Lack in installation documentation - Verify integrity and signature

Problem

While installing a new Yunohost on a raspberry, I found what I believe is a “hole” in the installation documentation. There is no instruction on how to verify download with sha256sum and gpg

Proposal

  1. On page https://yunohost.org/#/install_on_raspberry/preview, it could be nice to add a new step like this
  2. Especially that checksums and gpg are already shown on the download page


Some example instructions to verify the download:


Feel free to move the topic or give pointers of a better place to handle this.

Edit #1
Also missing step: unzip the file

Yes indeed. Imho the best way to do this would be to add a tip at the top of the “Pre-installed images” page, such as “When downloading these images, it is recommended to check the integrity and authenticity of the image with ~link to procedure~”

and have a dedicated page explaining how to use md5sum and gpg (both on Linux and Windows …)

Feel free to suggest something: you can directly edit the pages with the ‘Edit’ button and/or git clone the doc repo if you are familiar with git :wink:

Is there a step-by-step guide somewhere for checking the pgp signature? I skimmed over the Ubuntu tutorial page linked to above by @Gofannon back in September 2018, but I couldn’t figure out how to apply it to YunoHost. For example, what do I replace in the example command gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS to make it work for YunoHost? Sorry for this n00b question, but I need some fairly explicit instructions sometimes.

Example:

  • use cat to view the sha256sum file
  • use sha256sum to see what the sha256sum of the iso you downloaded is
$ cat yunohost-buster-4.1.8-amd64-stable.iso.sha256sum 
0ac2997ff090a50153c25c5b2b621bd253c4fb7f4a2ae739e25796ff9c840b28  yunohost-buster-4.1.8-amd64-stable.iso
$ sha256sum NHL_-94_-_1993_-_Electronic_Arts.pdf 
404a2f499197f17b6d9402a9f44205f5eac26b45daa9fabade2eed660bcbe137  NHL_-94_-_1993_-_Electronic_Arts.pdf

I didn’t download the yunohost ISO but you get the gist of it I think.

Thanks @arkadi, but the checksum is not what I was after, it was the pgp signature of the checksum and the pgp signature of the iso image itself, for validation, not just for verification. I have no problems using sha256sum to verify an iso image using a checksum for internal consistency / integrity. I just don’t yet know how to validate an iso image’s signature for authenticity.


Where do we get the YunoHost Developers’ public key from? The two links provided above by @Gofannon each describe different ways of adding the public key to your keyring. The Tor documentation recommends --auto-key-locate and --locate-keys with what looks like an email address, while the Ubuntu documentation recommends using --keyserver and --recv-keys with an OpenPGP HTTP Keyserver Protocol (hkp://) URI. Either way, it looks like we first need to know how to locate the YunoHost developer’s public key, which should be the key which was used to sign the release packages, right? This information would be really helpful towards creating step-by-step documentation for this procedure.

I just tried using the command from @Gofannon’s linked Ubuntu tutorial page above, and replacing the default Ubuntu filenames with our YunoHost filenames, as follows…

$ gpg --keyid-format long --verify yunohost-buster-4.1.7.2-rpi-stable.img.zip.sig yunohost-buster-4.1.7.2-rpi-stable.img.zip

However, this returned the following error…

gpg: Signature made Mon 22 Feb 2021 12:36:41 NZDT
gpg:                using RSA key 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: Can't check signature: No public key

From the Ubuntu tutorial page, the next step would be to obtain the public key from a keyserver. I spoke to @tituspijean on IRC about this, and they pointed me to this public key on GitHub. Now I need to learn what to do with it, as it isn’t in the form that the Ubuntu tutorial page is expecting…

From this, it looks like I need to know the location of the keyserver. I assume there is an alternative method for importing the public key into my keychain. I’ll keep looking.

EDIT: Next I downloaded this public key from GitHub, as recommended by @tituspijean, and saved it as a text file called yunohost-security-team.gpg on my local computer. Then I ran the following command, which I got from this page on the GnuPG documentation site…

$ gpg --import yunohost-security-team.gpg
gpg: key 749D897217351899: public key "YunoHost Security <security@yunohost.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Aha! Look at that, I now have an email address that I can use for validating, and I have the key itself in my keychain. I’ll follow the rest of the instructions on that page, and see how it goes.

EDIT: So, the next step is to validate the YunoHost Security Team’s public key. Here’s what I did, and the result of it…

$ gpg --edit-key security@yunohost.org
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/749D897217351899
     created: 2016-07-01  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa4096/1CB93A64446838AF
     created: 2016-07-01  expires: never       usage: E   
[ unknown] (1). YunoHost Security <security@yunohost.org>

gpg> 

Hmm, those unknown values are not very inspiring! :bell: Alarm bells ringing here!

I gave you the wrong public key, sorry. This one is correct for the current builds: https://forge.yunohost.org/yunohost.asc

To check the signature:

wget https://forge.yunohost.org/yunohost.asc
gpg --import yunohost.asc
gpg --verify yunohost-buster-4.1.7.2-rpi-stable.img.zip.sig yunohost-buster-4.1.7.2-rpi-stable.img.zip

I get:

gpg: Signature made Mon Feb 22 00:36:41 2021 CET
gpg:                using RSA key 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: Good signature from "YunoHost <build@yunohost.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1904 C5B4 2E48 56DC D4E9  CF96 360A AF32 59A3 E6FF
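Putting the two replies above together (the sha256sum check from @arkadi and the gpg --verify from @tituspijean), here is an added shell example that is not part of this thread or of the YunoHost project. It accepts a signature only when gpg's machine-readable status output reports a VALIDSIG whose primary-key fingerprint is the one printed above, rather than relying on the bare "Good signature" line, which gpg prints for any key that happens to be imported (as with the wrong key earlier in the thread). It assumes the image comes with a `.sig` and a `.sha256sum` file named after it, as in the examples above.

```shell
#!/bin/sh
# Added example, not YunoHost project code: check an image's sha256 listing
# and its detached .sig, accepting the signature only from a pinned key.

# Primary key fingerprint of the YunoHost build key, as printed in the thread.
EXPECTED_FPR="1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF"

# Print the digest listed for file $2 in the sha256sum-style listing $1
# (also handles the "*name" form written in binary mode); prints nothing if absent.
expected_sha256() {
    awk -v f="$2" '$2 == f || $2 == ("*" f) { print $1; exit }' "$1"
}

# Return 0 only if the computed digest $3 matches the listing $1 for file $2.
check_sha256() {
    want=$(expected_sha256 "$1" "$2")
    [ -n "$want" ] && [ "$want" = "$3" ]
}

# Return 0 only if gpg's --status-fd output in file $1 contains a VALIDSIG
# line whose primary-key fingerprint (12th field) is EXPECTED_FPR.
# A GOODSIG line alone is not enough: it appears for any imported key.
check_validsig() {
    awk -v fpr="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $12 == fpr { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# Full check for image $1; assumes $1.sha256sum and $1.sig sit alongside it.
verify_image() {
    img=$1
    digest=$(sha256sum "$img" | awk '{ print $1 }')
    check_sha256 "$img.sha256sum" "$(basename "$img")" "$digest" ||
        { echo "sha256 mismatch for $img"; return 1; }
    status=$(mktemp)
    # Status lines go to fd 3; the human-readable output is not parsed.
    gpg --status-fd 3 --verify "$img.sig" "$img" 3>"$status" >/dev/null 2>&1 || true
    if check_validsig "$status"; then
        rm -f "$status"; echo "OK: $img is signed by $EXPECTED_FPR"
    else
        rm -f "$status"; echo "signature missing or not from pinned key"; return 1
    fi
}

# Usage: verify_image yunohost-buster-4.1.7.2-rpi-stable.img.zip
```

The pinned fingerprint should come from a second source (for example the project's website over HTTPS, or a maintainer you can reach), not from the same place the image was downloaded from.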

Thank you so much @tituspijean, that is awesome! I did the same, and got exactly the same result. So I have taken it a step further, and signed the key myself, as the first witness to the build@yunohost.org signature. I’m surprised to be the first one to do this! Here are my results, when following the instructions on this page.

$ gpg --edit-key build@yunohost.org
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa2048/360AAF3259A3E6FF
     created: 2012-04-17  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa2048/CE7406516D9CFB3A
     created: 2012-04-17  expires: never       usage: E   
[ unknown] (1). YunoHost <build@yunohost.org>

gpg> fpr
pub   rsa2048/360AAF3259A3E6FF 2012-04-17 YunoHost <build@yunohost.org>
 Primary key fingerprint: 1904 C5B4 2E48 56DC D4E9  CF96 360A AF32 59A3 E6FF

gpg> sign

pub  rsa2048/360AAF3259A3E6FF
     created: 2012-04-17  expires: never       usage: SC  
     trust: unknown       validity: unknown
 Primary key fingerprint: 1904 C5B4 2E48 56DC D4E9  CF96 360A AF32 59A3 E6FF

     YunoHost <build@yunohost.org>

Are you sure that you want to sign this key with your
key "Fritt Ro (My GitHub account master key.) <a4mbh6u2@fmds.geek.nz>" (0C6114F7FFF0C8B5)

Really sign? (y/N) y

gpg> quit
Save changes? (y/N) y

$ gpg --edit-key build@yunohost.org
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
pub  rsa2048/360AAF3259A3E6FF
     created: 2012-04-17  expires: never       usage: SC  
     trust: unknown       validity: full
sub  rsa2048/CE7406516D9CFB3A
     created: 2012-04-17  expires: never       usage: E   
[  full  ] (1). YunoHost <build@yunohost.org>

gpg> 

So, the build@yunohost.org signature is now a little more trusted, as I have signed it as well. Let’s try to get more witnesses to sign that key, to build more trust in it?

EDIT: Note how, after I signed it too, the validity of the build@yunohost.org signature changed from unknown to full. That looks a bit better, eh?
