
Ubuntu, verifying PGP keys in Kleopatra on Windows
« on: 09 January, 2018, 12:43:12 pm »
I'm starting to pay attention to security and intend to run Ubuntu from an external drive for certain things. I've hardly used Linux before and have no command-line knowledge, so for the time being it seems like checking the integrity of downloaded software in Windows is the easiest thing for me to do, including the Ubuntu installation file. And I think I understand the basics of how to do this; indeed I did it last year for other software, but have kinda forgotten in the meantime. For some reason the .gpg files on the Ubuntu site don't seem to import into Kleopatra, or rather, when I try to import them I'm told that no PGP keys were detected. Maybe I'm an idiot and have no idea what I'm doing... but I can't see why there's a problem.

Re: Ubuntu, verifying PGP keys in Kleopatra on Windows
« Reply #1 on: 09 January, 2018, 01:06:32 pm »
The gpg files in http://releases.ubuntu.com/16.04.3/ do not contain any keys; rather, they are signatures made with keys. For example:

$ gpg --verify SHA1SUMS.gpg SHA1SUMS
gpg: Signature made Thu 03 Aug 2017 14:56:51 BST
gpg:                using DSA key 46181433FBB75451
gpg: Can't check signature: No public key
gpg: Signature made Thu 03 Aug 2017 14:56:51 BST
gpg:                using RSA key D94AA3F0EFE21092
gpg: Can't check signature: No public key

I can't check the signatures because I don't have the relevant keys in my keyring. If I download the keys:

$ gpg --recv-keys 46181433FBB75451 D94AA3F0EFE21092

then I can verify the signature:

$ gpg --verify SHA1SUMS.gpg SHA1SUMS
gpg: Signature made Thu 03 Aug 2017 14:56:51 BST
gpg:                using DSA key 46181433FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
gpg: Signature made Thu 03 Aug 2017 14:56:51 BST
gpg:                using RSA key D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092

That shows that the signatures are good; however, it warns that I have not assigned any trust to the keys. To do that I would need to verify that the fingerprints do correspond to the Ubuntu keys.

Once I am happy with the signature, I would need to calculate the SHA1 checksum of the ISO and compare it with the value in the SHA1SUMS file.
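The steps in the reply above (obtain the key, verify the detached signature, check the fingerprint, check the image's hash) as one script, added here as an example; it is not code from the original thread or from Ubuntu. It runs offline against a constructed stand-in for a release directory: a throwaway key generated in a temporary GNUPGHOME, a one-line fake ISO, a SHA256SUMS file in the same "hash *filename" layout as the real one, and a detached signature. Assumptions that are mine, not the page's: the key arrives as an exported .asc file that is imported (the situation the question describes, and what `--recv-keys` does over the network in the reply), the expected fingerprint is already known from a trusted out-of-band source, and the release publishes SHA256SUMS alongside SHA1SUMS (SHA-1 is not a safe choice for an integrity check any more). The one check the reply's output does not spell out is made explicit: a "Good signature" is only accepted if the signing key's primary fingerprint is the expected one, because gpg reports "Good signature" for any key in the keyring. The fingerprint used for the negative case is the one printed in the reply, with the spaces removed; the demo key is not that key, so verification must fail. The commands are POSIX shell, but the gpg.exe that Gpg4win installs alongside Kleopatra accepts the same gpg options on Windows.

```shell
#!/bin/sh
# Added example, not from the original thread: release verification against a
# constructed stand-in. Assumptions (mine): SHA256SUMS/SHA256SUMS.gpg use the
# same layout as the SHA1SUMS pair in the reply, the public key is delivered
# as an exported .asc file, and the expected fingerprint is already known.
set -u

gpg_quiet() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# setup_demo DIR
#   Builds DIR/release/{ubuntu-demo.iso,SHA256SUMS,SHA256SUMS.gpg} signed by a
#   throwaway key, plus DIR/signing-key.asc (what a downloader would obtain).
#   Prints the throwaway key's fingerprint; a real verifier would instead take
#   that value from a trusted source, never from the download itself.
setup_demo() {
    dir=$1
    mkdir -p "$dir/signer" "$dir/release" && chmod 700 "$dir/signer"
    (
        export GNUPGHOME="$dir/signer"
        gpg_quiet --quick-generate-key \
            "Demo CD Image Signing Key <cdimage@example.invalid>" default default never 2>/dev/null
        printf 'constructed stand-in for an ISO image\n' > "$dir/release/ubuntu-demo.iso"
        cd "$dir/release"
        sha256sum -b ubuntu-demo.iso > SHA256SUMS          # "hash *file" layout
        gpg_quiet --detach-sign --output SHA256SUMS.gpg SHA256SUMS
        gpg --batch --armor --export > "$dir/signing-key.asc"
        gpg --batch --with-colons --fingerprint --list-keys | awk -F: '$1=="fpr"{print $10; exit}'
    )
}

# verify_release DIR EXPECTED_FPR ISO
#   Imports the published key into a separate verifier keyring, checks the
#   detached signature on SHA256SUMS, confirms the signing key's primary
#   fingerprint is EXPECTED_FPR, then checks ISO against its SHA256SUMS entry.
#   Returns 0 only if every step holds.
verify_release() {
    dir=$1; expected=$2; iso=$3
    (
        export GNUPGHOME="$dir/verifier"
        mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
        gpg --batch --quiet --import "$dir/signing-key.asc" 2>/dev/null \
            || { echo "key import failed"; exit 1; }
        cd "$dir/release"
        # --status-fd gives machine-readable lines; the last field of VALIDSIG
        # is the primary key fingerprint ("Primary key fingerprint:" in the
        # human-readable output). gpg exits 0 here even though the key is
        # untrusted, so the fingerprint comparison is what binds it to Ubuntu.
        status=$(gpg --batch --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null) \
            || { echo "bad or unverifiable signature on SHA256SUMS"; exit 1; }
        actual=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF; exit}')
        [ -n "$actual" ] && [ "$actual" = "$expected" ] \
            || { echo "signed by ${actual:-<none>}, expected $expected"; exit 1; }
        # Check only our image's line; the real file lists every image of the release.
        grep -- " \*$iso\$" SHA256SUMS | sha256sum -c --status - \
            || { echo "checksum mismatch for $iso"; exit 1; }
        echo "OK: $iso matches SHA256SUMS, signed by $actual"
    )
}

demo=$(mktemp -d)
fpr=$(setup_demo "$demo")
if verify_release "$demo" "$fpr" ubuntu-demo.iso; then echo "(expected: pass)"; fi
# Fingerprint from the reply above: a good signature from a different key is rejected.
if ! verify_release "$demo" C5986B4F1257FFA86632CBA746181433FBB75451 ubuntu-demo.iso; then
    echo "(expected: wrong key rejected)"
fi
printf 'tampered\n' >> "$demo/release/ubuntu-demo.iso"
if ! verify_release "$demo" "$fpr" ubuntu-demo.iso; then echo "(expected: tampered image rejected)"; fi
rm -rf "$demo"
```

The same three failures are the ones to expect in practice: a signature that does not verify at all (wrong or tampered SHA256SUMS, or the key not imported), a signature that verifies but from a key whose fingerprint is not the published one, and a hash line that does not match the image. Only the last of the three is what a checksum alone would catch.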