Merged
61 changes: 40 additions & 21 deletions src/installation/index.md
Expand Up @@ -67,9 +67,10 @@ on the image to ensure they haven't been tampered with.
Current images are signed using a signify key that is specific to the release.
If you're on Void already, you can obtain the keys from the `void-release-keys`
package, which will be downloaded using your existing XBPS trust relationship
with your mirror. You will also need a copy of
[signify(1)](https://man.voidlinux.org/signify.1); on Void this is provided by
the `outils` package.
with your mirror and package signatures. You will also need a copy of
[signify(1)](https://man.voidlinux.org/signify.1) or
[minisign(1)](https://man.voidlinux.org/minisign.1); on Void, these are provided
by the `outils` or `minisign` packages, respectively.

To obtain `signify` when using a Linux distribution or operating system other
than Void Linux:
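Review bot: the new sentence offers signify(1) or minisign(1) as equals, but the lead-in that follows ("To obtain `signify` when using a Linux distribution or operating system other than Void Linux:") still covers only signify, so a reader who chooses minisign gets no install guidance until the separate paragraph further down. Consider naming both tools in that lead-in or moving the minisign paragraph next to it. As a wording point, "existing XBPS trust relationship with your mirror and package signatures" is ambiguous about what is actually trusted; saying that the package's signature is what authenticates the download would make the chain of trust clearer.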
Expand All @@ -81,37 +82,55 @@ than Void Linux:
distribution.
- Install `signify-osx` with homebrew in macOS.

If you can't obtain `signify` for some reason (e.g. you are on Windows and can't
use WSL or MinGW), you can use
[minisign(1)](https://man.voidlinux.org/minisign.1) to verify the file.
The `minisign` executable is usually provided by a package of the same name, and
can also be installed on Windows, even without WSL or MinGW.

If you are not currently using Void Linux, it will also be necessary to obtain
the appropriate signing key from our Git repository
[here](https://github.com/void-linux/void-packages/tree/master/srcpkgs/void-release-keys/files/).

Once you've obtained the key, you can verify your image with the `sha256sum.sig`
file. The following example demonstrates the verification of the GCP musl
filesystem from the 20191109 release:
and `sha256sum.txt` files. First, you need to verify the authenticity of the
`sha256sum.txt` file.

The following examples demonstrate the verification of the `sha256sum.txt` file
for the 20210930 images. Firstly, with `signify`:

```
$ signify -C -p /etc/signify/void-release-20191109.pub -x sha256sum.sig void-GCP-musl-PLATFORMFS-20191109.tar.xz
$ signify -V -p /etc/signify/void-release-20210930.pub -x sha256sum.sig -m sha256sum.txt
Signature Verified
void-GCP-musl-PLATFORMFS-20191109.tar.xz: OK
```

If the verification process does not produce the expected "OK" status, do not
use it! Please alert the Void Linux team of where you got the image and how you
verified it, and we will follow up on it.
And secondly, with `minisign`:

```
$ minisign -V -p /etc/signify/void-release-20210930.pub -x sha256sum.sig -m sha256sum.txt
Signature and comment signature verified
Trusted comment: timestamp:1634597366 file:sha256sum.txt
```

For verification with `minisign`, it is necessary to rename the `sha256sum.sig`
file to `sha256sum.txt.minisig` and remove the first line from the `.pub`
release key. The following example demonstrates the verification of the
`sha256sum.txt` file from the 20191109 release:
Finally, you need to verify that the checksum for your image matches the one in
the `sha256sum.txt` file. This can be done with the
[sha256(1)](https://man.voidlinux.org/md5.1) utility, again from the `outils`
package, as demonstrated below for the 20210930 `x86_64` image:

```
$ minisign -Vm sha256sum.txt -f -p void-release-20191109.pub
void-release-20191109.pub: Success
$ sha256 -C sha256sum.txt void-live-x86_64-20210930.iso
(SHA256) void-live-x86_64-20210930.iso: OK
```

The same warning as above applies. If the verification process isn't successful,
do not use the file - warn the Void Linux team about it.
Alternatively, if the `sha256` utility isn't available to you, you can compute
the SHA256 hash of the file, e.g. using
[sha256sum(1)](https://man.voidlinux.org/sha256sum.1), and compare it to the
value contained in `sha256sum.txt`:

```
$ sha256sum void-live-x86_64-20210930.iso

From the manpage, sha256sum supports BSD-style checksums, and `sha256sum -c --ignore-missing sha256sum.txt` can be used directly.

Member Author

Oh, that's nice :)
Would you mind opening a PR with that suggestion?

45b75651eb369484e1e63ba803a34e9fe8a13b24695d0bffaf4dfaac44783294 void-live-x86_64-20210930.iso
$ grep void-live-x86_64-20210930.iso sha256sum.txt
SHA256 (void-live-x86_64-20210930.iso) = 45b75651eb369484e1e63ba803a34e9fe8a13b24695d0bffaf4dfaac44783294
```

If the verification process does not produce the expected "OK" status, do not
use it! Please alert the Void Linux team of where you got the image and how you
verified it, and we will follow up on it.
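Review bot: the closing warning still keys on the expected "OK" status, but in the new two-stage flow only the `sha256 -C` step prints "OK". The signature step prints "Signature Verified" (signify) or "Signature and comment signature verified" (minisign), and the `sha256sum` plus `grep` alternative prints no status at all, leaving the reader to compare two hashes by eye. Suggest rewording the warning so it covers both stages, for example: do not use the image if the signature on `sha256sum.txt` fails to verify or if the image's checksum does not match the entry in that file. Separately, the link text sha256(1) points at `md5.1`; if that is the shared man page, a brief note would keep it from reading as a mistake.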