Debian Installation :: "Signing Keys" / Verify The File With MD-5, SHA-256?
Mar 31, 2011
Anyone attempting to install Debian Squeeze from CD-1, or Debian-live DVD will want to know how to verify the file with MD-5, SHA-256 and (available for some versions only) SHA-512 checksums of the iso images, using the appropriate signing key. But there are no instructions that I can find in the Debian CD FAQ, which simply points users at the archive keyring. Now according to this message, as of 9 Feb 2011 the Debian Squeeze archive signing key has fingerprint 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
The Debian signing key website gives the archive signing key as the master key, and (this addresses the problem I raised elsewhere) even makes it available via https. That sounds good! Just one problem: the detached signatures for files such as url which gives the SHA-256 sum for url have been signed with a different key, which has fingerprint DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
No wonder I am confused! And it seems that I may not be the only one; others seem to be confused also.
If no-one at the Debian mailing list can explain what is going on, I have little hope that anyone here will be able to clear this up, but I'll ask anyway: what are all the Debian related GPG keys and where do you find them all? is it true that there are different keys needed to verify CD iso images and debs? (And... what else?) where do you go to obtain all the latest Debian keys via https? (This is important as it can hinder MITM attacks by lone crackers, assorted crooks, maybe even state actors, etc.; the "Comodogate" story provides clear evidence that there are people or organizations interested in mounting MITM attacks on persons downloading open-source software). in particular, it is sometimes convenient to use a live-CD to download an iso image (for example, when you no longer trust the system you are trying to upgrade!) and then one wants to use GPG to check the file with the checksum, so one needs to quickly locate and import into the GPG keyring of the (temporary) live-CD session the correct key; so where can I find the CD-signing key available via https? shouldn't the CD FAQ explain all this?
Initially I had a problem installing restricted extras. However, it appears the problem is more than a media problem, so I moved my thread here. I copied over what I thought the relevant code was from my previous thread. Anyone have ideas on how I can fix this?
In the kde realm, with the dolphin file browser, I can open a terminal in whatever folder is in the gui by using the shift and f4 keys. I'd like to be able to accomplish the same in gnome with the nautilus file browser but can't figure out how to do same. So far I have to open a terminal and then cd to the desired folder. Or do I have to use some other file browser and which one?
I have been trying to figure out some way of installing Squeeze with some assurance that the new installation won't be pwned from Day One--- and so far I have had no success. Even worse, I have been having some strange problems using SSL in my existing Lenny installation which has been further hampering my efforts. And which may be consistent with the hypothesis that I am in fact being subjected to an on-going MITM attack when I try to install Squeeze over the net. This possibility has encouraged me to keep trying to take reasonable steps to ensure that key binaries in my forthcoming Squeeze have not been tampered with by the time I finish the initial installation. I am seeking steps that can be taken by an average user willing to follow directions written by an expert user.
I found a very interesting recent Debian Security mailing list thread which articulates some of the same concerns that I tried to express several weeks ago. The scenarios which concern Naja Melan and myself (and ???) should not simply be dismissed as too implausible to be worth trying to prevent. I think Melan's thread is rather prescient in view of "Comodogate":
http://arstechnica.com/security/news/20 ... estion.ars
https://www.eff.org/deeplinks/2011/03/i ... lent-https
http://www.wired.com/threatlevel/2011/0 ... ompromise/
http://www.theregister.co.uk/2011/03/23 ... forgeries/
http://blogs.comodo.com/it-security/dat ... ompromise/
http://www.techeye.net/security/firefox ... rtificates
One of the fake certs acquired by the bad guys would have enabled them to mount a MITM attack on anyone trying to install updates to Iceweasel/Firefox add-ons via addons.mozilla.org, which I think certainly suggests that the alleged state actor intended to tamper with at least some software.
(EDIT: important new developments in that story:
http://erratasec.blogspot.com/2011/03/c ... festo.html
http://www.thetechherald.com/article.ph ... y-attacker
http://www.theregister.co.uk/2011/03/28 ... aks_cover/
http://arstechnica.com/security/news/20 ... o-hack.ars
Briefly, an anon who claims to be Iranian and who claims to have acted alone, and who suggests that he has some connection with political dissidents inside Iran, has claimed to have been the Comodo affiliate cracker. At least one pentester finds the claim plausible. It would explain several aspects of the breach which did not appear consistent with Comodo's conclusion that the breach was sponsored by the Iranian government.)
I'm using Openbox, and I'm working on some scripts to automatically change several things at once (wallpaper, theme, idesk icons, wbar, etc), and I've started with a simple script for changing the wallpaper. I have three different scripts, each one connected to a different wallpaper. The scripts are in my /usr/bin file, so I just have to type the script name and it goes. Trouble is, I've tried assigning it to a keybinding in Openbox's rc.xml, and I can't seem to get them to work.
It's supposed to make it so I type ctrl+F10 to switch to a steampunk wallpaper I have. I can do the script from the command prompt, but I can't get the keybinding to work. Anybody know why? Will Openbox not allow for scripts to be in the rc.xml file?
I know the who belongs to the IP address that created the file. (is there any way to verify what IP address created what file?) My concern is that it did not come from the address specified. I found this in /tmp/udp.pl.
I'm looking for some way to verify if a user login (for a Debian system) is correct, without actually logging in. My optimal solution would take a candidate username and password as arguments, and (say) return 1 if the username and password are a valid login on the system, and return 0 if it is not. The language used is not really important. (maybe... comparing a hash of the password to the one stored in /etc/shadow? -- but I have no idea how these hashing algorithms work or how to implement them)
Is there an easy way to do this? Security isn't a *huuuuge* concern, as this will be used in a web app that is only available to our local LAN.
I'm trying to install Ubuntu 10.10 on a computer that's already running Windows Vista. I used the Wubi installer and it seemed to go through the installation fine (using the desktop, amd64 iso file). After rebooting, I get the dual boot option. However, on Ubuntu start-up, I get a display with the message stating Verifying Installation Files. It seems to go through some verification, but then it gets stuck. I see a bunch of lines with the words "ubuntu ubiquity" with hexadecimal values and regular words. The last hexadecimal values to appear are: 7f2698c50d8e, 7f2698fca815; the last regular word is "_target".
If I quit out of the verification, I am able to get onto the desktop area, but a message appears stating a parted_server crash occurred. Also, my wireless connection doesn't work, but I suspect I need to install a driver.
I want to verify that serial port libraries are installed in my system. I know that it is installed at /usr/local/lib. But I don't know what all files are to be present in there, so to ensure that the same is installed properly. I am using suse 11.1.
I just downloaded the "Fedora-11-i686-Live-KDE.iso" and "Fedora-11-i686-Live.iso". I want to check if the downloaded files are correct or not. I can use a tool to get the md5 sum of the downloaded files. But I want to compare them with the original ones.
I tried to install f13 from live cd and failed. I have 2 questions. I do not understand how to setup partitions according to scottro's message. It says you need small ext3-formatted /boot partition and a ext4-formatted root partition. Does this configuration have to be setup before you boot into the live cd? If so, please tell me how to set this up. My pc is pentium d with 2 hard drives. The master hd has xp, ubuntu8.04, and swap partitions. I would like to use one-half of the slave drive for f13.
Second question. I would like to be able to verify download of fedora-13-i686.iso. I downloaded it to my xp partition and installed Windows MD5summer. Where or how do I get the md5 file for this iso file?
I have had to ditch ubuntu after 4 happy years as their 10.04 release was crazily resource hungry on my humble machine. Installed F13 smoothly and without any problems and so far it doesn't appear to be as resource hungry as ubuntu. One thing I have not been able to find in either gnome preferences or administration is where to set it to go straight to desktop without messing around with passwords and stuff.
Recently jumped from Ubuntu to Fedora 12 over the weekend, has been quite the bumpy ride. Though fun of course. But I'm having trouble coming to a solution for this problem, that started today. When signing into both Empathy or Pidgin (only with msn account) they both just hang on the white screen inactive... I say "inactive" the program hasn't frozen I just cannot be signed in. Also, in Pidgin at the bottom, next to where it shows your status, it has;
I am interested in signing up to the Amazon EC2 service with EBS. I have never used an unmanaged vps before, but I know how to use the command line etc. There are some basic packs on there to use, with basic LAMP stacks. But I would like to ask about how do I:
Upgrade a lamp stack? - someone mentioned yum, but what is this? how easy is it to use? is it enough? secure the lamp stack? - assuming I have no idea of linux security, can you give me a list or something of things I need to consider so I can begin the search (or just cover the steps would be awesome!) My website just uses php and mysql, so that's all I'll need. If you have any other tips on this,
Is there any way to protect a bash script with a digital signature, so that it can't be executed if it has been meddled with? Or, if this is not possible for bash scripts, is it possible for any other type of scripts (Python, Perl?) in Linux?
Running graphical software update, fc13. Attached are screenshots, which appear in sequence. The first seems to be asking if I trust the source, Adobe. (The Help for this window says I can go to the adobe website to confirm details of the signing key, which I will do if there is not a simpler fix.) If I respond in affirmative to the first window I get the failure window, second shot, with traceback.
I have configured squid 2.5 stable 6. I can browse any website. I can even use msn messenger but I cannot use yahoo messenger. I have also set the http proxy settings in preference for yahoo messenger but still it does not sign in.
I don't know if this is a configuration issue or a hardware issue, but I have a Kinesis Advantage USB keyboard and for some reason the F3-F5 keys aren't responding as they used to. They don't respond to anything and, when I tried using F5 on Emacs, it said <XF86AudioNext> is undefined, so I guess it's a weird mapping problem.
Any idea how I could remap them to the original meaning?
I have two computers running Debian Squeeze. I'm trying to set up the public keys for them so that I don't need to use passwords to log in. As far as I know, I did the same thing for both, however only one is working. Here is the connection output for each.
Broken:
Code:
OpenSSH_5.1p1 Debian-5+b1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
This is not a programming question and this is why I am asking it here. I tested the program "dc" for cursor keys behaviour keys and the system responded by printing strange "^[[A" to the screen instead of doing what cursor keys should do. I am thinking that I have some package missing that is making interactive CLI programs misprint characters to the screen. Does anyone know what I need to install, because I must assume programs in Stable must behave properly.