A client is getting ready for NIAP certification. Part of this is verifying an ISO signature.
The steps are:
- Download SHA256SUMS and SHA256SUMS.gpg
- Get the key used for the signature
- Verify the signature
- Check the ISO with sha256sum
Download the sums and signature (SHA256SUMS and SHA256SUMS.gpg) from a mirror and save them in a suitable working directory.
Find out what key was used to issue the signature:
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
Output:
gpg: Signature made Mon 09 Dec 2019 03:54:15 PM EST
gpg:                using RSA key 1A5D6C4C7DB87C81
gpg: Good signature from "UEC Image Automatic Signing Key email@example.com" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D2EB 4462 6FDD C30B 513D 5BB7 1A5D 6C4C 7DB8 7C81
Obtain the public key from the key server:
gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 1A5D6C4C7DB87C81
gpg: key 1A5D6C4C7DB87C81: 2 signatures not checked due to missing keys
gpg: key 1A5D6C4C7DB87C81: "UEC Image Automatic Signing Key firstname.lastname@example.org" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
Verify the key fingerprint, comparing it with the fingerprint the distribution publishes through a trusted channel (the key server only delivers the key; it does not vouch for who owns it):
gpg --keyid-format long --list-keys --with-fingerprint 1A5D6C4C7DB87C81
pub   rsa4096/1A5D6C4C7DB87C81 2009-09-15 [SC]
      Key fingerprint = D2EB 4462 6FDD C30B 513D 5BB7 1A5D 6C4C 7DB8 7C81
uid                 [ unknown] UEC Image Automatic Signing Key email@example.com
With the key imported, verify the signature:
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
Check the ISO, pulling its line out of the sums file with grep so the whole file does not have to be checked:
sha256sum -c <(grep <iso filename> SHA256SUMS)
<iso filename>: OK
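The procedure above can be scripted so that the checks happen in one run and the script fails closed. The example below is added here and is not the post's own script. It assumes sh, awk, gpg and sha256sum in PATH, SHA256SUMS and SHA256SUMS.gpg in the working directory, and EXPECTED_FPR holding the fingerprint obtained from the distribution through a channel other than the key server (the value used here is the one printed in the gpg output above). Two details it adds to the manual steps: the signing key's fingerprint is read from gpg's machine-readable status output (a signature that checks out against an untrusted key still reports "Good signature", so the fingerprint comparison is what ties the signature to the publisher), and the SHA256SUMS line is selected by an exact filename match rather than a regex grep, so a name such as demo.iso does not also pick up demo.iso.zsync. The sample sums and key-listing data at the bottom are constructed for the parsing helpers and are not real release data.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumes: sh, awk, gpg and
# sha256sum in PATH; SHA256SUMS and SHA256SUMS.gpg in the working directory;
# EXPECTED_FPR holding the fingerprint published by the distribution through a
# channel other than the key server (here the value printed in the post above).
EXPECTED_FPR="D2EB 4462 6FDD C30B 513D 5BB7 1A5D 6C4C 7DB8 7C81"

# Canonical form of a fingerprint: no spaces, upper-case hex, so the spaced
# form gpg prints compares equal to the compact form on a vendor web page.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Exact comparison of two fingerprints. A long key ID alone is not enough,
# since a 64-bit ID can be made to collide with another key's ID.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Primary-key fingerprint from machine-readable key listing output
# (gpg --with-colons --with-fingerprint --list-keys KEYID): the first "fpr"
# record after "pub" carries the primary key's fingerprint in field 10.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { seen = 1 } $1 == "fpr" && seen { print $10; exit }'
}

# The SHA256SUMS line for exactly one file. sha256sum lines look like
# "<hash>  <name>" or "<hash> *<name>"; the name field is matched exactly, so
# "demo.iso" does not also select "demo.iso.zsync" as a regex grep would.
sums_line_for() {
    awk -v f="$1" '{ n = $2; sub(/^\*/, "", n); if (n == f) print }'
}

# Full check for one ISO. Returns 0 only if the signature is good, the signing
# key's fingerprint is the expected one, and the ISO's hash matches.
verify_iso() {
    iso="$1"
    # --status-fd gives parseable status lines. A signature that verifies
    # against an untrusted key still yields VALIDSIG (followed by
    # TRUST_UNDEFINED), so "Good signature" alone says nothing about who signed.
    status=$(gpg --status-fd 1 --verify SHA256SUMS.gpg SHA256SUMS 2>/dev/null) || {
        echo "FAIL: signature on SHA256SUMS did not verify"; return 1; }
    # The last field of the VALIDSIG line is the primary key fingerprint.
    sig_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $NF; exit }')
    fpr_matches "$sig_fpr" "$EXPECTED_FPR" || {
        echo "FAIL: signed by ${sig_fpr:-<no key>}, expected $EXPECTED_FPR"; return 1; }
    line=$(sums_line_for "$iso" < SHA256SUMS)
    [ -n "$line" ] || { echo "FAIL: $iso is not listed in SHA256SUMS"; return 1; }
    printf '%s\n' "$line" | sha256sum -c --strict - || {
        echo "FAIL: hash mismatch for $iso"; return 1; }
    echo "OK: $iso is covered by a signature from $EXPECTED_FPR and its hash matches"
}

# Constructed sample data for the parsing helpers (not real release data).
SAMPLE_SUMS='0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef *demo-20.04.iso
fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 *demo-20.04.iso.zsync'
SAMPLE_COLONS='pub:-:4096:1:1A5D6C4C7DB87C81:1253052170:::-:::scESC::::::23::0:
fpr:::::::::D2EB44626FDDC30B513D5BB71A5D6C4C7DB87C81:
uid:-::::1253052170::0000000000000000000000000000000000000000::Example Signing Key <demo@example.invalid>::::::::::0:'

# Run the real check only when an ISO name is given on the command line.
if [ -n "${1:-}" ]; then
    verify_iso "$1"
fi
```

Usage: `sh verify-iso.sh ubuntu-20.04-live-server-amd64.iso` (hypothetical filename) in the directory holding the ISO and the two downloaded files. The script exits non-zero at the first failing check, which is what makes it usable as evidence in a certification workflow: a zero exit means the signature, the signer's identity and the image hash were all checked, not merely that gpg printed "Good signature".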
2 thoughts on “Code signing.”
Awesome post! Keep up the great work! 🙂
Great content! Super high-quality! Keep it up! 🙂