I've always struggled to understand how to use PGP keys and signatures to verify files, despite reading the documentation (repeatedly). I'm using GPG via the command line in Windows (but it works the same in GNU/Linux, right?).
I've downloaded the Arch installation media .iso file, and the .sig (PGP signature file). I understand I need to import a public key too, but I ran this command anyway with the results shown:
G:\Downloads\+torrents>gpg --verify archlinux-2017.07.01-x86_64.iso.sig
gpg: assuming signed data in 'archlinux-2017.07.01-x86_64.iso'
gpg: Signature made 07/01/17 08:19:25 GMT Daylight Time using RSA key ID 9741E8AC
gpg: Can't check signature: No public key
As expected, I seem to need a public key. I found this page of Arch Linux Master Signing Keys, and imported the master keys with the commands below. (Please tell me if this was a stupid thing to do!)
https://www.archlinux.org/master-keys/
G:\Downloads\+torrents>gpg --recv-keys 0x6AC6A4C2
...
G:\Downloads\+torrents>gpg --recv-keys 0x824B18E8
...
(and so on for the other master keys in the same column of the table)
But I still get the same results as in the top code panel when I try to verify again with GPG.
Sorry if this is a stupid question, but what do I need to do to find and import the right key(s) to verify the Arch installation media?
-----
As a side note, how can I place trust in any public key I find (given that I won't be going to any meet-ups with Arch gurus!)?
If I get the key from a public source, but this key continues to validate future Arch releases, and there is no indication that the key is being misused or has been compromised... eventually my trust in this key should logically increase, even though I haven't (necessarily) acquired it from a trustworthy source...? Is that right...?
Thanks in advance for any tips! :-)
Last edited by esuhl (2017-07-04 22:41:29)
It is documented on the wiki: https://wiki.archlinux.org/index.php/Ca … lling_Arch
gpg --keyserver-options auto-key-retrieve --verify archlinux-<version>-dual.iso.sig
https://wiki.archlinux.org/index.php/Ca … lling_Arch
Edit - Damn you jasonwryan, you beat me to it by 1s
Last edited by Slithery (2017-07-04 22:36:17)
Aha! Thank you both! How did I miss that?!
It is documented on the wiki: https://wiki.archlinux.org/index.php/Ca … lling_Arch
gpg --keyserver-options auto-key-retrieve --verify archlinux-<version>-dual.iso.sig
This works very nicely, of course, but I'm trying to understand just what happens here.
I get the following output:
schnell% gpg --keyserver-options auto-key-retrieve --verify archlinux-2020.11.01-x86_64.iso.sig
gpg: assuming signed data in 'archlinux-2020.11.01-x86_64.iso'
gpg: Signature made Sat 31 Oct 2020 11:42:16 PM PDT
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: requesting key 7F2D434B9741E8AC from hkp server keys.gnupg.net
gpg: key 7F2D434B9741E8AC: public key "Pierre Schmitz <pierre@archlinux.de>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
So, as far as I can see, it gets the public key 7F2D434B9741E8AC because of the auto-key-retrieve and then checks the RSA key (primary key fingerprint) against the decoded (with the public key) version from the .sig file (which was downloaded).
Since the RSAs match, we get the message saying "Good signature ..."
However, we also get the WARNING because Pierre has not set up a trusted signature?
So how does this relate to the suggestion in the wiki:
"Another method to verify the authenticity of the signature is to ensure that the public key's fingerprint is identical to the key fingerprint of the Arch Linux developer who signed the ISO-file" - we can't do this, right?
Is what I have understood above correct?
Last edited by pradtf (2020-11-24 19:22:28)
in friendship,
prad
However, we also get the WARNING because Pierre has not set up a trusted signature?
It just means that GPG was able to verify the signature's validity but you don't trust the signer's key.
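The wiki command quoted earlier in the thread and the last reply together describe the two halves of the check: "Good signature" means the signature verifies mathematically against the key gpg found, and the WARNING means gpg has no trust path to that key. The wiki's second method, comparing the printed fingerprint with one obtained out of band, is what closes that gap. The script below is an added example written for this page, not code from the thread, the Arch wiki or GnuPG. It runs the same gpg invocation with machine-readable status output and accepts the ISO only if gpg reports a valid signature and the primary-key fingerprint equals a pinned value (here the fingerprint printed in the thread; in real use you take it from a source independent of the download). The sample status lines are constructed to mirror gpg's `--status-fd` format, the second key in them is hypothetical, and only `verify_pinned` needs gpg on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or the Arch wiki. It runs the same
# verification as the wiki command, then replaces the "not certified with a
# trusted signature" warning with an explicit fingerprint pin: the signature
# counts only if gpg reports it valid AND the primary-key fingerprint equals a
# value obtained out of band. check_status parses gpg's machine-readable
# --status-fd lines, so it runs offline; verify_pinned needs gpg on PATH.

# Pinned primary-key fingerprint, as printed in the thread. In practice this
# value comes from a source independent of the download (the developer
# listing the wiki refers to), not from the .sig or the keyserver.
EXPECTED_FPR="4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC"

# Normalise a fingerprint for comparison: drop spaces, upper-case the hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# check_status STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is what gpg writes with --status-fd. Prints one of:
#   ok                    GOODSIG and VALIDSIG present, and the primary-key
#                         fingerprint (last VALIDSIG field) matches the pin
#   fingerprint-mismatch  valid signature, but made by some other key
#   bad-signature         BADSIG: the .iso or the .sig was altered
#   no-public-key         NO_PUBKEY: nothing to check the signature with yet
#   no-valid-signature    anything else
# TRUST_* lines are deliberately ignored: the pin replaces the web of trust.
# Exit status is 0 only for "ok".
check_status() {
    status="$1"
    want=$(norm_fpr "$2")
    case "$status" in
        *"[GNUPG:] NO_PUBKEY "*) echo no-public-key; return 1 ;;
        *"[GNUPG:] BADSIG "*)    echo bad-signature; return 1 ;;
    esac
    case "$status" in
        *"[GNUPG:] GOODSIG "*) ;;
        *) echo no-valid-signature; return 1 ;;
    esac
    got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    [ -n "$got" ] || { echo no-valid-signature; return 1; }
    if [ "$(norm_fpr "$got")" = "$want" ]; then
        echo ok
        return 0
    fi
    echo fingerprint-mismatch
    return 1
}

# verify_pinned SIGFILE DATAFILE [EXPECTED_FPR]
# Same gpg invocation as the wiki (auto-key-retrieve fetches the signer's key
# by ID if it is missing), plus --status-fd 1 so the outcome is parsable.
# gpg's human-readable WARNING still goes to stderr; the pin is the answer to it.
verify_pinned() {
    sig="$1"; data="$2"; want="${3:-$EXPECTED_FPR}"
    status=$(gpg --batch --status-fd 1 --keyserver-options auto-key-retrieve \
                 --verify "$sig" "$data" 2>/dev/null)
    check_status "$status" "$want"
}

# Constructed sample status output (not captured from gpg), reduced to the
# lines check_status looks at. Timestamps and the second key are made up.
SAMPLE_GOOD='[GNUPG:] GOODSIG 7F2D434B9741E8AC Pierre Schmitz <pierre@archlinux.de>
[GNUPG:] VALIDSIG 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC 2020-11-01 1604212936 0 4 0 1 10 00 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_OTHER='[GNUPG:] GOODSIG 7654321001234567 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA987654321001234567 2020-11-01 1604212936 0 4 0 1 10 00 FEDCBA9876543210FEDCBA987654321001234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_NOKEY='[GNUPG:] NO_PUBKEY 7F2D434B9741E8AC'
SAMPLE_BAD='[GNUPG:] BADSIG 7F2D434B9741E8AC Pierre Schmitz <pierre@archlinux.de>'

if [ "$#" -ge 2 ]; then
    # e.g. sh verify-pinned.sh archlinux-2020.11.01-x86_64.iso.sig archlinux-2020.11.01-x86_64.iso
    verify_pinned "$1" "$2" "$3"
else
    # No files given: show how each kind of gpg status is classified.
    for name in SAMPLE_GOOD SAMPLE_OTHER SAMPLE_NOKEY SAMPLE_BAD; do
        eval "text=\$$name"
        printf '%-12s %s\n' "$name" "$(check_status "$text" "$EXPECTED_FPR")"
    done
fi
```

Run without arguments it classifies the constructed samples; with the .sig and .iso as arguments it performs the real verification and exits 0 only when the signature is good and made by the pinned key. Note that a valid signature from a different key is treated as a failure, not as a warning: that is the difference between "the signature checks out" and "the signature belongs to the owner" that the last reply points at.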