How to verify ISO download

  • How can I be sure that Source Forge has not modified the ISO when I download it? Many open source projects have a SHA256 hash of their downloads directly on their HTTPS website which I compare against the download (I use 7-zip on Windows although there is probably a better solution). I see there is a "PGP key ID" and "Fingerprint" for the Open Media Vault; do these serve the same purpose and how do I use them? This does not appear to be documented in the introductory videos at Installation and Setup Videos - Beginning, Intermediate and Advanced.

  • Original poster again, still haven't figured this out.

    Sorry, this is confusing because it's in reference to another piece of software that has the signature and other files available for download. Whereas OMV has three two PGP key IDs and Fingerprints (but no signatures?) on the download page and not in a form that can be downloaded with the appropriate file names and extensions.


    Every download folder contains the hashes of the ISO, e.g. https://sourceforge.net/projects/openmediavault/files/5.0.5/

    Download the ISO, openmediavault_4.1.22-amd64.iso, then download the hash. I choose openmediavault_4.1.22-amd64.iso.sha256. Then open the terminal and cd to your Downloads folder. Type in "sha1sum -b openmediavault_4.1.22-amd64.iso" and compare the number in your terminal to the number listed for your ISO.



    Having the hashes on SourceForge is not helpful since SourceForge could modify the signature files just as easily as the ISO files. A solution would be to have the hashes (preferably SHA256) directly on the OMV HTTPS website.

  • Having the hashes on SourceForge is not helpful since SourceForge could modify the signature files just as easily as the ISO files. A solution would be to have the hashes (preferably SHA256) directly on the OMV HTTPS website.

    If you are going to be paranoid about sourceforge modifying checksums and ISO files, then you shouldn't trust the hoster of the omv https site either. Sourceforge has been around a long time and I think you should be able to trust it.

    omv 6.0.35-1 Shaitan | 64 bit | 5.15 proxmox kernel | plugins :: omvextrasorg 6.1.1 | kvm 6.1.22 | mergerfs 6.2 | zfs 6.0.11
    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.
    Please don't PM for support... Too many PMs!

  • Perhaps so. However, Source Forge has had a not so great track record.


    https://www.howtogeek.com/2187…forge-if-you-can-help-it/


    Yes, I did read the update at the top of that article that states Source Forge has been sold to a company that stopped the bad practices. But the fact that the Source Forge website did those practices still leaves a bad taste with me. My understanding of internet security is that you should trust as few entities as possible, and Source Forge is not one I particularly want to trust, especially when it comes to the operating system I want to put my personal files on. Even if I mostly trusted Source Forge, cross-checking that one source matches another source would provide more assurance.


    If you think I'm paranoid about checking the integrity of the ISO files, then why have the PGP information on the download page anyway (please don't take me negatively)?


    If someone has a set of instructions on how to verify the ISO, that would be great!

  • If someone has a set of instructions on how to verify the ISO, that would be great!


    fred@telescope ~/Downloads/omv files $ gpg --import openmediavault_5.6.13-amd64.iso.key

    fred@telescope ~/Downloads/omv files $ gpg --sign-key D67506C878E08A94FD7E009424863F0C716B980B

    fred@telescope ~/Downloads/omv files $ gpg --verify openmediavault_5.6.13-amd64.iso.asc openmediavault_5.6.13-amd64.iso
    gpg: Signature made Wed 25 Aug 2021 03:56:54 PM EDT
    gpg: using RSA key D67506C878E08A94FD7E009424863F0C716B980B
    .
    .
    .
    .
    gpg: Good signature from "OpenMediaVault.org (OpenMediaVault packages archive) <packages@openmediavault.org>" [full]


    The filenames above (openmediavault_5.6.13-amd64.iso.key, openmediavault_5.6.13-amd64.iso.asc and openmediavault_5.6.13-amd64.iso) are the public key file, the detached signature file, and the iso image file available on the OMV Sourceforge download site.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 6.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 16GB ECC RAM.

  • However, Source Forge has had a not so great track record.

    I agree not good but they were Windows packages and I have not seen any evidence that they have continued these practices or ever changed Linux ISOs.

    If you think I'm paranoid about checking the integrity of the ISO files, then why have the PGP information on the download page anyway (please don't take me negatively)?

    I do NOT think it is paranoid to check the integrity of ISO files. I just thought it was a little paranoid to believe the checksum and iso had been changed. omv-extras does a checksum test when downloading ISO files itself. gderf's instructions should prove the ISO has not been altered which means the checksum should be valid.


  • Thanks gderf!

    Is this the expected output? There's some warnings in here that I don't see in your example. Did you just omit those?



    I just thought it was a little paranoid to believe the checksum and iso had been changed. omv-extras does a checksum test when downloading ISO files itself.

    From learning about the theory of electronic signatures, I think I understand there are 2 reasons to verify a download.

    1. To make sure the download was not corrupted by some non-engineered network glitch or incomplete download.
    2. To make sure the download is legitimate, truly unmodified from the trusted entity/person and not from a "man-in-the-middle" or other entity.

    Downloading hash or signature files from SourceForge and comparing them to the ISO would take care of the first objective but not the second. I don't know, maybe I'm a bit paranoid, but I am wanting to learn how to do things the right way.

  • My post included lines that were only a single period. That indicates omitted content that wasn't relevant.


  • Downloading hash or signature files from SourceForge and comparing them to the ISO would take care of the first objective but not the second. I don't know, maybe I'm a bit paranoid, but I am wanting to learn how to do things the right way.

    The second does confirm that but to spoof a sha256sum would require a very large budget. Pretty sure no one is targeting OMV. And I don't consider sourceforge to be a man in the middle. But if you feel better verifying the signature and learn something from it, I am all for it.


  • I don't get the point.

    • There is no need to check for a broken download by cryptographic means, a simple checksum / hash is enough, CRC, MD5, sha, ...
    • If you want to make sure the iso is created by the "right person" and has not been tampered with, you have to verify the given key against its hash from the openmediavault website, and check the signature of the iso with this key.


    So what else do you need?

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.

  • Unfortunately the use of PGP is not all that well disciplined.


    In this case the iso file is PGP signed with a public key that is provided in the same manner as the file (in band).


    If someone had the ability to modify the download directory content they could replace the file with something they altered and sign it with a PGP key they generated themselves. They would then provide that bogus public key along with the altered file and also modify the website where the PGP key fingerprint is posted to provide the fingerprint for the bogus key.


    If you download and use that public key to verify the file all would seem to be good. But unless you somehow verify that the key used to sign the file actually belongs to who you think it does you might be fooled. Doing this properly requires verifying the authenticity of the key via a completely out of band method. How will you do this?

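The procedure gderf's two posts describe (import the in-band key, verify the detached signature, but only trust the result if the key's fingerprint matches one obtained outside the download folder), as an added, runnable example. This is not code from the OMV project or from anyone in this thread. It generates a throwaway signer, an "attacker" signer and a small stand-in file so it runs offline; the user IDs, file names and the "trojaned" payload are invented for the demonstration. The checks themselves use only standard gpg, gpgconf, sha256sum and awk invocations.

```bash
#!/usr/bin/env bash
# Added example, not code from the OMV project or from any post above.
# Verifies an ISO the way the thread describes: import the in-band .key file,
# pin the signing key's fingerprint (obtained out of band), verify the detached
# .asc signature, and compare the .sha256. Keys, signatures and the "ISO" are
# constructed on the fly so the script runs offline; real use substitutes the
# downloaded openmediavault_*.iso, .asc, .key and .sha256 files.
set -eu

# gpg with an explicit throwaway homedir and no prompts.
g() { local home="$1"; shift; gpg --batch --no-tty --homedir "$home" "$@"; }
stop_agent() { gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true; }

# Fingerprint(s) of the primary key(s) in a keyring: in colon output the "fpr"
# line that follows a "pub" line carries the fingerprint in field 10.
primary_fpr() {
    g "$1" --with-colons --list-keys |
        awk -F: '$1=="pub"{w=1;next} w&&$1=="fpr"{print $10;w=0}'
}

# sha256_matches ISO SHA256FILE: the checksum-only check. It catches a corrupt
# download but says nothing about who produced the file, because the .sha256
# travels in the same download folder as the ISO.
sha256_matches() {
    [ "$(sha256sum "$1" | awk '{print $1}')" = "$(awk 'NR==1{print $1}' "$2")" ]
}

# verify_iso ISO SIG KEYFILE PINNED_FPR [SHA256FILE]
# Succeeds only if KEYFILE holds exactly one primary key whose fingerprint is
# PINNED_FPR, SIG is a valid signature by that key over ISO, and the hash matches.
verify_iso() {
    local iso="$1" sig="$2" keyfile="$3" pinned="$4" sha="${5:-}"
    local home got status
    home=$(mktemp -d)        # fresh keyring: nothing already trusted leaks in
    g "$home" --import "$keyfile" >/dev/null 2>&1
    got=$(primary_fpr "$home")
    if [ "$got" != "$pinned" ]; then
        echo "FAIL: key fingerprint '$got' is not the pinned '$pinned'" >&2
        stop_agent "$home"; rm -rf "$home"; return 1
    fi
    # --status-fd 1 gives machine-readable lines. VALIDSIG names the signing
    # key's fingerprint first and the primary key's fingerprint last; the trust
    # warnings gpg prints on stderr are irrelevant once the fingerprint is pinned.
    status=$(g "$home" --status-fd 1 --verify "$sig" "$iso" 2>/dev/null) || true
    stop_agent "$home"; rm -rf "$home"
    if ! printf '%s\n' "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG ($pinned |.* $pinned\$)"; then
        echo "FAIL: no valid signature by $pinned over $iso" >&2; return 1
    fi
    if [ -n "$sha" ] && ! sha256_matches "$iso" "$sha"; then
        echo "FAIL: sha256 mismatch for $iso" >&2; return 1
    fi
    echo "OK: $iso is signed by $pinned"
}

# --- constructed fixture (invented names, not real OMV files) ---------------
# make_signer HOME USERID FILE: generate a key, then publish FILE.asc, FILE.key
# and FILE.sha256 next to FILE, exactly as a download folder would.
make_signer() {
    mkdir -m 700 "$1"
    g "$1" --pinentry-mode loopback --passphrase '' --quick-generate-key "$2" >/dev/null 2>&1
    g "$1" --pinentry-mode loopback --passphrase '' --yes --armor --detach-sign -o "$3.asc" "$3"
    g "$1" --armor --export -o "$3.key"
    (cd "$(dirname "$3")" && sha256sum "$(basename "$3")") >"$3.sha256"
}
make_fixture() {
    FIX=$(mktemp -d)
    ISO="$FIX/openmediavault_example.iso"        # stand-in for the real ISO
    printf 'constructed ISO payload for the example\n' >"$ISO"
    make_signer "$FIX/signer" 'Example Signer <signer@example.invalid>' "$ISO"
    GOOD_FPR=$(primary_fpr "$FIX/signer")        # what you would obtain out of band
    # The scenario from gderf's post: an attacker swaps the ISO, signs it with a
    # key they generated, and publishes that key and a matching .sha256 in band.
    EVIL="$FIX/swapped.iso"
    printf 'trojaned payload\n' >"$EVIL"
    make_signer "$FIX/attacker" 'Example Attacker <attacker@example.invalid>' "$EVIL"
    stop_agent "$FIX/signer"; stop_agent "$FIX/attacker"
}
demo_genuine() { verify_iso "$ISO"  "$ISO.asc"  "$ISO.key"  "$GOOD_FPR" "$ISO.sha256"; }
demo_swapped() { verify_iso "$EVIL" "$EVIL.asc" "$EVIL.key" "$GOOD_FPR" "$EVIL.sha256"; }
demo_corrupt() {                 # the genuine signature over a damaged download
    cp "$ISO" "$FIX/corrupt.iso"; printf 'x' >>"$FIX/corrupt.iso"
    verify_iso "$FIX/corrupt.iso" "$ISO.asc" "$ISO.key" "$GOOD_FPR"
}

make_fixture
demo_genuine                                   # OK: ... is signed by <GOOD_FPR>
demo_swapped || true                           # FAIL: key fingerprint mismatch
sha256_matches "$EVIL" "$EVIL.sha256" && echo "note: the swapped ISO's own .sha256 still matched"
demo_corrupt || true                           # FAIL: no valid signature
```

For a real download the call is verify_iso openmediavault_5.6.13-amd64.iso openmediavault_5.6.13-amd64.iso.asc openmediavault_5.6.13-amd64.iso.key FINGERPRINT openmediavault_5.6.13-amd64.iso.sha256, where FINGERPRINT is the value you read from somewhere other than the download folder (the OMV website, and ideally a second place, as macom suggests). The swapped-ISO case is the whole point: its .sha256 matches and gpg would print "Good signature" for the attacker's key, and only the fingerprint pin rejects it. The "not certified with a trusted signature" warning that gpg prints is about the web of trust, which this check replaces with the pinned fingerprint.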

  • But the fingerprint of the key is published on the omv website / out of band.


  • But the fingerprint of the key is published on the omv website / out of band.

    That isn't completely out of band. Picking up the phone and calling the key owner would be completely out of band. Or like we used to do in the beginning, we had face to face keysigning parties, and yes these things really used to happen.


    I have been using PGP since 1994 - https://pgp.mit.edu/pks/lookup?search=fred+grayson&op=index


  • OK; if sourceforge and volkes website are compromised, we are out of luck. Or we spread the fingerprint by other means.

    Not really out of band, but the more often the fingerprint is published, the harder to compromise.


    You must be as old as i am, having had a compuserver mail address :-)


  • Well, I don't use PGP to verify software file integrity anyway. The signing KeyIDs aren't people, they are things. If I check the IDs who signed the signing key, I don't personally know any of them either. If I continue further along the so called "web of trust" I don't know any of those people. So the software signing key remains an untrusted dead end making the process basically worthless to me.


    What I do is check the 256sum to be sure a download isn't corrupted. And then I wait a while, and wait some more. If a package was trojaned it will be reported somewhere sooner rather than later and I will not have installed it as yet so no harm. But as far as OMV ISOs go, I haven't touched one since I started with v 2.x. I have always upgraded in place to the next version. And to do this I have to trust the repos. If I can't do that I wouldn't be running the software in the first place.

