  6. 8 hours ago, busterrr3x said:

    The 'desktop-image' doc I was comparing the '.asc-doc' against was NOT a desktop image. Changed it and it worked. 

     

    Thx

    TO CLARIFY: actually, the 'formula' ran and gave a typical output whereas before it did not, so that was a success in itself. However, I did get a 'bad signature'. But at least I am now comfortable checking the signature, so it was still a success :)

  7. When I run a checksum on both "...desktop.img.xz and .....desktop.img", the "...desktop.img.xz" matches the posted .sha doc's checksum. But when I run the "...desktop.img" checksum, it does NOT match the posted .sha doc checksum. 

     

    I've always checked just the .img or .iso image against the posted checksum, never previously against the '..desktop.img.xz' image. 

     

    Thx. 

  8. Hi Igor. I loaded the key before anything else, your key ...import, if that's what you mean. 

     

    After I import your key with the command line, is there anything else I need to do, such as with my 'key management - KGpg' .... "import keys". 

     

    The command said it was imported, but I don't know where to check to see if yours is there; not sure if I'm supposed to be able to see it...?

     

    Thanks. 

  9. Thanks Igor. 

     

    As for trying to verify the signature - I'm getting closer, but apparently still doing something incorrect. 

     

    I have in the same directory: the ".img" and the ".asc", and nothing else. I open a terminal there and then run the following:

     

    $ sudo gpg --verify Armbian_20.05.2_Orangepiplus2e_buster_current_5.4.43.img.xz.asc
    [sudo] password for b:

    OUTPUT:
    gpg: no signed data
    gpg: can't hash datafile: No data

     

    Or is the output for signature telling me the checksum is not valid? 

     

    =========================================================================== 

     

    DOWNLOADING YOUR PUBLIC KEY: (I don't know why, but your public key almost never downloads/imports; I got lucky importing it once out of many tries; wish I knew why...)

     

    # download public key from the database

    sudo gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5

     

    OUTPUT:
    sudo gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
    gpg: /root/.gnupg/trustdb.gpg: trustdb created
    gpg: key 93D6889F9F0E78D5: public key "Igor Pecovnik <igor@armbian.com>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

     

    Thanks. 
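    The three checks that posts 1, 2 and 9 above keep circling (checksum, detached signature, and the signing key's fingerprint) can be separated cleanly in a small script. The following is an added example written for this thread; it is not Armbian's own tooling and not code from anyone in the discussion. It takes the key fingerprint from the `--recv-key` argument quoted in the thread, assumes GnuPG's machine-readable `--status-fd` output (the `VALIDSIG` line carries the signing key's fingerprint) and coreutils `sha256sum`, and its demo data (a throwaway file plus hand-written status lines) is constructed, not a real download.

```shell
#!/usr/bin/env bash
# Added example for this thread, not Armbian's own tooling. It separates:
#   1. checksum   (.sha) -> the bytes you have are the bytes that were hashed
#   2. signature  (.asc) -> some key signed exactly those bytes
#   3. fingerprint       -> that key is the one the project publishes
# gpg itself is only invoked in verify_image; the helpers work on captured text.
set -u

# Fingerprint of the signing key as quoted in the thread (the --recv-key argument).
EXPECTED_FPR="DF00FAF1C577104B50BF1D0093D6889F9F0E78D5"

# Drop spaces and upper-case, so "DF00 FAF1 ..." and "df00faf1..." compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'; }

# A detached signature X.asc covers X. gpg --verify Armbian_...img.xz.asc looks for
# Armbian_...img.xz next to it; with only the unpacked .img present gpg reports
# "no signed data" / "can't hash datafile: No data", which is what post 9 shows.
signed_file_for() { printf '%s' "${1%.asc}"; }

# check_sha FILE FILE.sha: compare sha256(FILE) with the hash in the .sha file
# (coreutils layout "<hex>  <name>", first line). Returns 0 on a match.
check_sha() {
  local file="$1" shafile="$2" have want
  have=$(sha256sum "$file" | cut -d' ' -f1)
  want=$(head -n1 "$shafile" | cut -d' ' -f1)
  [ "$have" = "$want" ]
}

# Read `gpg --status-fd 1 --verify` output on stdin and print the fingerprint from
# its VALIDSIG line; prints nothing for BADSIG, NODATA or a missing key.
signer_fpr_from_status() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# key_is_expected STATUS_TEXT: 0 only if the signature is valid AND was made by the
# key whose fingerprint the project publishes. A valid signature from some other
# key (an attacker's) is exactly the case a checksum alone can never detect.
key_is_expected() {
  local fpr
  fpr=$(printf '%s\n' "$1" | signer_fpr_from_status)
  [ -n "$fpr" ] && [ "$(norm_fpr "$fpr")" = "$(norm_fpr "$EXPECTED_FPR")" ]
}

# verify_image IMAGE.img.xz.asc: the full check, in the order a reviewer wants it.
# Run it as the user who imported the key: `sudo gpg` uses /root/.gnupg instead.
verify_image() {
  local asc="$1" img sha status
  img=$(signed_file_for "$asc"); sha="$img.sha"
  [ -f "$img" ] || { echo "missing $img: the .asc signs the .xz, not the unpacked .img" >&2; return 1; }
  check_sha "$img" "$sha" || { echo "checksum mismatch: corrupt or altered download" >&2; return 1; }
  status=$(gpg --status-fd 1 --verify "$asc" "$img" 2>/dev/null) || { echo "bad signature or key not imported" >&2; return 1; }
  key_is_expected "$status" || { echo "valid signature, but not from $EXPECTED_FPR" >&2; return 1; }
  echo "ok: $img is intact and signed by the expected key"
}

# Offline demo on a constructed file and constructed gpg status lines (no gpg needed).
demo() {
  local dir; dir=$(mktemp -d)
  printf 'constructed image bytes\n' > "$dir/demo.img.xz"
  ( cd "$dir" && sha256sum demo.img.xz > demo.img.xz.sha )
  check_sha "$dir/demo.img.xz" "$dir/demo.img.xz.sha" && echo "checksum: match"
  printf 'x' >> "$dir/demo.img.xz"
  check_sha "$dir/demo.img.xz" "$dir/demo.img.xz.sha" || echo "checksum: mismatch after one extra byte"
  local good="[GNUPG:] VALIDSIG $EXPECTED_FPR 2020-09-05 1599300000 0 4 0 1 8 00 $EXPECTED_FPR"
  key_is_expected "$good" && echo "signature: valid and from the expected key"
  key_is_expected "[GNUPG:] BADSIG 93D6889F9F0E78D5 Igor Pecovnik <igor@armbian.com>" || echo "signature: BADSIG rejected"
  rm -rf "$dir"
}
demo
```

    Usage on a real download is `verify_image Armbian_20.05.2_Orangepiplus2e_buster_current_5.4.43.img.xz.asc` with the `.img.xz` and `.img.xz.sha` in the same directory. The script answers the thread's question #2 directly: nothing "verifies the .asc" on its own; `gpg --verify` only tells you which key made a valid signature, and the fingerprint comparison against the value the project publishes is what turns that into "this is the authentic image".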

  10. Hi Igor, thanks. But I'm not sure I understand. I'm using buster and those links are for bionic. But I will test what I think you may be trying to say. 

     

    My guess is that the best thing is to verify the checksum signature.  I thought there was a link on armbian.com for that, but don't seem to be able to find it. 

     

    I also recall having some trouble figuring out how to do it. Anyway, could you provide a link for instructions?

    Thanks

  11. Last week I downloaded the checksum for armbian20.05.2_Orangepiplus2e_buster_current_5.4.43_desktop.img.xz and checked the checksum that came with the download. The .img checksum downloaded with the image and the checksum I ran were the same. When I check the online checksum here on armbian.com under downloads, sha, TODAY, the checksum is different. 

     

    Is there any reason for me to believe that my original checksum and download may have been corrupted? I realize I can just re-download the image now, but who's to say that the one posted now is correct and not the previous one (while maybe both correct/fine)?

     

    I know that checksums can change over time, assuming there has been an update or something; read about this somewhere. 

     

    Thanks. 

  12. Thanks anyway, I found the checksum and since the checksum was good, I will install and see what is in the .gnupg directory. I am surprised by what is in this install that I am writing from, as the private keys directory is completely empty. I know that after I make a keypair that they will exist there, but I thought there should be 2 plain text documents there also before making the keypair, so I was trying to make sure. 

     

    HOW DO I MARK SOLVED?

  13. In other words, when you download this image/iso, what is in your .GNUPG directory (if you wouldn't mind downloading it to see)? 

     

    https://archive.armbian.com/orangepiplus2e/archive/Armbian_19.11.6_Orangepiplus2e_buster_current_5.4.8_desktop.7z

     

    I have done it on my end. This is from the archived OSes. I would check the checksum but I can't find them for these archives.

     

    Thanks. 

  14. QUESTION:  I downloaded the BUSTER image (19.11.6 / 5.4.8) .img. In my .GNUPG directory, there is only an empty 'private keys' directory. Is this supposed to be like this or should there be 2 'text' documents next to the 'private keys' directory?

     

    One of my former buster downloads from a year ago or so, I know there were 2 simple text documents in the .gnupg directory. I am trying to learn how to send an encrypted message using gpg, but haven't been successful, yet. I was thinking that maybe there is a problem with my .gnupg directory and this is why I'm running into a snag with it.

     

    Thank you. 

  15. On 9/24/2020 at 6:04 PM, busterrr3x said:

    I haven't checked the archives yet, so I was only saying I had a bad download with the main page. But thanks. 

    Sorry I don't fully understand the coding above, but I can see you were using shasum to check the archive images. Thanks. I checked my archive download and it checked out!

     

    QUESTION:  I downloaded the BUSTER image (19.11.6 / 5.4.8) .img. In my .GNUPG directory, there is only an empty 'private keys' directory. Is this supposed to be like this or should there be 2 'text' documents next to the 'private keys' directory? One of my former buster downloads from a year ago or so, I know there were 2 simple text documents in the .gnupg directory. I am trying to learn how to send an encrypted message using gpg, but haven't been successful, yet. I was thinking that maybe there is a problem with my .gnupg directory and this is why I'm running into a snag with it. 

     

    Thank you. 

     

  16. On 9/24/2020 at 5:40 PM, Igor said:

    Also I started:

    
    # for every .xz under STARTDIR: test the xz container, then compare its sha256 with the matching .sha file
    for archive in $(find "${STARTDIR}" -name '*.xz'); do
    	xz -tv "$archive"
    	[[ $? -ne 0 ]] && exit 1
    	[[ $(sha256sum "$archive" | cut -d" " -f1) != $(cut -d" " -f1 "${archive}.sha") ]] && exit 1
    done

    on our archive to see if the problem is at our side.

    I haven't checked the archives yet, so I was only saying I had a bad download with the main page. But thanks. 
