busterrr3x Posted October 7, 2020 (edited)
When I run a checksum on both "...desktop.img.xz" and "...desktop.img", the "...desktop.img.xz" matches the posted .sha doc's checksum. But when I run the "...desktop.img" checksum, it does NOT match the posted .sha doc checksum. I've always checked just the .img or .iso image against the posted checksum, never previously against the '..desktop.img.xz' image. Thx.

Werner Posted October 7, 2020
If they were identical on both the compressed and uncompressed image I would be really worried.

busterrr3x Posted October 7, 2020
I understand that as well. But why is the .img NOT matching the checksum, while the compressed image is - that's the biggest worry. Thx.

Werner Posted October 7, 2020
Because the checksum has been calculated for the compressed archive. Also, if you use USBimager to write the image to an SD card you do not even have to unpack it. You can feed it into the tool as it is.

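
What Werner describes, as an added example that is not part of the original thread: the published digest covers the .xz archive, and a digest for the unpacked .img can be derived from the archive once it has verified. The file name, the image bytes and the `sha256sum`-style line format of the .sha file are assumptions constructed for the demo.

```python
import hashlib, lzma, os, tempfile

def sha256_file(path, opener=open):
    """Stream a file through SHA-256; opener=lzma.open hashes the unpacked data."""
    h = hashlib.sha256()
    with opener(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha_file(text):
    """Map filename -> digest from sha256sum-style lines ('<hex>  <name>')."""
    out = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if len(digest) == 64 and name:
            out[name.lstrip(" *")] = digest.lower()
    return out

def check_download(sha_text, xz_path):
    """Return (xz_matches, img_digest); img_digest is None if the archive fails."""
    want = parse_sha_file(sha_text).get(os.path.basename(xz_path))
    if want is None or sha256_file(xz_path) != want:
        return False, None
    # Archive is the published one, so its unpacked content is too.
    return True, sha256_file(xz_path, opener=lzma.open)

def demo():
    """Build a constructed 'image', publish a .sha for the .xz, then check it."""
    img = b"constructed image bytes, not a real Armbian image\n" * 4096
    xz_path = os.path.join(tempfile.mkdtemp(), "Example_desktop.img.xz")
    with lzma.open(xz_path, "wb") as f:
        f.write(img)
    sha_text = f"{sha256_file(xz_path)}  Example_desktop.img.xz\n"
    ok, img_digest = check_download(sha_text, xz_path)
    img_ok = img_digest == hashlib.sha256(img).hexdigest()
    differs = img_digest != parse_sha_file(sha_text)["Example_desktop.img.xz"]
    # Flip one bit of the archive: the published digest no longer matches.
    data = bytearray(open(xz_path, "rb").read())
    data[len(data) // 2] ^= 0x01
    open(xz_path, "wb").write(bytes(data))
    tampered_ok, _ = check_download(sha_text, xz_path)
    return ok, img_ok, differs, tampered_ok

if __name__ == "__main__":
    print(demo())
```
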
busterrr3x Posted October 7, 2020
Thanks Werner. So there is no checksum for the standalone ".img" ?

NicoD Posted October 7, 2020
56 minutes ago, busterrr3x said:
> So there is no checksum for the standalone ".img" ?

Checksum is to see if the file you downloaded is error free. Once downloaded it is up to your computer to make sure it doesn't create errors in unpacking it. I never use checkfiles and never had issues to my knowledge. I don't understand why you would need to worry about this.

busterrr3x Posted October 8, 2020
Thanks. Everyone should be concerned about the website / website files being hacked and replaced falsely.

Werner Posted October 8, 2020
True. I don't know much about how this works but maybe sign the sha file against the authenticity key as well?

xwiggen Posted October 15, 2020
On 10/8/2020 at 7:28 AM, Werner said:
> True. I don't know much about how this works but maybe sign the sha file against the authenticity key as well?

There's no added security. If you're able to generate a SHA hash of the image and sign the SHA hash with the GPG key, both security measures are compromised at once, unless you want @Igor to sign every image and package manually at home.

busterrr3x Posted November 1, 2020
After I get the fingerprint, what do I do with it? "gpg --fingerprint code"
What command do I run after this? What is the purpose of this (currently unknown) command?
sidenote: **If** the fingerprint verifies that I downloaded the "real" public key, then what does the signature verify? Thanks!

busterrr3x Posted November 1, 2020
On 10/7/2020 at 8:59 PM, NicoD said:
> Checksum is to see if the file you downloaded is error free. Once downloaded it is up to your computer to make sure it doesn't create errors in unpacking it. I never use checkfiles and never had issues to my knowledge. I don't understand why you would need to worry about this.

Here's my concern: I download the image iso. I have the .img image. There is malware on my computer. I want to know if malware has transferred over to the image before I install it on my micro-sd and boot up the os for first time use.
sidenote: I do know that it is not easy for malware to write to an .img/iso. I have been told countless times that if malware were to write to my .img (file/image) while it sat in my downloads folder, and then I ran the checksum, that the checksum would be inaccurate. Thanks!

NicoD Posted November 1, 2020
5 minutes ago, busterrr3x said:
> Here's my concern: I download the image iso. I have the .img image. There is malware on my computer. I want to know if malware has transferred over to the image before I install it on my micro-sd and boot up the os for first time use. sidenote: I do know that it is not easy for malware to write to an .img/iso.

The writers of the malware would need to target Linux OS and filesystem. Always possible, but very unlikely. With computers nothing is secure except when you read/write all the code yourself. And even then it'll be full of errors. About every Windows computer online is unsafe since Windows is closed source. You don't know what is happening behind the scenes. You can't know what a program does after you install it. With Linux there are a lot of people checking the code to see if nobody put anything malicious in it. But installing software and choosing the source is still your responsibility.

Werner Posted November 1, 2020
If you cannot make sure or simply do not think that your system is clean then the whole discussion is kind of pointless ...

busterrr3x Posted November 1, 2020
56 minutes ago, Werner said:
> If you cannot make sure or simply do not think that your system is clean then the whole discussion is kind of pointless ...

Thanks. IMHO, I think that people "think" their system is clean & free of malware, but no one really knows for sure since there are certainly undetectable backdoors that can be placed on someone's system, including Linux. "Hope for the best, prepare for the worst".

busterrr3x Posted November 1, 2020
1 hour ago, NicoD said:
> The writers of the malware would need to target Linux OS and filesystem. Always possible, but very unlikely. With computers nothing is secure except when you read/write all the code yourself. And even then it'll be full of errors. About every Windows computer online is unsafe since Windows is closed source. You don't know what is happening behind the scenes. You can't know what a program does after you install it. With Linux there are a lot of people checking the code to see if nobody put anything malicious in it. But installing software and choosing the source is still your responsibility.

Would you agree with this: "I have been told countless times that if malware were to write to my .img (file/image) while it sat in my downloads folder, and then I ran the checksum, that the checksum would be inaccurate." -----?? Thanks.

xwiggen Posted November 2, 2020
21 hours ago, busterrr3x said:
> Would you agree with this: "I have been told countless times that if malware were to write to my .img (file/image) while it sat in my downloads folder, and then I ran the checksum, that the checksum would be inaccurate." -----?? Thanks.

It's not a checksum, it's a cryptographic hash (SHA). If you're able to change the image and keep the same hash, you've found a weakness in the SHA algorithm because it's not bruteforceable in our lifetime.

xwiggen Posted November 2, 2020
The fingerprint is a crypto hash over the public key which makes it easier to identify due to the smaller size.

busterrr3x Posted November 3, 2020
step 1:
    # download public key from the database
    gpg --keyserver ha.pool.sks-keyservers.net --recv-key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5

step 2:
    # perform verification
    gpg --verify Armbian_5.18_Armada_Debian_jessie_3.10.94.img.xz.asc

To help me understand better, I would like to break down my lack of understanding into simple questions, one at a time. Thank you.

My understanding is that step #2 is used to show whether or not the image I downloaded is the "real image made/sent out by the developers/ software engineers".
1) Is this correct? And the sha256sum shows if this image has been modified in any way.
2) But what command is used to show that the .asc signature is the authentic signature?
I'm going to guess and say the following: compare the fingerprint obtained from the first command below with the fingerprint obtained from the 2nd command below and see if they match. If they match, then the ".asc" file is authentic.
    "gpg --verify name.asc" & "gpg --fingerprint pubkey-code ID"

xwiggen Posted November 4, 2020
After you've imported the public key with step 1:

    % gpg --verify Armbian_20.08.1_Zeropi_bionic_current_5.8.5.img.xz.asc
    gpg: assuming signed data in 'Armbian_20.08.1_Zeropi_bionic_current_5.8.5.img.xz'
    gpg: Signature made Thu 03 Sep 2020 04:20:28 PM CEST
    gpg:                using RSA key DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
    gpg: checking the trustdb
    gpg: no ultimately trusted keys found
    gpg: Good signature from "Igor Pecovnik <igor@armbian.com>" [unknown]
    gpg:                 aka "Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: DF00 FAF1 C577 104B 50BF 1D00 93D6 889F 9F0E 78D5

What it says is Armbian_20.08.1_Zeropi_bionic_current_5.8.5.img.xz is signed by Igor Pecovnik. If any bit is flipped in the xz after being signed (after download or modified on server) verification will fail. The only weakness in this is the public key (as shown by WARNING above); you have to assume this is really Igor's pubkey and not compromised (but the keyserver's version and https://apt.armbian.com/apt/armbian.key match, the only thing more assuring would be if @Igor posts his fingerprint).

You can trust this key as follows to remove the warning message:

    % gpg --edit-key 93D6889F9F0E78D5
    gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    pub  rsa4096/93D6889F9F0E78D5
         created: 2015-03-16  expires: never  usage: SC
         trust: undefined  validity: unknown
    sub  rsa4096/9D465D88C70F53E4
         created: 2015-03-16  expires: never  usage: E
    [ unknown] (1). Igor Pecovnik <igor@armbian.com>
    [ unknown] (2) Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>

    gpg> trust
    pub  rsa4096/93D6889F9F0E78D5
         created: 2015-03-16  expires: never  usage: SC
         trust: undefined  validity: unknown
    sub  rsa4096/9D465D88C70F53E4
         created: 2015-03-16  expires: never  usage: E
    [ unknown] (1). Igor Pecovnik <igor@armbian.com>
    [ unknown] (2) Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>

    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)

      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      5 = I trust ultimately
      m = back to the main menu

    Your decision? 5
    Do you really want to set this key to ultimate trust? (y/N) y

    pub  rsa4096/93D6889F9F0E78D5
         created: 2015-03-16  expires: never  usage: SC
         trust: ultimate  validity: unknown
    sub  rsa4096/9D465D88C70F53E4
         created: 2015-03-16  expires: never  usage: E
    [ unknown] (1). Igor Pecovnik <igor@armbian.com>
    [ unknown] (2) Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>
    Please note that the shown key validity is not necessarily correct
    unless you restart the program.

    gpg> save
    Key not changed so no update needed

Hope this helps

busterrr3x Posted November 5, 2020
19 hours ago, xwiggen said:
> What it says is Armbian_20.08.1_Zeropi_bionic_current_5.8.5.img.xz is signed by Igor Pecovnik. If any bit is flipped in the xz after being signed (after download or modified on server) verification will fail.

Thank you.
#1 - So then what is the difference between "verifying with the .asc" & "comparing checksums"? If the checksum only tells you if the download was modified while being downloaded and not whether it is the authentic image - it doesn't make sense that Igor's checksum would be valid and the image is not an authentic image.
#2 - Aren't we getting Igor's fingerprint by running one of the commands above?
#3 - dead link: https://apt.armbian.com/apt/armbian.key

xwiggen Posted November 5, 2020
https://apt.armbian.com/armbian.key

If the image is signed by Igor's key then it is an 'authentic' image. If signature verification fails due to whatever reason (be it modification afterwards) the image is not authentic. The SHA hash only verifies the image but not who creates the SHA hash, for this you have signature verification. So, if either SHA, image or asc file are maliciously altered on server, you still have signature verification to verify it's an authentic image (which fails in case of modification, because it requires access to Igor's key to sign).

The fingerprint we can read from the public key, but in the end we have no guarantee the pubkey is Igor's; for this ideally you'd like to check the fingerprint in person to verify the pubkey with a post-it. But it's not necessary really, at this point we can safely assume the key's Igor's and should it ever be compromised the key will be revoked. Read up on public key cryptography, the system is pretty locked down secure as it is.

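
One way to act on the fingerprint, as an added example that is not part of the thread: read gpg's machine-readable `--status-fd` output and accept a signature only when it is good and its primary-key fingerprint equals a pinned value. The pin is the fingerprint printed in the thread; the status lines and the second fingerprint are constructed samples, and the function names are hypothetical.

```python
import subprocess

# Fingerprint as printed in the thread's gpg output; confirm it out of band.
PINNED_FPR = "DF00FAF1C577104B50BF1D0093D6889F9F0E78D5"
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def check_status(status_text, pinned=PINNED_FPR):
    """Accept only a good signature whose primary key matches the pin."""
    seen, primary = set(), None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        seen.add(parts[1])
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # Args: signing-key fpr, dates, algos..., optional primary-key fpr (last).
            primary = (parts[11] if len(parts) >= 12 else parts[2]).upper()
    if seen & REJECT or "GOODSIG" not in seen:
        return False
    return primary == pinned.replace(" ", "").upper()

def verify_detached(sig_path, data_path, pinned=PINNED_FPR):
    """Run gpg on a detached signature and apply check_status to its output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return check_status(proc.stdout, pinned)

# Constructed status lines (not captured from a real gpg run).
GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 93D6889F9F0E78D5 Igor Pecovnik <igor@armbian.com>
[GNUPG:] VALIDSIG DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 2020-09-03 1599142828 0 4 0 1 10 00 DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
"""
# Same user ID on a different (constructed) key: gpg still reports GOODSIG.
LOOKALIKE = (GOOD.replace(PINNED_FPR, "0123456789ABCDEF0123456789ABCDEF01234567")
                 .replace("93D6889F9F0E78D5", "89ABCDEF01234567"))
REVOKED = GOOD.replace("GOODSIG", "REVKEYSIG")
TAMPERED = ("[GNUPG:] NEWSIG\n"
            "[GNUPG:] BADSIG 93D6889F9F0E78D5 Igor Pecovnik <igor@armbian.com>\n")

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("lookalike", LOOKALIKE),
                       ("revoked", REVOKED), ("tampered", TAMPERED)]:
        print(name, check_status(text))
```
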