Verification of inputs as performed by Benny Baumann (e-mail March 10, 2016)
============================================================================

Below I stepped through the verification by hand. I noticed that the downloaded .deb files are not checked against the Packages.gz/bz2 with signature in the Release file. I did this manually and could confirm those hashes. Also I tried to verify the archive signing keys independently, which is not that easy unfortunately (see below).

> #! /bin/bash
> # DOWNLOAD - download ingredients for CAcert root re-sign operation on March 12, 2016
> wget ftp://ftpserv.tudelft.nl/pub/Linux/releases.ubuntu.com/14.04.4/SHA256SUMS
> wget ftp://ftpserv.tudelft.nl/pub/Linux/releases.ubuntu.com/14.04.4/SHA256SUMS.gpg

Currently seeing signature:

$ gpg --list-packets
:signature packet: algo 17, keyid 46181433FBB75451
    version 4, created 1455826523, md5len 0, sigclass 0x00
    digest algo 10, begin of digest 28 5d
    hashed subpkt 2 len 4 (sig created 2016-02-18)
    subpkt 16 len 8 (issuer key ID 46181433FBB75451)
    data: [160 bits]
    data: [159 bits]
:signature packet: algo 1, keyid D94AA3F0EFE21092
    version 4, created 1455826523, md5len 0, sigclass 0x00
    digest algo 10, begin of digest f7 c6
    hashed subpkt 2 len 4 (sig created 2016-02-18)
    subpkt 16 len 8 (issuer key ID D94AA3F0EFE21092)
    data: [4093 bits]

--> Both signing keys look legit, but trying to validate them in the PGP strong set fails (neither is in the strong set according to [1] & [2]).

Based on https://help.ubuntu.com/community/VerifyIsoHowto (certified for being help.ubuntu.com by chaining up to DigiCert Global Root CA [3]) I get the following information:

---
$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xFBB75451 0xEFE21092
gpg: requesting key FBB75451 from hkp server keyserver.ubuntu.com
gpg: requesting key EFE21092 from hkp server keyserver.ubuntu.com
gpg: key FBB75451: public key "Ubuntu CD Image Automatic Signing Key " imported
gpg: key EFE21092: public key "Ubuntu CD Image Automatic Signing Key (2012) " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg:               imported: 2  (RSA: 1)
---

Thus the primary fingerprints of the signing keys are likely:
- C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
- 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092

The information in those keys sounds reasonable and the keys have been signed by Colin Watson, whom I can verify via the GPG strong set [4].

> gpg --verify SHA256SUMS.gpg SHA256SUMS
> wget ftp://ftpserv.tudelft.nl/pub/Linux/releases.ubuntu.com/14.04.4/ubuntu-14.04.4-desktop-amd64.iso
> sha256sum -c SHA256SUMS
> wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.0.0_1.0.1f-1ubuntu2.18_amd64.deb
> wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_1.0.1f-1ubuntu2.18_amd64.deb
> wget http://archive.ubuntu.com/ubuntu/pool/main/z/zlib/zlib1g-dev_1.2.8.dfsg-1ubuntu1_amd64.deb
> sha256sum *.deb >pkg.sha256sum
> chmod 444 SHA256SUM* *.iso *.deb pkg.sha256sum

Looks okay.
Download checksums verified locally:

$ sha256sum *.deb
dbe9f4e86f1f4a4a99acd1289a2f565fd8d3ee9c1877063b7a35ae3a704de26c  libssl1.0.0_1.0.1f-1ubuntu2.18_amd64.deb
f6c3075d116e86fe7853c73e5e177674aba038dab8d656da1064e20e14a470d7  libssl-dev_1.0.1f-1ubuntu2.18_amd64.deb
d44332327123a4fef16ededcffac98ac0425402f9c2ccc8e42193b122f8a54b8  zlib1g-dev_1.2.8.dfsg-1ubuntu1_amd64.deb

Also matches the Packages index on the mirror. ACK.
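The check the e-mail notes is missing from the script, tying each downloaded .deb to the SHA256 recorded in the archive's Packages index and that index to the Release file, as an added shell example that is not part of Benny Baumann's e-mail or of the CAcert script. It assumes GNU coreutils sha256sum and builds a constructed mini-archive (a stand-in .deb, a Packages stanza and a Release file) in place of the real mirror; the Release signature itself is still what gpg --verify checks.

```shell
#!/bin/sh
# Added example, not from the e-mail or the CAcert script: verify a
# downloaded .deb against the Packages index and the index against the
# Release file. Assumes GNU coreutils (sha256sum) and a POSIX shell.
# The sample archive built below is constructed, not a real mirror.

file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# SHA256 that the Packages index records for the stanza whose Filename
# ends in the given .deb basename (prints nothing when there is no stanza).
index_sha256_for() {          # $1 = Packages file, $2 = .deb basename
    awk -v deb="$2" '
        /^Filename:/ { n = split($2, p, "/"); hit = (p[n] == deb) }
        /^SHA256:/   { if (hit) { print $2; exit } }
        /^$/         { hit = 0 }' "$1"
}

# 0 = matches the index, 1 = hash mismatch, 2 = no entry in the index.
verify_deb_against_index() {  # $1 = Packages file, $2 = downloaded .deb
    expected=$(index_sha256_for "$1" "$(basename "$2")")
    [ -n "$expected" ] || return 2
    [ "$(file_sha256 "$2")" = "$expected" ]
}

# One level up: the Packages file must match its entry in the SHA256
# section of Release (the document whose signature `gpg --verify` checks).
verify_index_against_release() {  # $1 = Release, $2 = Packages, $3 = its path in Release
    expected=$(awk -v f="$3" '
        $1 == "SHA256:"   { s = 1; next }
        /^[A-Za-z]+:/     { s = 0 }
        s && $3 == f      { print $1; exit }' "$1")
    [ -n "$expected" ] || return 2
    [ "$(file_sha256 "$2")" = "$expected" ]
}

# Build a constructed mini-archive (stand-in .deb, Packages, Release) in $1
# so the checks above can be exercised offline.
make_sample_archive() {
    deb="zlib1g-dev_1.2.8.dfsg-1ubuntu1_amd64.deb"   # name from the e-mail, contents constructed
    printf 'constructed stand-in for a .deb\n' > "$1/$deb"
    printf 'Package: zlib1g-dev\nFilename: pool/main/z/zlib/%s\nSHA256: %s\n\n' \
        "$deb" "$(file_sha256 "$1/$deb")" > "$1/Packages"
    printf 'Suite: trusty\nSHA256:\n %s %s main/binary-amd64/Packages\n' \
        "$(file_sha256 "$1/Packages")" "$(wc -c < "$1/Packages")" > "$1/Release"
}
```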