Friday, July 14, 2017

How To Verify an ISO Image After Download in Linux

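I assume that you have downloaded the image / ISO file into a folder. Navigate to the folder where the ISO is. You have to get the public GPG key for Fedora downloads. As the session below shows, the ISO itself carries no signature: the signature is on the CHECKSUM file, which in turn lists the SHA-256 of each ISO.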

[donato@archdesktop Downloads]$ ls
builds  debian-live--9.0.0-amd64-gnome  Fedora-Workstation-Live-x86_64-25  Fedora-Workstation-Live-x86_64-26
[donato@archdesktop Downloads]$ cd Fedora-Workstation-Live-x86_64-26
[donato@archdesktop Fedora-Workstation-Live-x86_64-26]$ ls
Fedora-Workstation-26-1.5-x86_64-CHECKSUM  Fedora-Workstation-Live-x86_64-26-1.5.iso
[donato@archdesktop Fedora-Workstation-Live-x86_64-26]$ gpg --verify Fedora-Workstation-Live-x86_64-26-1.5.iso
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
[donato@archdesktop Fedora-Workstation-Live-x86_64-26]$ ls
Fedora-Workstation-26-1.5-x86_64-CHECKSUM  Fedora-Workstation-Live-x86_64-26-1.5.iso
[donato@archdesktop Fedora-Workstation-Live-x86_64-26]$ curl | gpg --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18521  100 18521    0     0  11190      0  0:00:01  0:00:01 --:--:-- 11190
gpg: key 73BDE98381B46521: public key "Fedora (24) <>" imported
gpg: key B8635EEB030D5AED: public key "Fedora Secondary (24) <>" imported
gpg: key 4089D8F2FDB19C98: public key "Fedora 25 Primary (25) <>" imported
gpg: key 1A185CDDE372E838: public key "Fedora 25 Secondary (25) <>" imported
gpg: key 812A6B4B64DAB85D: public key "Fedora 26 Primary (26) <>" imported
gpg: key 4560FD4D3B921D09: public key "Fedora 26 Secondary (26) <>" imported
gpg: key F55E7430F5282EE4: public key "Fedora 27 (27) <>" imported
gpg: key 3B49DF2A0608B895: public key "EPEL (6) <>" imported
gpg: key 6A2FAEA2352C64E5: public key "Fedora EPEL (7) <>" imported
gpg: Total number processed: 9
gpg:               imported: 9
[donato@archdesktop Fedora-Workstation-Live-x86_64-26]$ gpg --verify-files *-CHECKSUM
gpg: Signature made Fri 07 Jul 2017 11:13:31 PM +08
gpg:                using RSA key 812A6B4B64DAB85D
gpg: Good signature from "Fedora 26 Primary (26) <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E641 850B 77DF 4353 78D1  D7E2 812A 6B4B 64DA B85D
[donato@archdesktop Fedora-Workstation-Live-x86_64-26]$ sha256sum -c *-CHECKSUM
sha256sum: Fedora-Workstation-netinst-x86_64-26-1.5.iso: No such file or directory
Fedora-Workstation-netinst-x86_64-26-1.5.iso: FAILED open or read
Fedora-Workstation-Live-x86_64-26-1.5.iso: OK
sha256sum: Fedora-Workstation-ostree-x86_64-26-1.5.iso: No such file or directory
Fedora-Workstation-ostree-x86_64-26-1.5.iso: FAILED open or read
sha256sum: WARNING: 19 lines are improperly formatted
sha256sum: WARNING: 2 listed files could not be read
[donato@archdesktop Fedora-Workstation-Live-x86_64-26]$

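So this is for the Fedora distribution. If you're trying to verify another distribution, then importing its GPG keys should be the same. I downloaded the live workstation ISO from their torrent page so it's the only ISO I want to verify. Nothing else. I ignored the rest of the fail messages here. Note that "Good signature" only says the CHECKSUM file was signed by the key that was just imported; the warning means gpg has no basis for trusting that key, so compare the primary key fingerprint it prints with the one Fedora publishes.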
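The session above runs sha256sum over the whole clearsigned file, including entries for ISOs that were never downloaded, and leaves the fingerprint comparison to the eye. As an added example (not from the original post), this script pins the fingerprint gpg printed above, has gpg write out only the signed text, and checks just the one ISO. The function names are hypothetical, and the pinned value is an assumption to confirm against the fingerprint the distribution publishes.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.
# Pinned primary key fingerprint: the one gpg printed in the session above,
# spaces removed. Confirm it against the value the distribution publishes.
EXPECTED_FPR="E641850B77DF435378D1D7E2812A6B4B64DAB85D"

# Reads `gpg --status-fd` output on stdin. Succeeds only if gpg reported a
# good signature and a VALIDSIG line whose last field (the primary key
# fingerprint) equals the pinned one. The "" forces a string comparison.
signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && ($NF "") == (want "") { pinned = 1 }
        END { exit !(good && pinned) }'
}

# Reads a checksum list on stdin. Succeeds only if some line names the ISO
# and carries the SHA-256 computed locally; this accepts both the
# "hash  name" and "SHA256 (name) = hash" layouts.
iso_in_list() {
    sum=$(sha256sum < "$1" | cut -d' ' -f1)
    # An empty pattern would match every line, so insist on a full digest.
    [ "${#sum}" -eq 64 ] || return 1
    grep -F -- "$(basename "$1")" | grep -qiF -- "$sum"
}

# verify_iso CHECKSUM-file ISO-file
verify_iso() {
    tmp=$(mktemp -d) || return 1
    # --decrypt on a clearsigned file verifies it and writes only the signed
    # text, so lines outside the signature are never compared.
    gpg --batch --status-fd 1 --output "$tmp/signed" --decrypt "$1" \
        > "$tmp/status" 2>/dev/null
    if signed_by "$EXPECTED_FPR" < "$tmp/status" &&
       iso_in_list "$2" < "$tmp/signed"; then
        rc=0; echo "OK: $2"
    else
        rc=1; echo "FAILED: $2" >&2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Runs only when both arguments are given.
if [ "$#" -eq 2 ]; then verify_iso "$1" "$2"; fi
```

Saved under any name, it is run with the CHECKSUM file first and the ISO second, after the keys have been imported.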

tag: fedora,gpg,checksum,iso