How can I be sure that Source Forge has not modified the ISO when I download it? Many open source projects have a SHA256 hash of their downloads directly on their HTTPS website which I compare against the download (I use 7-zip on Windows although there is probably a better solution). I see there is a "PGP key ID" and "Fingerprint" for the Open Media Vault; do these serve the same purpose and how do I use them? This does not appear to be documented in the introductory videos at Installation and Setup Videos - Beginning, Intermediate and Advanced.
How to verify ISO download
-
- OMV 4.x
- Jonathan L
-
Every download folder contains the hashes of the ISO, e.g. https://sourceforge.net/projects/openmediavault/files/5.0.5/
-
Download the ISO, openmediavault_4.1.22-amd64.iso, then download the hash. I choose openmediavault_4.1.22-amd64.iso.sha256. Then open the terminal and cd to your Downloads folder. Type in "sha1sum -b openmediavault_4.1.22-amd64.iso" and compare the number in your terminal to the number listed for your ISO.
Hey! How is it possible to check the progress of the sha1sum? (I'm checking a file that is 65GB.)
-
I'm checking a file that is 65GB
Then something went wrong while downloading the ISO of OMV
Regarding the progress, you can check the man page of sha1sum.
-
Original poster again, still haven't figured this out.
Sorry, this is confusing because it's in reference to another piece of software that has the signature and other files available for download. Whereas OMV has two PGP key IDs and Fingerprints (but no signatures?) on the download page and not in a form that can be downloaded with the appropriate file names and extensions.
Every download folder contains the hashes of the ISO, e.g. https://sourceforge.net/projects/openmediavault/files/5.0.5/
Download the ISO, openmediavault_4.1.22-amd64.iso, then download the hash. I choose openmediavault_4.1.22-amd64.iso.sha256. Then open the terminal and cd to your Downloads folder. Type in "sha1sum -b openmediavault_4.1.22-amd64.iso" and compare the number in your terminal to the number listed for your ISO.
Having the hashes on SourceForge is not helpful since SourceForge could modify the signature files just as easily as the ISO files. A solution would be to have the hashes (preferably SHA256) directly on the OMV HTTPS website.
-
Having the hashes on SourceForge is not helpful since SourceForge could modify the signature files just as easily as the ISO files. A solution would be to have the hashes (preferably SHA256) directly on the OMV HTTPS website.
If you are going to be paranoid about sourceforge modifying checksums and ISO files, then you shouldn't trust the hoster of the omv https site either. Sourceforge has been around a long time and I think you should be able to trust it.
-
Perhaps so. However, Source Forge has had a not so great track record.
https://www.howtogeek.com/2187…forge-if-you-can-help-it/
Yes, I did read update at the top of that article that states Source Forge has been sold to a company that stopped the bad practices. But the fact that the Source Forge website did those practices still leaves a bad taste with me. My understanding of internet security is that you should trust as few entities as possible, and Source Forge is not one I particularly want to trust, especially when it comes to the operating system I want to put my personal files on. Even if I mostly trusted Source Forge, cross-checking that one source matches another source, would provide more assurance.
If you think I'm paranoid about checking the integrity of the ISO files, then why have the PGP information on the download page anyway (please don't take me negatively)?
If someone has a set of instructions on how to verify the ISO, that would be great!
-
Jonathan L
Removed the "solved" label.
If someone has a set of instructions on how to verify the ISO, that would be great!
fred@telescope ~/Downloads/omv files $ gpg --import openmediavault_5.6.13-amd64.iso.key
fred@telescope ~/Downloads/omv files $ gpg --sign-key D67506C878E08A94FD7E009424863F0C716B980B
fred@telescope ~/Downloads/omv files $ gpg --verify openmediavault_5.6.13-amd64.iso.asc openmediavault_5.6.13-amd64.iso
gpg: Signature made Wed 25 Aug 2021 03:56:54 PM EDT
gpg: using RSA key D67506C878E08A94FD7E009424863F0C716B980B
.
.
.
.
gpg: Good signature from "OpenMediaVault.org (OpenMediaVault packages archive) <packages@openmediavault.org>" [full]
The filenames above in bold are the public key file, the detached signature file, and the iso image file available on the OMV Sourceforge download site.
-
However, Source Forge has had a not so great track record.
I agree not good but they were Windows packages and I have not seen any evidence that they have continued these practices or ever changed Linux ISOs.
If you think I'm paranoid about checking the integrity of the ISO files, then why have the PGP information on the download page anyway (please don't take me negatively)?
I do NOT think it is paranoid to check the integrity of ISO files. I just thought it was a little paranoid to believe the checksum and iso had been changed. omv-extras does a checksum test when downloading ISO files itself. gderf's instructions should prove the ISO has not been altered which means the checksum should be valid.
-
Thanks gderf!
Is this the expected output? There's some warnings in here that I don't see in your example. Did you just omit those?
Code:
jonathan@jonathan:~/Downloads/OMV$ gpg --import openmediavault_5.6.13-amd64.iso.key
gpg: key 24863F0C716B980B: 2 signatures not checked due to missing keys
gpg: key 24863F0C716B980B: public key "OpenMediaVault.org (OpenMediaVault packages archive) <packages@openmediavault.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
jonathan@jonathan:~/Downloads/OMV$ gpg --sign-key D67506C878E08A94FD7E009424863F0C716B980B
pub  rsa4096/24863F0C716B980B
     created: 2016-07-12  expires: never       usage: SC
     trust: unknown       validity: unknown
sub  rsa4096/273466D7E374134F
     created: 2016-07-12  expires: never       usage: E
[ unknown] (1). OpenMediaVault.org (OpenMediaVault packages archive) <packages@openmediavault.org>
gpg: no default secret key: No secret key
Key not changed so no update needed.
jonathan@jonathan:~/Downloads/OMV$ gpg --verify openmediavault_5.6.13-amd64.iso.asc openmediavault_5.6.13-amd64.iso
gpg: Signature made Wed 25 Aug 2021 02:56:54 PM CDT
gpg:                using RSA key D67506C878E08A94FD7E009424863F0C716B980B
gpg: Good signature from "OpenMediaVault.org (OpenMediaVault packages archive) <packages@openmediavault.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D675 06C8 78E0 8A94 FD7E 0094 2486 3F0C 716B 980B
I just thought it was a little paranoid to believe the checksum and iso had been changed. omv-extras does a checksum test when downloading ISO files itself.
From learning about the theory of electronic signatures, I think I understand there are 2 reasons to verify a download.
- To make sure the download was not corrupted by some non-engineered network glitch or incomplete download.
- To make sure the download is legitimate, truly unmodified from the trusted entity/person and not from a "man-in-the-middle" or other entity.
Downloading hash or signature files from SourceForge and comparing them to the ISO would take care of the first objective but not the second. I don't know, maybe I'm a bit paranoid, but I am wanting to learn how to do things the right way.
-
My post included lines that were only a single period. That indicates omitted content that wasn't relevant.
-
Downloading hash or signature files from SourceForge and comparing them to the ISO would take care of the first objective but not the second. I don't know, maybe I'm a bit paranoid, but I am wanting to learn how to do things the right way.
The second does confirm that but to spoof a sha256sum would require a very large budget. Pretty sure no one is targeting OMV. And I don't consider sourceforge to be a man in the middle. But if you feel better verifying the signature and learn something from it, I am all for it.
-
I don't get the point.
- There is no need to check for a broken download by cryptographic means, a simple checksum / hash is enough, CRC, MD5, sha, ...
- If you want to make sure the iso is created by the "right person" and has not been tampered with, you have to verify the given key against its hash from the openmediavault website and check the signature of the iso with this key.
So what else do you need?
Unfortunately the use of PGP is not all that well disciplined.
In this case the iso file is PGP signed with a public key that is provided in the same manner as the file (in band).
If someone had the ability to modify the download directory content they could replace the file with something they altered and sign it with a PGP key they generated themselves. They would then provide that bogus public key along with the altered file and also modify the website where the PGP key fingerprint is posted to provide the fingerprint for the bogus key.
If you download and use that public key to verify the file all would seem to be good. But unless you somehow verify that the key used to sign the file actually belongs to who you think it does you might be fooled. Doing this properly requires verifying the authenticity of the key via a completely out of band method. How will you do this?
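The following is an added example, not code from this thread or from the OMV project. It scripts the steps in gderf's gpg session and adds the piece he asks about: the key that arrives in band is only accepted if its fingerprint equals one you obtained out of band, and the signature is checked against that same fingerprint rather than trusting the words "Good signature". EXPECTED_FPR is the fingerprint printed in the thread (replace it with the value you verified yourself); the file names follow gderf's post; parsing gpg's --status-fd output is my choice, not something the thread describes.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OMV project.
# Verifies an ISO the way the gpg session in this thread does, but in an
# isolated keyring and with the signing key pinned to a fingerprint obtained
# out of band (EXPECTED_FPR: the one printed in the thread; replace with the
# value you obtained yourself). File names follow gderf's post.
set -u

EXPECTED_FPR="D67506C878E08A94FD7E009424863F0C716B980B"

# Step 1: the .sha256 file check. Only detects corrupt or truncated downloads;
# anyone who can swap the ISO on the mirror can swap this file too.
check_sha256() {  # $1 = iso, $2 = .sha256 file ("<hex>  <name>")
    expected=$(awk 'NR==1{print tolower($1)}' "$2")
    actual=$(sha256sum "$1" | awk '{print tolower($1)}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Step 2: interpret gpg's machine-readable status lines. Accept only a
# VALIDSIG whose primary-key fingerprint (field 12) is the pinned one;
# a "Good signature" from any other key is rejected.
validsig_matches() {  # $1 = text from gpg --status-fd, $2 = fingerprint
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($12) == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Step 3: import the in-band .key into a throwaway keyring, check that the key
# really carries EXPECTED_FPR, then verify the detached .asc signature.
verify_iso() {  # $1 = iso, $2 = .asc, $3 = .key
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$3" 2>/dev/null || return 1
    gpg --homedir "$tmp" --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: -v want="$EXPECTED_FPR" \
            '$1 == "fpr" && toupper($10) == want { f = 1 } END { exit f ? 0 : 1 }' \
        || { echo "imported key does not match the out-of-band fingerprint" >&2; return 1; }
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    validsig_matches "$status" "$EXPECTED_FPR"
}

# Usage: sh verify_omv_iso.sh <iso> <iso.asc> <iso.key>  (the .sha256 file is
# expected next to the ISO, as on the download page)
if [ "$#" -eq 3 ]; then
    check_sha256 "$1" "$1.sha256" && verify_iso "$1" "$2" "$3" && echo "ISO verified"
fi
```

The throwaway --homedir means nothing in your own keyring or web of trust affects the result; the only trust input is the fingerprint you typed in.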
-
But the fingerprint of the key is published on the omv website / out of band.
-
But the fingerprint of the key is published on the omv website / out of band.
That isn't completely out of band. Picking up the phone and calling the key owner would be completely out of band. Or like we used to do in the beginning, we had face to face keysigning parties, and yes these things really used to happen.
I have been using PGP since 1994 - https://pgp.mit.edu/pks/lookup?search=fred+grayson&op=index
-
OK; if sourceforge and Volker's website are compromised, we are out of luck. Or we spread the fingerprint by other means.
Not really out of band, but the more often the fingerprint is published, the harder it is to compromise.
You must be as old as I am, having had a CompuServe mail address.
-
Well, I don't use PGP to verify software file integrity anyway. The signing KeyIDs aren't people, they are things. If I check the IDs who signed the signing key, I don't personally know any of them either. If I continue further along the so called "web of trust" I don't know any of those people. So the software signing key remains an untrusted dead end making the process basically worthless to me.
What I do is check the 256sum to be sure a download isn't corrupted. And then I wait a while, and wait some more. If a package was trojaned it will be reported somewhere sooner rather than later and I will not have installed it as yet so no harm. But as far as OMV ISOs go, I haven't touched one since I started with v 2.x. I have always upgraded in place to the next version. And to do this I have to trust the repos. If I can't do that I wouldn't be running the software in the first place.