4.0-rc5 installation fails; BAD signature from "Qubes OS Release 4 Signing Key" #3667

Closed
0pcom opened this Issue Mar 8, 2018 · 4 comments

0pcom commented Mar 8, 2018

Qubes OS version:

4.0-rc5

Affected component(s):

Qubes OS 4.0-rc5 installation media
https://ftp.qubes-os.org/iso/Qubes-R4.0-rc5-x86_64.iso
https://ftp.qubes-os.org/iso/Qubes-R4.0-rc5-x86_64.torrent

Steps to eliminate the behavior:

Downloaded the .iso multiple times:
https://ftp.qubes-os.org/iso/Qubes-R4.0-rc5-x86_64.iso

Torrented the .iso multiple times:
https://ftp.qubes-os.org/iso/Qubes-R4.0-rc5-x86_64.torrent

Attempted to verify the integrity of the .iso via the instructions here:
https://www.qubes-os.org/security/verifying-signatures/

I continue to await the completion of current downloads and will update if it becomes apparent that corrupted downloads were to blame.

Expected behavior:

When verifying the install media

$ gpg -v --verify Qubes-R4.0-rc5-x86_64.iso.asc Qubes-R4.0-rc5-x86_64.iso
gpg: Signature made Sun 04 Mar 2018 12:57:06 PM CST
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using PGP trust model
gpg: Good signature from "Qubes OS Release 4 Signing Key"
gpg: binary signature, digest algorithm SHA256

Successful installation should be expected.

Actual behavior:

When attempting to verify the .iso:

[user@arch] gpg -v --verify Qubes-R4.0-rc5-x86_64.iso.asc Qubes-R4.0-rc5-x86_64.iso
gpg: Signature made Sun 04 Mar 2018 12:57:06 PM CST
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: BAD signature from "Qubes OS Release 4 Signing Key" [full]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096

Same error for every download.

The digests are OK:

[user@arch]$ gpg -v --verify Qubes-R4.0-rc5-x86_64.iso.DIGESTS
gpg: armor header: Hash: SHA256
gpg: original file name=''
gpg: Signature made Sun 04 Mar 2018 12:58:12 PM CST
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: Good signature from "Qubes OS Release 4 Signing Key" [full]
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096

Multiple installation media would hang during the media test option, and also when attempting to install without the media test.

When the media check was skipped, a fatal error was encountered while Qubes was attempting to install the Fedora template and then the Whonix template.

UPDATE

Attempt to verify .iso which was torrented after this issue was opened:

[user@arch]$ gpg -v --verify Qubes-R4.0-rc5-x86_64.iso.asc Qubes-R4.0-rc5-x86_64.iso
gpg: Signature made Sun 04 Mar 2018 12:57:06 PM CST
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: BAD signature from "Qubes OS Release 4 Signing Key" [full]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096

UPDATE 2

Attempt to verify .iso downloaded from ftp.qubes-os.org after this issue was opened:

[user@arch]$ gpg -v --verify Qubes-R4.0-rc5-x86_64.iso.asc Qubes-R4.0-rc5-x86_64.iso
gpg: Signature made Sun 04 Mar 2018 12:57:06 PM CST
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: BAD signature from "Qubes OS Release 4 Signing Key" [full]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096

General notes:

I compared the torrented .iso with the one downloaded from the ftp.qubes-os.org

cmp /home/user/Downloads/Qubes-R4.0-rc5-x86_64.iso '/home/user/Downloads/Qubes-R4.0-rc5-x86_64/Qubes-R4.0-rc5-x86_64.iso'

The two .ISOs differ, and neither would successfully install.

I will run fresh tests when downloads complete and update with my findings...

UPDATE

The (most recently) torrented .iso fails the verification check as noted above.

UPDATE 2

The FTP-downloaded .iso failed the verification check as noted above.

ADDITIONAL NOTES

When I compare the torrented .iso with the ftp downloaded one:

$ cmp '/home/user/Downloads/Qubes-R4.0-rc5-x86_64.iso' '/home/user/Downloads/Qubes-R4.0-rc5-x86_64/Qubes-R4.0-rc5-x86_64.iso'
differ: byte 44505204, line 151960
differ: byte 64711223, line 231154

So they're both different and neither I think will work.


Related issues:

What is the proper or recommended way to verify the integrity of an .iso after it has been written to the installation disk?

.iso written to disk with dd like this:

sudo dd if=/home/user/Downloads/Qubes-R4.0-rc5-x86_64.iso of=/dev/sdc bs=1M conv=noerror,sync status=progress

Either cmp doesn't work with block devices, such as in the following example, or I cannot get dd to write an accurate copy, no matter how small bs= is set:

sudo cmp /home/user/Downloads/Qubes-R4.0-rc5-x86_64.iso /dev/sdc

@0pcom 0pcom changed the title from 4.0-rc5 installation trouble - torrented .iso differs from FTP download & neither have worked yet. to 4.0-rc5 installation - BAD signature from "Qubes OS Release 4 Signing Key" Mar 8, 2018

@0pcom 0pcom changed the title from 4.0-rc5 installation - BAD signature from "Qubes OS Release 4 Signing Key" to 4.0-rc5 installation fails; BAD signature from "Qubes OS Release 4 Signing Key" Mar 8, 2018


unman Mar 8, 2018

Member

And yet I was able to download once over Tor, and:

gpg --verify Qubes-R4.0-rc5-x86_64.iso.asc 
gpg: assuming signed data in 'Qubes-R4.0-rc5-x86_64.iso'
gpg: Signature made Sun 04 Mar 2018 06:57:06 PM GMT
gpg:                using RSA key 1848792F9E2795E9
gpg: Good signature from "Qubes OS Release 4 Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5817 A43B 283D E5A9 181A  522E 1848 792F 9E27 95E9

And I assume that others have also been able to do the same.

I can't explain why your multiple downloads are failing verification. Disk issues could be one explanation, and the first place I'd look.


@andrewdavidwong andrewdavidwong added this to the Release 4.0 milestone Mar 9, 2018


andrewdavidwong Mar 9, 2018

Member
> What is the proper or recommended way to verify the integrity of an .iso after it has been written to the installation disk?
>
> .iso written to disk with dd like this:
>
> sudo dd if=/home/user/Downloads/Qubes-R4.0-rc5-x86_64.iso of=/dev/sdc bs=1M conv=noerror,sync status=progress

  1. Verify the ISO before you write it to the installation medium. If the verification fails before writing, there's no point in writing. If the verification succeeds before writing but fails afterward, writing introduced the error.
  2. Try it again without conv=noerror,sync (see here).
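
The check asked about in this exchange (comparing the written stick to the ISO), as an added example that is not part of the original thread. A plain cmp of the ISO against the whole device stops with an EOF on the ISO even after a perfect write, because the device is larger than the image, so the comparison has to be limited to the image's length. The files in the demo are constructed stand-ins for the ISO and for /dev/sdc.

```shell
#!/bin/sh
# Added example: does TARGET begin with a byte-exact copy of IMAGE?
# Only the first <size of IMAGE> bytes of TARGET are read and compared,
# so whatever lies beyond the image on a larger device is ignored.
verify_written() {
    image=$1; target=$2
    size=$(wc -c < "$image" | tr -d ' ') || return 2
    # cmp treats "-" as standard input; a short or different read returns non-zero.
    head -c "$size" "$target" | cmp -s - "$image"
}

# Constructed stand-ins so the example runs offline (not real Qubes data).
demo_dir=$(mktemp -d)
printf 'constructed-iso-payload-0123456789' > "$demo_dir/image.iso"
# "Good" device: the image followed by unrelated bytes past its end.
{ cat "$demo_dir/image.iso"; printf 'LEFTOVER-DATA-ON-STICK'; } > "$demo_dir/good.dev"
# "Bad" device: one byte inside the copied region differs.
{ printf 'constructed-iso-payload-0123456X89'; printf 'LEFTOVER'; } > "$demo_dir/bad.dev"
# "Short" device: the write stopped before the end of the image.
printf 'constructed-iso-pay' > "$demo_dir/short.dev"

for dev in good bad short; do
    if verify_written "$demo_dir/image.iso" "$demo_dir/$dev.dev"; then
        echo "$dev.dev: matches image"
    else
        echo "$dev.dev: DIFFERS from image"
    fi
done
```

On real media, run it as root against the whole-disk device after re-plugging the stick, so that the read comes from the medium rather than from the page cache.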
awokd Mar 9, 2018

My download verified fine too. Suggest doing a sha256sum on yours to make sure there isn't disk or network corruption of your downloads. Once you get a good hash, then try to verify the signature.

0pcom Mar 15, 2018

I have identified a bad stick of RAM after installing to another disk and running md5sum repeatedly on downloaded files, the output of which yielded inconsistent results when the faulty RAM was present.

This also seems to account for other anomalous behaviors of this computer.

[d0mo@localhost Qubes-R4.0-rc5-x86_64]$ md5sum Qubes-R4.0-rc5-x86_64.iso
6384faaab454a5e88e5b6eafffe02d8d Qubes-R4.0-rc5-x86_64.iso
[d0mo@localhost Qubes-R4.0-rc5-x86_64]$ sha1sum Qubes-R4.0-rc5-x86_64.iso
1e686e90362c582e8576a14b8da8d85594d3e6eb Qubes-R4.0-rc5-x86_64.iso
[d0mo@localhost Qubes-R4.0-rc5-x86_64]$ sha256sum Qubes-R4.0-rc5-x86_64.iso
98440539295e78f1c59b9ca457e98ea24153154a1489c566f41a88ca3f5d1918 Qubes-R4.0-rc5-x86_64.iso
[d0mo@localhost Qubes-R4.0-rc5-x86_64]$ sha512sum Qubes-R4.0-rc5-x86_64.iso
9fc06d344513245dcf89be0e2656c22f17fd5ad15fb2c8ef5f3bed90be46dcb0e4991b5aaef3a9bd401d20ea7c9fb3ca53cbdd283cd296083c8e3df6c873daed Qubes-R4.0-rc5-x86_64.iso

[d0mo@localhost ~]$ gpg --import /home/d0mo/Downloads/qubes-release-4-signing-key.asc

gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported

gpg: Total number processed: 1

gpg: imported: 1

gpg: marginals needed: 3 completes needed: 1 trust model: pgp

gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u

gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u

[d0mo@localhost ~]$ gpg -v --verify '/home/d0mo/Downloads/qe2/Qubes-R4.0-rc5-x86_64/Qubes-R4.0-rc5-x86_64.iso.asc' '/home/d0mo/Downloads/qe2/Qubes-R4.0-rc5-x86_64/Qubes-R4.0-rc5-x86_64.iso'

gpg: Signature made Sun 04 Mar 2018 12:57:06 PM CST

gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9

gpg: using pgp trust model

gpg: Good signature from "Qubes OS Release 4 Signing Key" [full]

gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096

sorry the formatting is kinda screwed up. I guess I can close this now.
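
The triage this thread arrived at by hand (hash the file repeatedly, then compare against the published digest), as an added example that is not part of the original thread. It assumes the DIGESTS listing holds sha256sum-style lines and that its signature was already checked with gpg, as in the issue; HASH_CMD and the sample files are hypothetical names made up for the example.

```shell
#!/bin/sh
# Added example: separate "unstable reads" (suspect RAM/hardware) from
# "stable but wrong" (corrupt copy) from "ok".
# HASH_CMD is a hypothetical override used only to exercise the check.

# Hash FILE $2 times (default 3); print the digest only if every round agrees.
stable_sha256() {
    file=$1; rounds=${2:-3}; first=""; i=0
    while [ "$i" -lt "$rounds" ]; do
        h=$(${HASH_CMD:-sha256sum} "$file" | cut -d' ' -f1)
        [ -n "$h" ] || return 2
        if [ -z "$first" ]; then first=$h; fi
        # Same file, different digest between rounds: the machine is at fault.
        [ "$h" = "$first" ] || return 1
        i=$((i + 1))
    done
    echo "$first"
}

# Print ok / mismatch / unstable / error for FILE against a DIGESTS listing.
# Assumption: lines look like "<hex>  <name>" or "<hex> *<name>".
triage_download() {
    file=$1; digests=$2; rc=0
    digest=$(stable_sha256 "$file" "${3:-3}") || rc=$?
    case $rc in
        0) ;;
        1) echo unstable; return 0 ;;
        *) echo error; return 0 ;;
    esac
    if grep -q "^$digest[ *]" "$digests"; then echo ok; else echo mismatch; fi
}

# Constructed stand-ins for the ISO and its DIGESTS file (not real Qubes data).
work=$(mktemp -d)
printf 'constructed iso bytes\n' > "$work/sample.iso"
printf 'constructed iso bytez\n' > "$work/corrupt.iso"
( cd "$work" && sha256sum sample.iso > sample.DIGESTS )
echo "sample.iso:  $(triage_download "$work/sample.iso"  "$work/sample.DIGESTS")"
echo "corrupt.iso: $(triage_download "$work/corrupt.iso" "$work/sample.DIGESTS")"
```

A result of unstable points at the machine doing the hashing rather than at the download, which is the situation the bad RAM stick produced here.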
