• "key not certified with a trusted signature"


    Hello there. I’ve been wanting to spread my wings a little and try some new linux distros. I started with Ubuntu and then Mint Cinnamon/MATE about a year ago, so I’m a level 3 out of 22,000 linux user. It took me like 30 minutes to register for these forums because Noscript was not having any of it. I’m much better at Noscript tweaking than linux! This site has a lot of js saturation. Oof, I’ll live… So, do I click “Ask a Question” to post something? Or compose? Or New Topic. This doesn’t have to be so pretty, it’s a forum, my friends.

    I am just wondering if the following iso verification is normal, I’ve not seen this message with other isos I’ve verified:

    [code]~/Downloads $ md5sum antergos-17.9-x86_64.iso
    8bedb5ae398c1d768b7414402532960f antergos-17.9-x86_64.iso
    // matches site’s md5

    ~/Downloads $ gpg --verify antergos-17.9-x86_64.iso.sig antergos-17.9-x86_64.iso
    gpg: Signature made Tue 05 Sep 2017 12:14:56 AM PDT using RSA key ID A1AA7A1D
    gpg: Can’t check signature: public key not found

    ~/.gnupg $ gpg --keyserver pgp.mit.edu --recv-keys A1AA7A1D
    gpg: requesting key A1AA7A1D from hkp server pgp.mit.edu
    gpg: key A1AA7A1D: public key “Antergos Build Server (Automated Package Build System) [email protected]” imported
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: next trustdb check due at 2019-03-11
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)

    gpg --verify antergos-17.9-x86_64.iso.sig antergos-17.9-x86_64.iso
    gpg: Signature made Tue 05 Sep 2017 12:14:56 AM PDT using RSA key ID A1AA7A1D
    gpg: Good signature from "Antergos Build Server (Automated Package Build System) [email protected]"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 24B4 4561 4FAC 0718 91ED CE49 CDBD 406A A1AA 7A1D
    [/code]
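Added example (not part of the original post, and not Antergos or GnuPG code): a small shell function that reads `gpg --status-fd` lines and separates the three cases this thread turns on: a bad signature, a good signature from an unexpected key, and a good signature from the expected key that is merely uncertified in the local trustdb. The function names and the sample status lines are constructed for illustration; the fingerprint is the one printed in the post above.

```shell
#!/bin/sh
# Real use (not run here):
#   gpg --status-fd 1 --verify antergos-17.9-x86_64.iso.sig antergos-17.9-x86_64.iso 2>/dev/null \
#     | classify_verify "$PINNED_FPR"

# Fingerprint from the post, spaces removed. Pin it only after confirming it
# through a channel independent of the download mirror and the keyserver.
PINNED_FPR=24B445614FAC071891EDCE49CDBD406AA1AA7A1D

# Hypothetical helper: reads status lines on stdin, $1 is the pinned fingerprint.
classify_verify() {
    pinned=$1 good=0 bad=0 fpr= trust=
    while read -r tag kw a1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            GOODSIG)  good=1 ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
            # Last VALIDSIG field is the primary key fingerprint; if an old
            # gpg omits it, the comparison below fails closed.
            VALIDSIG) fpr=${rest##* } ;;
            TRUST_*)  trust=$kw ;;
        esac
    done
    if [ "$bad" = 1 ] || [ "$good" != 1 ]; then
        echo "FAIL: no good signature over this file"; return 1
    elif [ "$fpr" != "$pinned" ]; then
        echo "FAIL: good signature, but not from the pinned key"; return 1
    elif [ "$trust" = TRUST_NEVER ]; then
        echo "FAIL: key is marked never-trust locally"; return 1
    elif [ "$trust" = TRUST_FULLY ] || [ "$trust" = TRUST_ULTIMATE ]; then
        echo "OK: good signature from pinned key (key valid in local trustdb)"
    else
        # This is the case behind the "not certified" warning.
        echo "OK: good signature from pinned key (key uncertified in local trustdb)"
    fi
}

# Constructed status lines modelled on the gpg output in the post.
sample_status() {
cat <<'EOF'
[GNUPG:] GOODSIG CDBD406AA1AA7A1D Antergos Build Server (Automated Package Build System)
[GNUPG:] VALIDSIG 24B445614FAC071891EDCE49CDBD406AA1AA7A1D 2017-09-05 1504595696 0 4 0 1 8 00 24B445614FAC071891EDCE49CDBD406AA1AA7A1D
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

sample_status | classify_verify "$PINNED_FPR"
```
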

  • This probably doesn’t answer your question but since no one had said anything.

    Usually just check the sha512 checksum and if this lines up trust an ISO. Am making an assumption that the message above saying the key is not signed by a trusted signature is a similar situation to an SSL certificate not being signed by a so called trusted authority.

  • @banterghost said in "key not certified with a trusted signature":

    gpg --verify antergos-17.9-x86_64.iso.sig antergos-17.9-x86_64.iso

    I have never tested gpg…
    I simply use md5sum iso_name and compare with the site’s hash.

    Antergos (default OS) - WIN10 (abandoned)
    I3wm - Mate desktop
    AMD - A4 7300 Radeon graphics
    16 GB ram
    HD 1 TB
    Linux newbie since 06/2016

  • @schnappi said in "key not certified with a trusted signature":

    This probably doesn’t answer your question but since no one had said anything.

    Usually just check the sha512 checksum and if this lines up trust an ISO. Am making an assumption that the message above saying the key is not signed by a trusted signature is a similar situation to an SSL certificate not being signed by a so called trusted authority.

    Thank you both and sorry for the late-ish reply. It is widely recommended to use SHA512 over md5 (or with) to verify, as md5 is said to be very insecure by comparison. I didn’t even think to sha*sum check the ISO, so used to following rules on installation sites. I didn’t think this was an option with the sig file provided, I now know the sig is the equivalent of the gpg file found on https://linuxmint.com/verify.php. Linux Mint comes with a sha512.txt and a gpg file. Antergos has a .sig file to verify the authenticity of the signature. What I see here is a failure to authenticate in 2 of 3 tests. The md5 matches fine.

    When I signed on to Ubuntu Gnome, my first linux experience ever, it was right around the mass public exposure of “Dirty Cow”, the script kiddies were in full gear, my neighbor was doing aircrack ng or wireshark meddling on my garbage ISP “gateway” router which had a zero-day backdoor announced on the same month that I installed linux (pretty sure, almost entirely sure this guy was doing weird stuff on the local wifi), and my Ubuntu forum account was hacked, its password changed, and much worse. It was generally a very unpleasant experience.

    So, I’m just going to conclude that somehow I downloaded a compromised or invalid build of this OS. By the looks of this, I do not have a valid download. Is this a correct appraisal?

    @villa ~/Downloads $ sha512sum antergos-17.9-x86_64.iso.sig
    
    1042699b2c42692880eaa0e0c3e4e5d89267639dc792e75dbed829ef3424a8d3d7b714b41e5186b4ee164bb922106a8d38b279bf629adf76e329d9a8dd508852  antergos-17.9-x86_64.iso.sig
    
    @villa ~/Downloads $ sha512sum -b antergos-17.9-x86_64.iso
    
    6970c8353b4f49b25d6e7ef4270e3f05b7d81724cd74b2f4ef4186f6174689f97d20ab134178bc39d70f37b707463d2bfe727de777e8bd6d2e76eda223dd013d *antergos-17.9-x86_64.iso
    
  • @banterghost
    Antergos uses md5 not sha512
    so md5sum antergos-17.9-x86_64.iso
    About still using md5 was explained already in an old post (don’t remember where), perhaps @lots-0-logs could give the link for you to check…


  • @fernandomaroto said in "key not certified with a trusted signature":

    @banterghost
    Antergos uses md5 not sha512
    so md5sum antergos-17.9-x86_64.iso
    About still using md5 was explained already in an old post (don’t remember where), perhaps @lots-0-logs could give the link for you to check…

    Thank you for your reply. For now I’ll keep this guy on ice until I feel better/more secure about stuff. I’m going to install openSUSE for the first time as a new exploratory distro, maybe I will run Antergos off VB just to check it out. Thank you for all of your help.

  • antergos-17.9-x86_64.iso file will have a different checksum than antergos-17.9-x86_64.iso.sig since they are different files.

    Here is the md5 checksum of antergos-minimal-17.9-x86_64.iso
    4aabd30b9e0676f50e9d78f5aac1805f

    Here is the sha512 checksum of antergos-minimal-17.9-x86_64.iso
    12fdac2fd8c6e5cc79073e47e97a3ba22d6e9cb449dad15bc5cb2e02c501b9e4947150f3b0bad5bfb17d53202e0ef60d6d683642db191ade1e80c200a366d996

    This is the minimal iso checksum so it’s different than what you downloaded but if you download the minimal iso and it matches with the above it’s okay.

    Tried OpenSuse and love the logo, mascot, theme, and colors more than any other Linux distribution but a few issues. First it uses KDE by default which isn’t that big of a deal. Biggest deal is that it forces a root account to be used by default instead of using sudo for main user and the main user after install is not added to sudo group.

  • @schnappi I’ll download the other iso as well, thanks for posting the sha512sum. One thing that is perhaps confusing to newer users like myself is that the file sizes indicated by the site differ greatly from what I downloaded. I have a 1.94gb file called antergos-17.9-x86_64.iso.

    The site download page says it is 1.7gb, but when I tried to download it again, it was a 1.8gb file. I understand the rolling releases must fluctuate in size, but it’s enough to make one want to confirm the validity of a download. Perhaps I have not been exposed to Linux long enough to take these things in stride, I’m a bit overly cautious perhaps.

    My first DL of full release
    1944256512 Sep 9 01:15 antergos-17.9-x86_64.iso

    What antergos says:
    File Details
    Name: antergos-17.9-x86_64.iso
    Size: 1.7G
    MD5 Sum: 8bedb5ae398c1d768b7414402532960f
    Signature: antergos-17.9-x86_64.iso.sig


    Also, and I mean this as no disrespect to the hard work of the graphic designers or the look of the site, which is very nice, but would it be possible or is there available a version of the forum with less javascript layers and megasuper forum blasting? The auth/Cloudflare stuff I get is necessary, but I tend to enjoy a minimal amount of javascript bonking when it comes to security, and have had difficulties getting on here without enabling and tweaking stuff I would rather not. Maybe I am too simple a man for the big city of Antergos. :owl: there’s a lot of emoji though, that is neat.
