-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: verify integrity of image hash sums #85
Comments
I'm not sure where the actual documentation exists for this on clearlinux.org, but this blog post describes how to verify the SHA512SUMS file: https://clearlinux.org/blogs/security-software-update-clear-linux-os-intel-architecture
|
Patrick McCarty <notifications@github.com> writes:
I'm not sure where the actual documentation exists for this on
clearlinux.org,
The right place to document this IMHO is the link I had in my initial
description. That's also what the download directory links to.
but this blog post describes how to verify the SHA512SUMS file:
https://clearlinux.org/blogs/security-software-update-clear-linux-os-intel-architecture
Thanks, that does indeed explain it.
|
I agree. I will prepare a PR to update the docs accordingly. |
Patrick McCarty <notifications@github.com> writes:
https://clearlinux.org/blogs/security-software-update-clear-linux-os-intel-architecture
```
$ openssl smime -verify -in [image]-SHA512SUMS.sig -inform der -content sha512sum.out -CAfile ClearLinuxRoot.pem -out /dev/null
```
I tried that with the .pem and images+sig from 22840, but it fails for
me (Debian Stable, OpenSSL 1.1.0f):
$ openssl smime -verify -in clear-22840-kvm.img.xz-SHA512SUMS.sig -inform der -content sha512sum.out -CAfile ../test/ClearLinuxRoot.pem -out /dev/null
Verification failure
140263623320832:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:../crypto/pkcs7/pk7_smime.c:285:Verify error:unsupported certificate purpose
Am I the first one who is paranoid enough to try this, or is it related
to my version of OpenSSL? ;-}
|
I see the verification fail with openssl 1.1.0h on Arch Linux, and it succeeds with openssl 1.0.2o on Clear Linux. My guess is that it's an incompatibility between 1.0.x and 1.1.x :-( |
Why can't |
I'm not sure how important it is to have these signatures. But apparently they were considered important enough to set up something, so probably it is worth fixing the mechanism. |
The
|
A change to speed up the build caused the inclusion of the file path. We fixed the issue in the tree and this will be working as documented this afternoon after the late morning build goes out (any valid release version >= 23310 will work as documented) |
Closing as docs PR was merged |
@phmccarty @iphutch I see this issue happening again with clear-29690-cloud.img.xz /cc @pohly |
@mcastelino The verification of |
https://clearlinux.org/documentation/clear-linux/get-started/bare-metal-install#verify-the-integrity-of-the-clear-linux-image documents how to verify the integrity of the downloaded image file. What's missing is documentation on how to verify the integrity of the SHA512SUMS file.
The files are signed, so presumably some gpg invocation will do that. But what key needs to be trusted?
The text was updated successfully, but these errors were encountered: