Debian Installation :: "Signing Keys" / Verify The File With MD-5, SHA-256?
Mar 31, 2011
Anyone attempting to install Debian Squeeze from CD-1, or Debian-live DVD will want to know how to verify the file with MD-5, SHA-256 and (available for some versions only) SHA-512 checksums of the iso images, using the appropriate signing key. But there are no instructions that I can find in the Debian CD FAQ, which simply points users at the archive keyring. Now according to this message, as of 9 Feb 2011 the Debian Squeeze archive signing key has fingerprint 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
The Debian signing key website gives the archive signing key as the master key, and (this addresses the problem I raised elsewhere) even makes it available via https. That sounds good! Just one problem: the detached signatures for files such as url which gives the SHA-256 sum for url have been signed with a different key, which has fingerprint DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
No wonder I am confused! And it seems that I may not be the only one; others seem to be confused also.
If no-one at the Debian mailing list can explain what is going on, I have little hope that anyone here will be able to clear this up, but I'll ask anyway: what are all the Debian related GPG keys and where do you find them all? is it true that there are different keys needed to verify CD iso images and debs? (And... what else?) where do you go to obtain all the latest Debian keys via https? (This is important as it can hinder MITM attacks by lone crackers, assorted crooks, maybe even state actors, etc.; the "Comodogate" story provides clear evidence that there are people or organizations interested in mounting MITM attacks on persons downloading open-source software). in particular, it is sometimes convenient to use a live-CD to download an iso image (for example, when you no longer trust the system you are trying to upgrade!) and then one wants to use GPG to check the file with the checksum, so one needs to quickly locate and import into the GPG keyring of the (temporary) live-CD session the correct key; so where can I find the CD-signing key available via https? shouldn't the CD FAQ explain all this?
Initially I had a problem installing restricted extras. However, it appears the problem is more than a media problem, so I moved my thread here. I copied over what I thought the relevant code was from my previous thread. Anyone have ideas on how I can fix this?
I need to renew my SSL cert for my Mahara site and I follow the instructions below. But after I finish answering all the questions for the csr, I'm supposed to copy a portion of the cert into a web form. However I can't seem to find the server.csr so I can do this. Where does this file go?
Here is a step-by-step description:
Make sure OpenSSL is installed and in your PATH.
Create a RSA private key for your Apache server (will be Triple-DES encrypted and PEM formatted):
$ openssl genrsa -des3 -out server.key 1024
Please back up this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:
$ openssl rsa -noout -text -in server.key
If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR by using:
In the kde realm, with the dolphin file browser, I can open a terminal in whatever folder is in the gui by using the shift and f4 keys. I'd like to be able to accomplish the same in gnome with the nautilus file browser but can't figure out how to do same. So far I have to open a terminal and then cd to the desired folder. Or do I have to use some other file browser and which one?
I know who belongs to the IP address that created the file. (Is there any way to verify what IP address created what file?) My concern is that it did not come from the address specified. I found this in /tmp/udp.pl.
I have been trying to figure out some way of installing Squeeze with some assurance that the new installation won't be pwned from Day One--- and so far I have had no success. Even worse, I have been having some strange problems using SSL in my existing Lenny installation which has been further hampering my efforts. And which may be consistent with the hypothesis that I am in fact being subjected to an on-going MITM attack when I try to install Squeeze over the net. This possibility has encouraged me to keep trying to take reasonable steps to ensure that key binaries in my forthcoming Squeeze have not been tampered with by the time I finish the initial installation. I am seeking steps that can be taken by an average user willing to follow directions written by an expert user.
I found a very interesting recent Debian Security mailing list thread which articulates some of the same concerns that I tried to express several weeks ago. The scenarios which concern Naja Melan and myself (and ???) should not simply be dismissed as too implausible to be worth trying to prevent. I think Melan's thread is rather prescient in view of "Comodogate":
http://arstechnica.com/security/news/20 ... estion.ars
https://www.eff.org/deeplinks/2011/03/i ... lent-https
http://www.wired.com/threatlevel/2011/0 ... ompromise/
http://www.theregister.co.uk/2011/03/23 ... forgeries/
http://blogs.comodo.com/it-security/dat ... ompromise/
http://www.techeye.net/security/firefox ... rtificates
One of the fake certs acquired by the bad guys would have enabled them to mount a MITM attack on anyone trying to install updates to Iceweasel/Firefox add-ons via addons.mozilla.org, which I think certainly suggests that the alleged state actor intended to tamper with at least some software.
(EDIT: important new developments in that story:
http://erratasec.blogspot.com/2011/03/c ... festo.html
http://www.thetechherald.com/article.ph ... y-attacker
http://www.theregister.co.uk/2011/03/28 ... aks_cover/
http://arstechnica.com/security/news/20 ... o-hack.ars
Briefly, an anon who claims to be Iranian and who claims to have acted alone, and who suggests that he has some connection with political dissidents inside Iran, has claimed to have been the Comodo affiliate cracker. At least one pentester finds the claim plausible. It would explain several aspects of the breach which did not appear consistent with Comodo's conclusion that the breach was sponsored by the Iranian government.)
I'm using Openbox, and I'm working on some scripts to automatically change several things at once (wallpaper, theme, idesk icons, wbar, etc), and I've started with a simple script for changing the wallpaper. I have three different scripts, each one connected to a different wallpaper. The scripts are in my /usr/bin file, so I just have to type the script name and it goes. Trouble is, I've tried assigning it to a keybinding in Openbox's rc.xml, and I can't seem to get them to work.
It's supposed to make it so I type ctrl+F10 to switch to a steampunk wallpaper I have. I can do the script from the command prompt, but I can't get the keybinding to work. Anybody know why? Will Openbox not allow for scripts to be in the rc.xml file?
I'm trying to install Ubuntu 10.10 on a computer that's already running Windows Vista. I used the Wubi installer and it seemed to go through the installation fine (using the desktop, amd64 iso file). After rebooting, I get the dual boot option. However, on Ubuntu start-up, I get a display with the message stating Verifying Installation Files. It seems to go through some verification, but then it gets stuck. I see a bunch of lines with the words "ubuntu ubiquity" with hexadecimal values and regular words. The last hexadecimal values to appear are: 7f2698c50d8e, 7f2698fca815; the last regular word is "_target".
If I quit out of the verification, I am able to get onto the desktop area, but a message appears stating a parted_server crash occurred. Also, my wireless connection doesn't work, but I suspect I need to install a driver.
I just downloaded the "Fedora-11-i686-Live-KDE.iso" and "Fedora-11-i686-Live.iso". I want to check if the downloaded files are correct or not. I can use a tool to get the md5 sum of the downloaded files. But I want to compare them with the original ones.
I want to verify that serial port libraries are installed in my system. I know that it is installed at /usr/local/lib. But I don't know what all files are to be present in there, so to ensure that the same is installed properly. I am using suse 11.1.
I tried to install f13 from live cd and failed. I have 2 questions. I do not understand how to setup partitions according to scottro's message. It says you need small ext3-formatted /boot partition and a ext4-formatted root partition. Does this configuration have to be setup before you boot into the live cd? If so, please tell me how to set this up. My pc is pentium d with 2 hard drives. The master hd has xp, ubuntu8.04, and swap partitions. I would like to use one-half of the slave drive for f13.
Second question. I would like to be able to verify download of fedora-13-i686.iso. I downloaded it to my xp partition and installed Windows MD5summer. Where or how do I get the md5 file for this iso file?
I have had to ditch ubuntu after 4 happy years as their 10.04 release was crazily resource hungry on my humble machine. Installed F13 smoothly and without any problems and so far it doesn't appear to be as resource hungry as ubuntu. One thing I have not been able to find in either gnome preferences or administration is where to set it to go straight to desktop without messing around with passwords and stuff.
Recently jumped from Ubuntu to Fedora 12 over the weekend, has been quite the bumpy ride. Though fun of course. But I'm having trouble coming to a solution for this problem, that started today. When signing into both Empathy or Pidgin (only with msn account) they both just hang on the white screen inactive... I say "inactive" the program hasn't frozen I just cannot be signed in. Also, in Pidgin at the bottom, next to where it shows your status, it has;
I am interested in signing up to the Amazon EC2 service with EBS. I have never used an unmanaged vps before, but I know how to use the command line etc. There are some basic packs on there to use, with basic LAMP stacks. But I would like to ask about how do I:
Upgrade a lamp stack? - someone mentioned yum, but what is this? how easy is it to use? is it enough?
Secure the lamp stack? - assuming I have no idea of linux security, can you give me a list or something of things I need to consider so I can begin the search (or just cover the steps would be awesome!)
My website just uses php and mysql, so that's all I'll need. If you have any other tips on this,
Running graphical software update, fc13. Attached are screenshots, which appear in sequence. The first seems to be asking if I trust the source, Adobe. (The Help for this window says I can go to the adobe website to confirm details of the signing key, which I will do if there is not a simpler fix.) If I respond in affirmative to the first window I get the failure window, second shot, with traceback.
Is there any way to protect a bash script with a digital signature, so that it can't be executed if it has been meddled with? Or, if this is not possible for bash scripts, is it possible for any other type of scripts (Python, Perl?) in Linux?
I have configured squid 2.5 stable 6. I can browse any website. I can even use msn messenger but I cannot use yahoo messenger. I have also set the http proxy settings in preference for yahoo messenger but still it does not sign in.
I don't know if this is a configuration issue or a hardware issue, but I have a Kinesis Advantage USB keyboard and for some reason the F3-F5 keys aren't responding as they used to. They don't respond to anything and, when I tried using F5 on Emacs, it said <XF86AudioNext> is undefined, so I guess it's a weird mapping problem.
Any idea how I could remap them to the original meaning?
I would like to encrypt and decrypt zip file using OpenSSL keys. I have generated the keys and can encrypt normal text files but if I try to encrypt the zip file, I get error: "Error reading input Data" Following is what I have done.
I'm running Debian (Squeeze) and I have a toshiba portege m700. It has five buttons on the front just under the screen, which are the only ones accessible when you flip the screen over into tablet mode. One of them is for rotating the screen, and another is for switching to external display. I want to remap the remaining three to control, alt and super so that I can use shortcuts with the stylus. The problem is, when I used showkey to find out the key codes, I found out that each button generates more than one key code:
Button 1:
key 126 press >> super_r, although this is distinct from the actual super key (125)
key 7 press >> 6
key 7 release
key 126 release
I've been trying to find out which jabber/XMPP clients out there automatically sign messages with openpgp you send but documentation on that has been spotty. Could you tell me a. if you know any clients that can easily sign and encrypt all outgoing messages and b. should I worry if a client is only able to sign presence and not messages?
I am trying to lock down a server using audit.rules. I intend to use ausearch to review certain entries from time to time. I noticed that it's possible to assign a "key" to each rule and then use `ausearch -k` to show only the records that have that key. Unfortunately, the key feature seems broken. I started with the following rule in audit.rules:
Code:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k deny
I do a `cat /etc/shadow` and a `ausearch -ts today -k deny` and it seems all went well.