Is this normal?

s1lv3r
Offline
Joined: 10/29/2017

Hi everyone, I tried to download Trisquel 8 today. I downloaded the md5sum file and the ISO, but when I try to verify the ISO this happens:

gpg --keyserver keys.gnupg.net --recv-keys B4EFB9F38D8AEBF1
gpg: key B4EFB9F38D8AEBF1: 5 signatures not checked due to missing keys
gpg: key B4EFB9F38D8AEBF1: "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <name at domain>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

gpg --verify trisquel_8.0_amd64.iso.asc trisquel_8.0_amd64.iso
gpg: Signature made lun 19 giu 2017 05:53:40 CEST
gpg: using DSA key B4EFB9F38D8AEBF1
gpg: BAD signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <name at domain>" [unknown]

gpg --keyserver-options auto-key-retrieve --verify trisquel_8.0_amd64.iso.asc
gpg: assuming signed data in 'trisquel_8.0_amd64.iso'
gpg: Signature made lun 19 giu 2017 05:53:40 CEST
gpg: using DSA key B4EFB9F38D8AEBF1
gpg: key B4EFB9F38D8AEBF1: 5 signatures not checked due to missing keys
gpg: key B4EFB9F38D8AEBF1: public key "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <name at domain>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg: BAD signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <name at domain>" [unknown]

Why are there 5 more keys? And where can I find these keys?

akito
Offline
Joined: 05/10/2017

I do not know the 5 signatures but if it says "gpg: BAD signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key)" then the file: trisquel_8.0_amd64.iso that you downloaded may be corrupt or modified by an adversary since it does fail gpg verification.
You should also compute the MD5 sum.
To compute the MD5 sum of the Trisquel ISO:
$ md5sum ./trisquel_8.0_amd64.iso

To display the MD5 from the download page's MD5 checksum file:
$ cat trisquel_8.0_amd64.iso.md5

s1lv3r
Offline
Joined: 10/29/2017

I checked the md5sum:

md5sum trisquel_8.0_amd64.iso && cat trisquel_8.0_amd64.iso.md5
a7671224b081734f81d1de5e95b252e5 trisquel_8.0_amd64.iso
a7671224b081734f81d1de5e95b252e5 trisquel_8.0_amd64.iso

Maybe the download is corrupt, I'll try to download the ISO again.

s1lv3r
Offline
Joined: 10/29/2017

Again error:

gpg --verify trisquel_8.0_amd64.iso.asc trisquel_8.0_amd64\(1\).iso
gpg: Signature made lun 19 giu 2017 05:53:40 CEST
gpg: using DSA key B4EFB9F38D8AEBF1
gpg: BAD signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <name at domain>" [unknown]

s1lv3r
Offline
Joined: 10/29/2017

I downloaded Trisquel 7 too and the ISO is OK:

gpg --verify trisquel_7.0_amd64.iso.asc trisquel_7.0_amd64.iso
gpg: Signature made dom 02 nov 2014 19:31:46 CET
gpg: using DSA key B4EFB9F38D8AEBF1
gpg: Good signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <name at domain>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E6C2 7099 CA21 965B 734A EA31 B4EF B9F3 8D8A EBF1

sha256sum trisquel_7.0_amd64.iso && cat trisquel_7.0_amd64.iso.sha256
ec5be445f9f27b5cace42bc7c454e1a26bf414492da89873cc80dd906fdd073b trisquel_7.0_amd64.iso
ec5be445f9f27b5cace42bc7c454e1a26bf414492da89873cc80dd906fdd073b trisquel_7.0_amd64.iso

s1lv3r
Offline
Joined: 10/29/2017

I deleted all the files and downloaded everything again, but the problem persists:

gpg --verify trisquel_8.0_amd64.iso.asc trisquel_8.0_amd64.iso
gpg: Signature made lun 19 giu 2017 05:53:40 CEST
gpg: using DSA key B4EFB9F38D8AEBF1
gpg: BAD signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <name at domain>" [unknown]

s1lv3r
Offline
Joined: 10/29/2017

I downloaded the iso from here http://jenkins.trisquel.info/makeiso/iso/ and the .asc file here http://jenkins.trisquel.info/makeiso/iso/20170618/ because there is no .asc file in the first link.
I'm doing something bad?

jxself
Offline
Joined: 09/13/2010

"I'm doing something bad?"

Yes; they will never match.

The files at http://jenkins.trisquel.info/makeiso/iso/ have no GPG signature, so there is nothing for you to verify against.

Using the .asc from anything else will always fail 100% of the time because it's not for that file.
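
Added example, not part of the thread: a shell helper that reads gpg's machine-readable `--status-fd` lines instead of the localized messages, so a signature that does not belong to the file (the BADSIG case discussed above) is told apart from a valid signature made by an unexpected key. The pinned fingerprint is the one gpg printed in the Trisquel 7 output in this thread; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. PINNED_FPR is the primary key fingerprint shown in this
# thread's Trisquel 7 output; confirm it out-of-band before relying on it.
PINNED_FPR="E6C27099CA21965B734AEA31B4EFB9F38D8AEBF1"

# classify_status: read `gpg --status-fd` lines on stdin, print one verdict:
#   GOOD     valid signature made by the pinned primary key
#   BAD      signature does not match these bytes (wrong or altered file)
#   WRONGKEY valid signature, but not from the pinned key
#   NOKEY    signer's public key is missing from the keyring
#   UNKNOWN  no signature status line seen
classify_status() {
    verdict=UNKNOWN
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG) verdict=BAD ;;
            NO_PUBKEY)
                if [ "$verdict" = UNKNOWN ]; then verdict=NOKEY; fi ;;
            VALIDSIG)
                # The last VALIDSIG field is the primary key fingerprint.
                primary=${rest##* }
                if [ "$verdict" = BAD ]; then :
                elif [ "$primary" = "$PINNED_FPR" ]; then verdict=GOOD
                else verdict=WRONGKEY
                fi ;;
        esac
    done
    echo "$verdict"
}

# verify_iso SIGFILE ISO: usage, e.g.
#   verify_iso trisquel_7.0_amd64.iso.asc trisquel_7.0_amd64.iso
# gpg's exit code is ignored on purpose; the status lines carry the verdict.
verify_iso() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status
}

# Constructed status lines (timestamps and algorithm fields are made up).
sample_bad() {
    printf '%s\n' '[GNUPG:] NEWSIG' \
      '[GNUPG:] BADSIG B4EFB9F38D8AEBF1 Trisquel GNU/Linux <name at domain>'
}
sample_good() {
    printf '%s\n' '[GNUPG:] GOODSIG B4EFB9F38D8AEBF1 Trisquel GNU/Linux' \
      "[GNUPG:] VALIDSIG $PINNED_FPR 2014-11-02 1414953106 0 4 0 17 2 00 $PINNED_FPR"
}
```

A matching MD5 file from the same directory as the ISO only shows the download was not truncated or corrupted in transit; it gives a BAD verdict here no weight either way, because the checksum file is unsigned.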

s1lv3r
Offline
Joined: 10/29/2017

Yep, you are right, I'm retarded xD now I see my mistake

Magic Banana

Offline
Joined: 07/24/2010
s1lv3r
Offline
Joined: 10/29/2017

gpg --import trisquel-archive-signkey.gpg
gpg: key B4EFB9F38D8AEBF1: "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <name at domain>" not changed
gpg: key B138CA450C05112F: public key "Trisquel GNU/Linux <name at domain>" imported
gpg: Total number processed: 2
gpg: imported: 1
gpg: unchanged: 1

gpg --verify trisquel_8.0_amd64.iso.asc trisquel_8.0_amd64.iso
gpg: Signature made lun 19 giu 2017 05:53:40 CEST
gpg: using DSA key B4EFB9F38D8AEBF1
gpg: BAD signature from "Trisquel GNU/Linux (Trisquel GNU/Linux signing key) <name at domain>" [unknown]

Magic Banana

Offline
Joined: 07/24/2010

gnutastyc apparently has the correct process (at least it seems to work as well for vltr, two posts below): https://trisquel.info/fr/forum/testing-trisquel-8-upgrade-process#comment-124586