Verifying and checksumming new release is somewhat cumbersom

john doe johndoe65534 at mail.com
Sat Nov 28 07:57:05 CET 2020


On 11/26/2020 9:10 PM, Werner Koch wrote:
> Hi,
>
> and thanks for asking.
>

Thanks for this.

To be sure that I understand you correctly, I took the liberty of
rewording your answers.

> On Thu, 26 Nov 2020 19:12, john doe said:
>
>> Is there a URL to download those sha1sums and those public keyss as  files?
>
> The problem with sha1sums is that a single publication would be easy to
> fake.  The only known countermeasure is to widely distribute them.  We
> do have them on the website as you noticed, they are send out by signed
> mail to several thousand subscribers, and our and other mail archives
> carry the release announcement with the checksums.
>

If I look at Debian (1) for example, the checksum file is gpg signed.
Assuming that I understand correctly, the Debian approach is not a safe
way to make the checksums available?propagate?

> No, there is no single file with the checksums because that would be a
> too easy target for an attacker.
>

Even if the file would be gpg signed?

>> and for the public key I could do something like:
>>
>> $ wget <URL-OF-PUBLIC-KEYS>
>> $ gpg --import <PUBLIC-KEYS-FILES>
>> $ gpg --verify *.sig
>
> And please check the printed fingerprint against copies of the
> fingerprint distributed in the same way as the checksums.  The keys are
> also quite well connected in the Web-of-Trust, which can also help to to
> validate them.
>

You mean by checking if the  fingerprint of the downloaded keys match
the one listed on the web site?

> The advantage of the public keys and the fingerprints is that they do
> not change and thus you only need to validate them once once and sign
> the keys so that you can trust them in the future.
>

Okay, if the fingerprints matches I should sign the keys with mine.

>> I understand that for this last step I could also do:
>>
>> $ gpg --keyserver-options auto-key-retrieve veirfy *.sig
>
> Don't.  For verification always use
>
>     gpg --verify file.sig file
>

Okay, won't do that anymore.

> and check the output well.  If you need to automate this, use gpgv and
> put all the trusted signing keys into a dedicated keyring.  For
> automating this with gpg, I would suggest to write a gpgme based tool.
>

If I want to verify a new release,:
- Manually: take advantage of gpgv
- Unattended: use a wrapper around gpgme


Your input is much appriciated.

1)  https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/

--
John Doe



More information about the Gnupg-users mailing list