Revision of Verify Trisquel Download from Fri, 10/07/2022 - 13:29
The revisions let you track differences between multiple versions of a post.
This wiki assumes we already have GPG installed on our computer.
Otherwise, to install GPG, open your Terminal and run:
sudo apt-get install gnupg
1. Trusting by local user
The Trisquel GPG key is installed at a system level, so you need to add it to the user that will verify the key.
First we need to make sure the GPG ID we will be using is the correct one as we'll be assigning absolute trust, Trisquel's images are signed with the main key B138CA450C05112F.
We can confirm it belongs to trisquel with:
$ apt-key finger B138CA450C05112F
pub rsa4096 2017-01-07 [SC]
6036 4C98 69F9 2450 421F 0C22 B138 CA45 0C05 112F
uid [unknow] Trisquel GNU/Linux
sub rsa4096 2017-01-07 [E]
Now that we are sure the GPG ID is the correct one, we add it to the local user gpg keys:
$ gpg --keyserver pgp.mit.edu --recv-keys B138CA450C05112F
Now we apply absolute trust,
$ echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key B138CA450C05112F trust
2. Downloading files
Download in the same directory both files iso and key.
trisquel_10.0.1_amd64.iso
trisquel_10.0.1_amd64.iso.asc
3. Confirm signatures
At this point we have the parent key (1st step), the iso file and the iso file key (2nd step), now opening a terminal in the directory where are the iso and key, we can check with:
$ gpg --verify trisquel_10.0.1_amd64.iso.asc
gpg: assuming signed data in 'trisquel_10.0.1_amd64.iso'
gpg: Signature made Thu 26 May 2022 14:14:24 CEST
gpg: using RSA key 60364C9869F92450421F0C22B138CA450C05112F
gpg: Good signature from "Trisquel GNU/Linux <name at domain>" [ultimate]
4. Verify SHA256
We can get the .sha256 and .md5 files from the /Trisquel-images/ page:
1) Navigate to: http://cdimage.trisquel.info/trisquel-images/sha256sum.txt and take note of the string for your appropriate .iso
2) Run the following in a terminal: sha256sum trisquel_(editionhere).iso
3) The SHA256 hash should match the one on the document.
--
Legacy:
MD5 hash has been deprecated in favor of SHA256.
To verify the MD5:
1) Open the .md5 file and take note of the string of text you see.
2) Run the following in a terminal: md5sum trisquel_(editionhere).iso
3) The string should match.
Once we have completed the verification successfully we can proceed to creating a boot media.
---
An alternative method is to download the trisquel-archive-signkey.gpg file and run: gpg --import trisquel-archive-signkey.gpg
This will allow you to import the key without having to connect to a keyserver. Useful for Tor users.
Tip: If downloading from torrent via Transmission-GTK you may use "Verify Local Data" to correct any corrupt data from a download.
