• How to verify antergos signature


    Sorry for this very basic question. I have downloaded latest version of antergos …
    Name: antergos-2016.11.20-x86_64.iso
    Size: 1.7G
    MD5 Sum: c1d91bf2b9ba24463ea31000ee0ed20f
    Signature: antergos-2016.11.20-x86_64.iso.sig
    I checked the md5 and it’s ok, but how do I verify the signature? Do I need to download the public key from antergos? Not sure how to do this, any help would be appreciated.

  • If there are any hash sums available - MD5, SHA1, SHA256, SHA384, SHA512 - then verifying the downloaded file with one of them is all that is necessary and sufficient. There’s no need to verify the download with the signature.

    There’s nothing easier than

    md5sum antergos-2016.11.20-x86_64.iso
    

    Signature verification is far more complicated.


    1. The basic syntax is:
    gpg --verify anyfile.ext.sig anyfile.ext
    

    For Antergos it looks like:

    gpg --verify antergos-2016.11.20-x86_64.iso.sig antergos-2016.11.20-x86_64.iso
    

    But it will fail on first run, because public key is missing:

    $ gpg --verify antergos-2016.11.20-x86_64.iso.sig antergos-2016.11.20-x86_64.iso
    gpg: directory '/home/just/.gnupg' created
    gpg: new configuration file '/home/just/.gnupg/dirmngr.conf' created
    gpg: new configuration file '/home/just/.gnupg/gpg.conf' created
    gpg: keybox '/home/just/.gnupg/pubring.kbx' created
    gpg: Signature made Sun 20 Nov 2016 20:13:53 MSK
    gpg:                using RSA key CDBD406AA1AA7A1D
    gpg: Can't check signature: No public key
    $
    

    It fails because

    gpg: Can't check signature: No public key
    

    2. So first we need to find a public key ID:

    The basic syntax is:

    gpg anyfile.ext.sig
    

    For Antergos it looks like:

    $ gpg antergos-2016.11.20-x86_64.iso.sig
    gpg: assuming signed data in 'antergos-2016.11.20-x86_64.iso'
    gpg: Signature made Sun 20 Nov 2016 20:13:53 MSK
    gpg:                using RSA key CDBD406AA1AA7A1D
    gpg: Can't check signature: No public key
    $
    

    The key ID is CDBD406AA1AA7A1D.


    3. Import the public key

    The basic syntax is:

    gpg --recv-key keyID
    

    For Antergos it looks like:

    $ gpg --recv-key CDBD406AA1AA7A1D
    gpg: /home/just/.gnupg/trustdb.gpg: trustdb created
    gpg: key CDBD406AA1AA7A1D: public key "Antergos Build Server (Automated Package Build System) <[email protected]>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg:               imported: 1
    $
    

    The public key for “Antergos Build Serve…” was imported.


    4. Verifying a file with a signature

    We’re back at p.1.

    The basic syntax is:

    gpg --verify anyfile.ext.sig anyfile.ext
    

    If the second argument (the filename, anyfile.ext) is omitted, gpg assumes it’s the same as the signature’s filename without the .sig qualifier:

    gpg --verify anyfile.ext.sig
    

    For Antergos it looks like:

    $ gpg --verify antergos-2016.11.20-x86_64.iso.sig
    gpg: assuming signed data in 'antergos-2016.11.20-x86_64.iso'
    gpg: Signature made Sun 20 Nov 2016 20:13:53 MSK
    gpg:                using RSA key CDBD406AA1AA7A1D
    gpg: Good signature from "Antergos Build Server (Automated Package Build System) <[email protected]>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 24B4 4561 4FAC 0718 91ED  CE49 CDBD 406A A1AA 7A1D
    $
    

    What counts here is:

    gpg: assuming signed data in 'antergos-2016.11.20-x86_64.iso'
    

    gpg will check the downloaded ISO file.

    And for this ISO file:

    gpg: Good signature from "Antergos Build Server (Automated Package Build System) <[email protected]>"
    

    The downloaded file is correct, and we have a good signature for it.

    Regards
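
In the output above, "Good signature" means the file matches the imported key, while the WARNING line means gpg has no evidence of who owns that key. The script below is an added example, not part of the original posts: it parses gpg's machine-readable `--status-fd` output and accepts the ISO only when the signature is valid and its fingerprint equals a pinned one. The function names and `EXPECTED_FPR` are hypothetical, and the pinned value is the fingerprint printed in the thread, which is assumed to have been confirmed through a trusted channel.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint rather than relying on
# "Good signature" alone.

# Fingerprint as printed in the thread's gpg output. Confirm it against a
# source you trust (not the download mirror) before relying on it.
EXPECTED_FPR="24B4 4561 4FAC 0718 91ED  CE49 CDBD 406A A1AA 7A1D"

# Normalise a fingerprint: strip whitespace, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# carries the expected fingerprint.
status_matches_fpr() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 3 is the key that made the signature (possibly a subkey);
            # the last field is the primary key fingerprint.
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_iso (hypothetical helper): signature must be valid AND made by the pinned key.
verify_iso() {
    sig=$1
    iso=$2
    # Machine-readable status goes to stdout; gpg exits non-zero when the
    # signature is bad or the public key is missing.
    status=$(gpg --status-fd 1 --verify "$sig" "$iso" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_matches_fpr "$EXPECTED_FPR"
}

# Usage: sh verify-iso.sh antergos-2016.11.20-x86_64.iso.sig antergos-2016.11.20-x86_64.iso
if [ "$#" -eq 2 ]; then
    if verify_iso "$1" "$2"; then
        echo "OK: valid signature from the pinned key"
    else
        echo "FAIL: signature invalid or made by a different key" >&2
        exit 1
    fi
fi
```
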

  • Thanks Just for your very helpful reply. I did check the md5 and it was correct but wondered about the .sig file.

    I will follow your instructions for the signature as it will help me to gain more knowledge of linux.

  • I have followed your instructions and everything looks correct …

    Verify Signature:

    [email protected] ~/Downloads $ gpg --verify antergos-2016.11.20-x86_64.iso.sig antergos-2016.11.20-x86_64.iso
    gpg: Signature made Sun 20 Nov 2016 17:13:53 GMT using RSA key ID A1AA7A1D
    gpg: Can't check signature: public key not found
    [email protected] ~/Downloads $
    

    Find public key ID:

    [email protected] ~/Downloads $ gpg antergos-2016.11.20-x86_64.iso.sig
    gpg: assuming signed data in `antergos-2016.11.20-x86_64.iso'
    gpg: Signature made Sun 20 Nov 2016 17:13:53 GMT using RSA key ID A1AA7A1D
    gpg: Can't check signature: public key not found
    [email protected] ~/Downloads $
    

    Import public key:

    [email protected] ~/Downloads $ gpg --recv-key A1AA7A1D
    gpg: requesting key A1AA7A1D from hkp server keys.gnupg.net
    gpg: key A1AA7A1D: public key "Antergos Build Server (Automated Package Build System) <[email protected]>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    [email protected] ~/Downloads $
    

    Verifying file with a signature:

    [email protected] ~/Downloads $ gpg --verify antergos-2016.11.20-x86_64.iso.sig antergos-2016.11.20-x86_64.iso
    gpg: Signature made Sun 20 Nov 2016 17:13:53 GMT using RSA key ID A1AA7A1D
    gpg: Good signature from "Antergos Build Server (Automated Package Build System) <[email protected]>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 24B4 4561 4FAC 0718 91ED  CE49 CDBD 406A A1AA 7A1D
    [email protected] ~/Downloads $
    

    Looks like I have a good signature. Your instructions worked perfectly, many thanks for your quick response, much appreciated.

    I have never used a distro based on Arch before, always been afraid to stray from the *buntu distros that I have been learning up till now. But hopefully I will pick up some new skill after I install.

    Quick question: does antergos have the same grub as *buntu distros, and is it ok to dual boot like other operating systems?

  • @hughparker1 said in How to verify antergos signature:


    Looks like I have a good signature…

    Don’t waste your time and efforts with signature verification. Checking with hash sums is more than reliable, much faster and easier.

    I have never used a distro based on Arch before, always been afraid to stray from the *buntu distros that I have been learning up till now…

    *buntu is like Windowz - doesn’t teach anything.

    Quick question, does antergos have same grub as *buntu distro,

    Yes, it does. Grub is distro-independent. It is the same for all distros. Though the commands to manage it vary from distro to distro.

    is it ok to dual boot like other operating systems?

    Yes, it is. On my computers Grub boots from 8 to 13 independent Linuxes.

  • @just said in How to verify antergos signature:

    @hughparker1 said in How to verify antergos signature:
    is it ok to dual boot like other operating systems?

    Yes, it is. On my computers Grub boots from 8 to 13 independent Linuxes.

    Thanks again for feedback. The grub commands I currently use in Linux Mint are …

    $ sudo nano /etc/grub.d/40_custom
    

    where I manually add a partition for OpenELEC which I use for streaming media and TV Shows…

    menuentry "OpenELEC.tv" {
       set root=(hd0,14)
       linux /KERNEL boot=/dev/sda14 disk=/dev/sda13 quiet
    }
    

    then I run…

    $ sudo update-grub
    

    and sometimes I use…

    $ sudo grub-install /dev/sda
    

    … if I want to put a different Linux OS in charge of the GRUB MENU

    Are these commands any different in antergos?

  • @hughparker1 Grub 2 configuration files are basically identical for all distros.

    The commands to install and update Grub 2 in Arch are different from those in Debian.

    I don’t use Grub 2 (I hate this bloated thingie), so don’t want to speak about it. If you need more help with it, please open a new topic. Otherwise we’re going too off-topic here.

    Cheers

  • OK, will do. Thanks again for your help with the signature.
