Revision of Verify Trisquel Download from Tue, 03/21/2023 - 21:33
The revisions let you track differences between multiple versions of a post.
This wiki assumes we already have GPG and curl installed on our computer.
Otherwise, to install GPG and curl, open your Terminal and run:
sudo apt-get install curl gnupg
1. Verify GPG by local user
The Trisquel GPG key is installed at a system level, so you need to add it to the user that will verify the key.
First we need to make sure the GPG ID we will be using is the correct one as we'll be assigning absolute trust, Trisquel's images are signed with the main key B138CA450C05112F or at Aramo's release with F5DAAAF74AD4C938.
We can confirm it belongs to trisquel with:
$ apt-key finger B138CA450C05112F
pub rsa4096 2017-01-07 [SC]
6036 4C98 69F9 2450 421F 0C22 B138 CA45 0C05 112F
uid [unknow] Trisquel GNU/Linux
sub rsa4096 2017-01-07 [E]
$ apt-key finger F5DAAAF74AD4C938
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
pub rsa4096 2022-10-19 [SC]
D24D DAC9 226D 5BA5 E9F3 BED3 F5DA AAF7 4AD4 C938
uid [ unknown] Trisquel GNU/Linux Archive Automatic Signing Key (11/aramo) <name at domain>
Now that we are sure the GPG ID is the correct one, we add it to the local user gpg keys:
$ gpg --keyserver pgp.mit.edu --recv-keys B138CA450C05112F
For the Trisquel 11.0 Aramo's release ISOs;
curl -s https://cdimage.trisquel.info/trisquel-images/trisquel-archive-signkey.gpg| gpg --import
Now we apply absolute trust,
$ echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key B138CA450C05112F trust
$ echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key F5DAAAF74AD4C938 trust
2. Downloading files
Download in the same directory both files iso and key.
trisquel_10.0.1_amd64.iso
trisquel_10.0.1_amd64.iso.asc
trisquel_11.0_amd64.iso
trisquel_11.0_amd64.iso.asc
3. Confirm signatures
At this point we have the parent key (1st step), the iso file and the iso file key (2nd step), now opening a terminal in the directory where are the iso and key, we can check with:
$ gpg --verify trisquel_10.0.1_amd64.iso.asc
gpg: assuming signed data in 'trisquel_10.0.1_amd64.iso'
gpg: Signature made Thu 26 May 2022 14:14:24 CEST
gpg: using RSA key 60364C9869F92450421F0C22B138CA450C05112F
gpg: Good signature from "Trisquel GNU/Linux <name at domain>" [ultimate]
$ gpg --verify trisquel_11.0_amd64.iso.asc
gpg: assuming signed data in 'trisquel_11.0_amd64.iso'
gpg: Signature made Sun Mar 19 00:30:46 2023 UTC
gpg: using RSA key D24DDAC9226D5BA5E9F3BED3F5DAAAF74AD4C938
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "Trisquel GNU/Linux Archive Automatic Signing Key (11/aramo) <name at domain>" [ultimate]
4. Verify SHA256
We can get the .sha256 and .md5 files from the /Trisquel-images/ page:
1) Navigate to: http://cdimage.trisquel.info/trisquel-images/sha256sum.txt and take note of the string for your appropriate .iso
2) Run the following in a terminal: sha256sum trisquel_(editionhere).iso
3) The SHA256 hash should match the one on the document.
--
Legacy:
MD5 hash has been deprecated in favor of SHA256.
To verify the MD5:
1) Open the .md5 file and take note of the string of text you see.
2) Run the following in a terminal: md5sum trisquel_(editionhere).iso
3) The string should match.
Once we have completed the verification successfully we can proceed to creating a boot media.
---
An alternative method is to download the trisquel-archive-signkey.gpg file and run: gpg --import trisquel-archive-signkey.gpg
This will allow you to import the key without having to connect to a keyserver. Useful for Tor users.
Tip: If downloading from torrent via Transmission-GTK you may use "Verify Local Data" to correct any corrupt data from a download.