Debian Installation :: "Signing Keys" / Verify The File With MD-5, SHA-256?
Anyone attempting to install Debian Squeeze from CD-1, or Debian-live DVD will want to know how to verify the file with MD-5, SHA-256 and (available for some versions only) SHA-512 checksums of the iso images, using the appropriate signing key. But there are no instructions that I can find in the Debian CD FAQ, which simply points users at the archive keyring. Now according to this message, as of 9 Feb 2011 the Debian Squeeze archive signing key has fingerprint 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA
The Debian signing key website gives the archive signing key as the master key, and (this addresses the problem I raised elsewhere) even makes it available via https. That sounds good! Just one problem: the detached signatures for files such as url
which gives the SHA-256 sum for url
have been signed with a different key, which has fingerprint DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
No wonder I am confused! And it seems that I may not be the only one; others seem to be confused also.
If no-one at the Debian mailing list can explain what is going on, I have little hope that anyone here will be able to clear this up, but I'll ask anyway: what are all the Debian related GPG keys and where do you find them all? is it true that there are different keys needed to verify CD iso images and debs? (And... what else?) where do you go to obtain all the latest Debian keys via https? (This is important as it can hinder MITM attacks by lone crackers, assorted crooks, maybe even state actors, etc.; the "Comodogate" story provides clear evidence that there are people or organizations interested in mounting MITM attacks on persons downloading open-source software). in particular, it is sometimes convenient to use a live-CD to download an iso image (for example, when you no longer trust the system you are trying to upgrade!) and then one wants to use GPG to check the file with the checksum, so one needs to quickly locate and import into the GPG keyring of the (temporary) live-CD session the correct key; so where can I find the CD-signing key available via https? shouldn't the CD FAQ explain all this?
Posted: 2011-03-31 15:34
Related Forum Messages For Linux category:
Ubuntu :: Archive Automatic Signing Keys 10.10?
Initially I had a problem installing restricted extras. However, it appears the problem is more than a media problem, so I moved my thread here. I copied over what I thought the relevant code was from my previous thread. Anyone have ideas on how I can fix this?
onoku@onoku-MacBook:~$ sudo apt-get update && sudo apt-get upgrade
[sudo] password for onoku:
Posted: May 14th, 2011
Debian :: How To Verify The Squeeze CD-1 Iso
I have been trying to figure out some way of installing Squeeze with some assurance that the new installation won't be pwned from Day One--- and so far I have had no success. Even worse, I have been having some strange problems using SSL in my existing Lenny installation which has been further hampering my efforts. And which may be consistent with the hypothesis that I am in fact being subjected to an on-going MITM attack when I try to install Squeeze over the net. This possibility has encouraged me to keep trying to take reasonable steps to ensure that key binaries in my forthcoming Squeeze have not been tampered with by the time I finish the initial installation. I am seeking steps that can be taken by an average user willing to follow directions written by an expert user.
I found a very interesting recent Debian Security mailing list thread which articulates some of the same concerns that I tried to express several weeks ago. The scenarios which concern Naja Melan and myself (and ???) should not simply be dismissed as too implausible to be worth trying to prevent. I think Melan's thread is rather prescient in view of "Comodogate":
http://arstechnica.com/security/news/20 ... estion.ars
https://www.eff.org/deeplinks/2011/03/i ... lent-https
http://www.wired.com/threatlevel/2011/0 ... ompromise/
http://www.theregister.co.uk/2011/03/23 ... forgeries/
http://blogs.comodo.com/it-security/dat ... ompromise/
http://www.techeye.net/security/firefox ... rtificates
One of the fake certs acquired by the bad guys would have enabled them to mount a MITM attack on anyone trying to install updates to Iceweasel/Firefox add-ons via addons.mozilla.org, which I think certainly suggests that the alleged state actor intended to tamper with at least some software.
(EDIT: important new developments in that story:
http://erratasec.blogspot.com/2011/03/c ... festo.html
http://www.thetechherald.com/article.ph ... y-attacker
http://www.theregister.co.uk/2011/03/28 ... aks_cover/
http://arstechnica.com/security/news/20 ... o-hack.ars
Briefly, an anon who claims to be Iranian and who claims to have acted alone, and who suggests that he has some connection with political dissidents inside Iran, has claimed to have been the Comodo affiliate cracker. At least one pentester finds the claim plausible. It would explain several aspects of the breach which did not appear consistent with Comodo's conclusion that the breach was sponsored by the Iranian government.)
Posted: 2011-03-26 21:26
Debian Multimedia :: Binding Scripts To Keys - Will Openbox Not Allow For Scripts To Be In The Rc.xml File
I'm using Openbox, and I'm working on some scripts to automatically change several things at once (wallpaper, theme, idesk icons, wbar, etc), and I've started with a simple script for changing the wallpaper. I have three different scripts, each one connected to a different wallpaper. The scripts are in my /usr/bin file, so I just have to type the script name and it goes. Trouble is, I've tried assigning it to a keybinding in Openbox's rc.xml, and I can't seem to get them to work.
Here's one of them:
It's supposed to make it so I type ctrl+F10 to switch to a steampunk wallpaper I have. I can do the script from the command prompt, but I can't get the keybinding to work. Anybody know why? Will Openbox not allow for scripts to be in the rc.xml file?
Posted: 2011-09-11 03:04
Programming :: Verify User Login (for A Debian System) Correct Without Actually Logging In?
I'm looking for some way to verify if a user login (for a Debian system) is correct, without actually logging in. My optimal solution would take a candidate username and password as arguments, and (say) return 1 if the username and password are a valid login on the system, and return 0 if it is not. The language used is not really important. (maybe... comparing a hash of the password to the one stored in /etc/shadow? -- but I have no idea how these hashing algorithms work or how to implement them)
Is there an easy way to do this? Security isn't a *huuuuge* concern, as this will be used in a web app that is only available to our local LAN.
Posted: 07-25-2007, 02:16 PM
Ubuntu Installation :: Does Not Complete Its Installation Verify?
I'm trying to install Ubuntu 10.10 on a computer that's already running Windows Vista. I used the Wubi installer and it seemed to go through the installation fine (using the desktop, amd64 iso file). After rebooting, I get the dual boot option. However, on Ubuntu start-up, I get a display with the message stating Verifying Installation Files. It seems to go through some verification, but then it gets stuck. I see a bunch of lines with the words "ubuntu ubiquity" with hexadecimal values and regular words. The last hexadecimal values to appear are: 7f2698c50d8e, 7f2698fca815; the last regular word is "_target".
If I quit out of the verification, I am able to get onto the desktop area, but a message appears stating a parted_server crash occurred. Also, my wireless connection doesn't work, but I suspect I need to install a driver.
Posted: March 3rd, 2011
Fedora Installation :: Configure Ext4 Partition And Verify Download?
I tried to install f13 from live cd and failed. I have 2 questions. I do not understand how to set up partitions according to scottro's message. It says you need a small ext3-formatted /boot partition and an ext4-formatted root partition. Does this configuration have to be set up before you boot into the live cd? If so, please tell me how to set this up. My pc is pentium d with 2 hard drives. The master hd has xp, ubuntu8.04, and swap partitions. I would like to use one-half of the slave drive for f13.
Second question. I would like to be able to verify download of fedora-13-i686.iso. I downloaded it to my xp partition and installed Windows MD5summer. Where or how do I get the md5 file for this iso file?
Posted: 5th June 2010, 03:54 PM
Fedora :: How To Boot Up Without Signing In
I have had to ditch ubuntu after 4 happy years as their 10.04 release was crazily resource hungry on my humble machine. Installed F13 smoothly and without any problems and so far it doesn't appear to be as resource hungry as ubuntu. One thing I have not been able to find in either gnome preferences or administration is where to set it to go straight to desktop without messing around with passwords and stuff.
Posted: 2nd July 2010, 06:18 PM
Fedora :: Pidgin And Empathy Not Signing Into Msn?
Recently jumped from Ubuntu to Fedora 12 over the weekend, has been quite the bumpy ride. Though fun of course. But I'm having trouble coming to a solution for this problem, that started today. When signing into both Empathy or Pidgin (only with msn account) they both just hang on the white screen inactive... I say "inactive" the program hasn't frozen I just cannot be signed in. Also, in Pidgin at the bottom, next to where it shows your status, it has;
"Available - Waiting for network connection"
Posted: 18th January 2010, 11:17 PM
Server :: Signing Up To The Amazon EC2 Service With EBS?
I am interested in signing up to the Amazon EC2 service with EBS. I have never used an unmanaged vps before, but I know how to use the command line etc. There are some basic packs on there to use, with basic LAMP stacks. But I would like to ask about how do I:
Upgrade a lamp stack? - someone mentioned yum, but what is this? how easy is it to use? is it enough?
Secure the lamp stack? - assuming I have no idea of linux security, can you give me a list or something of things I need to consider so I can begin the search (or just cover the steps would be awesome!)
My website just uses php and mysql, so that's all I'll need. If you have any other tips on this,
Posted: 01-09-2011, 08:02 AM
Fedora :: Flash Plugin Signing Key - Cannot Update
Running graphical software update, fc13. Attached are screenshots, which appear in sequence. The first seems to be asking if I trust the source, Adobe. (The Help for this window says I can go to the adobe website to confirm details of the signing key, which I will do if there is not a simpler fix.) If I respond in affirmative to the first window I get the failure window, second shot, with traceback.
Posted: 11th August 2010, 11:22 PM