downloaded FC6, how to - Redhat



Thread: downloaded FC6, how to

  1. downloaded FC6, how to

    I downloaded Fedora-6, but how to verify the signature?
    I cross posted this because nobody seems to be talking about it. Everyone
    says check the checksums, but skips on checking the signature???
    .... maybe more help in alt.security.pgp, but linux.redhat.install is where
    I went first, and want to raise awareness there (mine too)... and they
    should know where to get the keys/signatures!

    Ok, so I know how to run sha1sum on the ISOs and verify them
    sha1sum *.iso
    and the checksums match so I got no corruption... but how do I verify that
    signature to verify this is really from Fedora (and not from satan)?

    # gpg --verify SHA1SUM.txt
    gpg: Signature made Wed Oct 18 15:34:54 2006 CDT using DSA key ID 4F2A6FD2
    gpg: Can't check signature: public key not found

    # gpg --fetch-keys http://fedora.redhat.com/About/security/4F2A6FD2.txt
    gpg: key 4F2A6FD2: public key "Fedora Project " imported
    gpg: Total number processed: 1
    gpg: imported: 1
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

    .... Now google sees a few other people talking about this issue, but at
    most I see people saying ... finger-prints match so it must be ok. BUT
    I'm running Fedora-5... I should have a good key.. did one expire or
    something? It should be easier and inspire more confidence than this.

    Am I missing something?

    #===> $ cat SHA1SUM.txt
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    834fd761b9c0a5dc550d10d97307dac998103a68 FC-6-i386-rescuecd.iso
    cc503d99c9d736af9052904a6ab14931b0850078 FC-6-i386-disc1.iso
    3051710e6b2f1d17a14ede0ebb74761c29cda954 FC-6-i386-disc2.iso
    5357ce21f8766db385b25923216a430b694bca5d FC-6-i386-disc3.iso
    d6133ab5ccf19431c14fd2ad85bce03c9834ef87 FC-6-i386-disc4.iso
    6722f95b97e5118fa26bafa5b9f622cc7d49530c FC-6-i386-DVD.iso
    22327af62d6376916e209b0c4934540e14d5664a FC-6-i386-disc5.iso
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.6 (GNU/Linux)

    iD8DBQFFNo/utEJp0E8qb9IRAsf7AJ9ZqiDlKqJfAh8g5QHyDMmPOzNbTACfb yGw
    hB8bkLBT+6ANW6y8iBmlxz8=
    =O/Le
    -----END PGP SIGNATURE-----

  2. Re: downloaded FC6, how to

    On Mon, 13 Nov 2006 22:30:45 -0500, Mike Anonymous Coward wrote:

    > I downloaded Fedora-6, but how to verify the signature?

    $ gpg --verify SHA1SUM.txt
    gpg: Signature made Wed 18 Oct 2006 04:34:54 PM EDT using DSA key ID 4F2A6FD2
    gpg: Good signature from "Fedora Project "
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: CAB4 4B99 6F27 744E 8612 7CDF B442 69D0 4F2A 6FD2

    The signature verifies ok. I'm not sure from your message if you
    were just missing the --verify option, or if you're questioning
    how to decide whether or not to trust the key.

    Given that the key is from the fedora.redhat.com website, unless you
    think their site has been hacked, it's probably pretty safe to trust.

    The developers, could sign the key, and put their keys on the key
    servers, but unless you knew one of them well enough, to verify
    their key, that wouldn't really be much help. Given the purpose
    of the key, I'd be satisfied, simply because it's from their website.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

  3. Re: downloaded FC6, how to

    On Mon, 13 Nov 2006 23:51:54 -0500, David W. Hodgins wrote:

    > On Mon, 13 Nov 2006 22:30:45 -0500, Mike Anonymous Coward wrote:
    >
    >> I downloaded Fedora-6, but how to verify the signature?

    > $ gpg --verify SHA1SUM.txt
    > gpg: Signature made Wed 18 Oct 2006 04:34:54 PM EDT using DSA key ID 4F2A6FD2
    > gpg: Good signature from "Fedora Project "
    > gpg: WARNING: This key is not certified with a trusted signature!
    > gpg: There is no indication that the signature belongs to the owner.
    > Primary key fingerprint: CAB4 4B99 6F27 744E 8612 7CDF B442 69D0 4F2A 6FD2
    >
    > The signature verifies ok. I'm not sure from your message if you
    > were just missing the --verify option, or if you're questioning
    > how to decide whether or not to trust the key.
    >
    > Given that the key is from the fedora.redhat.com website, unless you
    > think their site has been hacked, it's probably pretty safe to trust.
    >
    > The developers, could sign the key, and put their keys on the key
    > servers, but unless you knew one of them well enough, to verify
    > their key, that wouldn't really be much help. Given the purpose
    > of the key, I'd be satisfied, simply because it's from their website.
    >
    > Regards, Dave Hodgins
    My point is... how do you know that key is from fedora?
    ....what? Because of the email address in it?
    Or maybe this is un-spoofable and crypto is not really that useful?
    > $ gpg --fetch-keys http://fedora.redhat.com/About/security/4F2A6FD2.txt


    That's why it says
    > gpg: There is no indication that the signature belongs to the owner.


    What about a key signing authority?
    And getting that key signed by one... after all if they
    are publishing software on a planetary scale and it might be worth the
    bother... to prevent impostors with crypto keys anyone can make.

    AND I would guess they did, for just that reason.
    But I can't tell. Is it so?
    My crypto knowledge is mostly theoretical not practical, so I suspect I'm
    missing something. Maybe not?

    There could be multiple copies of this key out there,
    with different signatures... and maybe I got a meager copy?
    I would hope so, but I don't see how to get a better copy... signed by
    many more trustworthy signers... am I missing something there?
    I would guess fedora.redhat.com would offer the best available?

    I guess people in alt.security.pgp can't really address those questions,
    but what about this one:
    .... are my signers... expired or something? What does this mean?

    $ gpg --list-sig 4F2A6FD2
    pub 1024D/4F2A6FD2 2003-10-27
    uid Fedora Project
    sig 3 4F2A6FD2 2003-10-27 Fedora Project
    sig 3 DB42A60E 2003-10-27 [User ID not found]
    sig 8DF56D05 2003-10-28 [User ID not found]
    sig 71656E68 2004-02-13 [User ID not found]
    sig 188CB7C9 2005-01-06 [User ID not found]
    sig 2048C528 2004-03-30 [User ID not found]
    sig 220A3F8F 2004-05-17 [User ID not found]
    sig 11E60E88 2004-08-07 [User ID not found]
    sig 003E1D9D 2004-08-07 [User ID not found]
    sig FAF6AFE3 2004-08-07 [User ID not found]
    sig 2A74F90D 2004-08-07 [User ID not found]
    sig 7BAC7F6C 2004-10-23 [User ID not found]
    sig 4892CA9A 2004-12-06 [User ID not found]
    sig 044584B5 2005-01-06 [User ID not found]
    sig 429AC6B6 2005-02-12 [User ID not found]
    sig 635C408A 2005-03-23 [User ID not found]
    sig EADA7C59 2005-04-13 [User ID not found]
    sig 74DF4D6B 2005-07-14 [User ID not found]
    sig 30B94B5C 2006-05-09 [User ID not found]
    sig B84B8090 2006-08-17 [User ID not found]
    sig 1 9299C587 2005-06-17 [User ID not found]
    sig 2 2A7559D5 2004-11-09 [User ID not found]
    sig 2 CF4655CF 2003-12-15 [User ID not found]
    sig 2 BE950472 2004-05-17 [User ID not found]
    sig 2 071ED426 2005-01-25 [User ID not found]
    sig 2 669E0FA3 2005-01-25 [User ID not found]
    sig 3 BB4B29A7 2003-12-03 [User ID not found]
    sig 3 A8F02EF5 2004-10-21 [User ID not found]
    sig 3 5A2457CF 2005-06-02 [User ID not found]
    sig 3 D950C647 2004-01-20 [User ID not found]
    sig 3 02FF71B2 2004-02-15 [User ID not found]
    sig 3 ADD4C933 2004-02-21 [User ID not found]
    sig 3 8B415BA9 2004-03-29 [User ID not found]
    sig 3 DC29E554 2004-03-29 [User ID not found]
    sig 3 4DE85EF8 2004-05-23 [User ID not found]
    sig 3 3791C60A 2005-03-03 [User ID not found]
    sig 3 R A403ECA0 2004-02-23 [User ID not found]
    sub 1024g/FB939E34 2003-10-27
    sig 4F2A6FD2 2003-10-27 Fedora Project

    Should I not be able to go to a keyserver and look up these keys?
    The fedora key should be WELL known.
    http://pgp.mit.edu/ and search for 4F2A6FD2
    Public Key Server -- Error
    No matching keys in database
    or (since I don't know what I'm doing) search for
    CAB4 4B99 6F27 744E 8612 7CDF B442 69D0 4F2A 6FD2
    Public Key Server -- Error
    No matching keys in database
    .... since it is a public key server I thought.. well, I'll just submit
    that key (the beauty of public key crypto)... but I still can't find it on
    that server. I must be doing it wrong?

  4. Re: downloaded FC6, how to

    Mike Anonymous Coward wrote:
    > I guess people in alt.security.pgp cant really address those
    > questions, but what about this one:
    > ... are my signers... expired or something? What does this mean?
    >
    > $ gpg --list-sig 4F2A6FD2
    > pub 1024D/4F2A6FD2 2003-10-27
    > uid Fedora Project
    > sig 3 4F2A6FD2 2003-10-27 Fedora Project
    > sig 3 DB42A60E 2003-10-27 [User ID not found]
    > sig 8DF56D05 2003-10-28 [User ID not found]
    > sig 71656E68 2004-02-13 [User ID not found]

    ....

    The signers' keys aren't in your keyring. Import the keys to see the
    information.

    > Should I not be able to goto a keyserver and lookup these keys?


    Yes, you can do that.

    > The fedora key should be WELL known.
    > http://pgp.mit.edu/ and search for 4F2A6FD2


    Use the key server at http://wwwkeys.pgp.net/ and prefix the key ID
    with "0x", e.g. 0xDB42A60E

    --
    Markku Kolkka
    markku.kolkka@iki.fi
  5. Re: downloaded FC6, how to

    On Wed, 15 Nov 2006 05:10:13 -0500, Mike Anonymous Coward wrote:

    > My point is... how do you know that key is from fedora?
    > ...what? Because of the email address in it?


    Because you got it directly from their website.

    > That's why it says
    >> gpg: There is no indication that the signature belongs to the owner.


    The above message simply means I have not signed it, to confirm
    I believe it's from fedora. If I sign it, that message goes away.

    > What about a key signing authority?


    Different type of keys, and different software required to check
    the keys, and the signed messages. More difficult for the end
    user to use.

    > And getting that key signed by one... after all if they
    > are publishing software on a planetary scale and it might be worth the
    > bother... to prevent impostors with crypto keys anyone can make.


    You would not only have to generate a key with their email address
    (easy to do), but you'd have to have the same keyid, as theirs is
    well known, and post your fake key, to their webserver, or succeed
    in a man in the middle attack, against someone trying to download
    the key, from their website (not so easy).

    Keep in mind, why they are using gpg. As I understand it, the
    signing of the text files, containing the SHA1, or MD5 sums, is
    primarily to ensure the sums themselves, have not been corrupted,
    during download. Similar with the signing of the rpm packages.

    Yes there are steps they could take, to build the trust level of
    the keys. For whatever reason, those who have signed the key,
    have chosen not to publish their own keys, on the regular
    keyservers.

    Improving security is almost always a trade-off with ease of
    use. The redhat team appear to have chosen to use gpg simply
    as another check, to prevent corrupted downloads from being
    used, not as a guarantee, that the packages are from a trusted
    source. Again, to provide that level of trust, the main key
    would have to be signed by the developers, and you would either
    have to know one of the developers, or a signer of their key,
    well enough to trust them, to only sign keys they know, are
    held by trustworthy people.

    Also, keep in mind, rpm, and gpg use different keyrings. You
    may well have already had the key (generated in 2003), on your
    rpm keyring, but didn't have it on your gpg keyring, hence the
    need to import it from the website.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)
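    The checks Dave lays out in this reply and in his first one (a valid signature whose key fingerprint matches the one obtained out of band, and only then the ISO sums), as an added shell example that is not code from the thread. The expected fingerprint is the one quoted in the thread for key 4F2A6FD2; the sample "ISO", signed list and gpg status files are constructed stand-ins so the functions run offline without gpg or the real images.

```shell
#!/bin/sh
# Added example, not code from the thread. A bare "Good signature" proves little,
# since anyone can make a key whose user ID says "Fedora Project": the signer's
# full fingerprint must also equal the one obtained out of band (here the one
# quoted in the thread for 4F2A6FD2). Only then are the signed sums worth checking.
# Status lines come from:  gpg --status-fd 1 --verify SHA1SUM.txt > gpg.status
EXPECTED_FPR="CAB44B996F27744E86127CDFB44269D04F2A6FD2"   # thread fingerprint, spaces removed

# check_fingerprint STATUSFILE EXPECTED: 0 only if gpg's VALIDSIG line carries EXPECTED
check_fingerprint() {
    fpr=$(awk '$2 == "VALIDSIG" { print $3; exit }' "$1")
    [ -n "$fpr" ] && [ "$fpr" = "$2" ]
}

# extract_sums SIGNEDFILE: print "sha1 name" lines from the clearsigned body only
extract_sums() {
    awk '/^-----BEGIN PGP SIGNATURE-----/ { exit }
         NF == 2 && length($1) == 40 && $1 ~ /^[0-9a-f]+$/ { print $1, $2 }' "$1"
}

# check_sums SIGNEDFILE DIR: 0 only if the list is non-empty and every image matches
check_sums() {
    extract_sums "$1" | grep -q . || { echo "no checksums found" >&2; return 1; }
    extract_sums "$1" | while read -r want name; do
        [ -f "$2/$name" ] || { echo "missing: $name" >&2; exit 1; }
        have=$(sha1sum "$2/$name" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "MISMATCH: $name" >&2; exit 1; }
    done
}

# verify_release STATUSFILE SIGNEDFILE DIR: signer fingerprint first, then the sums
verify_release() {
    check_fingerprint "$1" "$EXPECTED_FPR" || { echo "untrusted signer" >&2; return 1; }
    check_sums "$2" "$3"
}

# make_sample DIR: constructed stand-ins (tiny fake "ISO", its signed list, a
# status file for the thread's key and one for a forged key with the same UID).
make_sample() {
    mkdir -p "$1"
    printf 'constructed stand-in for an ISO\n' > "$1/FC-6-i386-rescuecd.iso"
    sum=$(sha1sum "$1/FC-6-i386-rescuecd.iso" | cut -d' ' -f1)
    printf '%s\nHash: SHA1\n\n%s FC-6-i386-rescuecd.iso\n%s\n(omitted)\n%s\n' \
        '-----BEGIN PGP SIGNED MESSAGE-----' "$sum" '-----BEGIN PGP SIGNATURE-----' '-----END PGP SIGNATURE-----' > "$1/SHA1SUM.txt"
    fmt='[GNUPG:] GOODSIG %s Fedora Project\n[GNUPG:] VALIDSIG %s 2006-10-18 1161203694 0 3 0 17 2 00 %s\n'
    printf "$fmt" B44269D04F2A6FD2 "$EXPECTED_FPR" "$EXPECTED_FPR" > "$1/good.status"
    fake="0123456789ABCDEF0123456789ABCDEF01234567"   # constructed forged key, same UID
    printf "$fmt" 89ABCDEF01234567 "$fake" "$fake" > "$1/fake.status"
}
```

    With real downloads, produce gpg.status with the command in the header comment and run `verify_release gpg.status SHA1SUM.txt .` in the directory holding the ISOs.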

  6. Re: downloaded FC6, how to

    On Wed, 15 Nov 2006 14:18:27 -0500, "David W. Hodgins" wrote:

    >On Wed, 15 Nov 2006 05:10:13 -0500, Mike Anonymous Coward wrote:
    >
    >> My point is... how do you know that key is from fedora?
    >> ...what? Because of the email address in it?

    >
    >Because you got it directly from their website.
    >
    Websites can be hacked. Happens all the time.