OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: antonym on February 22, 2022, 08:28:10 pm

Title: [SOLVED]: openssl public key verification = Verification Failure
Post by: antonym on February 22, 2022, 08:28:10 pm
Hello

I am able to perform sha256sum on the downloaded bz2-zipped image file and it checks out ok (see below), however when I use the openssl public key verification method it fails the check. I verified that the public key I downloaded from a few sources was the same, so with that I can at least have some level of confidence the key is legit:
-----BEGIN PUBLIC KEY-----[...]-----END PUBLIC KEY-----

This verification failure happens no matter if I download from a server in the US or Netherlands (haven't tried others). When I attempt to perform the public key verification of the downloaded image I get "Verification Failure". When it fails a check, the instructions at https://docs.opnsense.org/manual/install.html state "...you may have made an error using the commands, or the image has been compromised."

The details for these instructions state the following:
"Once you have downloaded all the required files and a copy of the public key, and verified that the public key matches the public key from the alternate sources listed above, you can be relatively certain that the key has not been tampered with. To verify the downloaded image, run the following commands (substituting the names in brackets for the files you downloaded):

openssl base64 -d -in <filename>.sig -out /tmp/image.sig

openssl dgst -sha256 -verify <key>.pub -signature /tmp/image.sig <image>.img.bz2

Make sure to change the “img” to “iso” in the second line if you downloaded a different installer type.

If the output of the second command is “Verified OK”, your image was verified successfully, and you can install it. If it has any other output, you may have made an error using the commands, or the image may have been compromised."


Here is the sequence of commands as I entered them in the terminal:

anthony@opensusebox:~/Downloads> ls
OPNsense-22.1-OpenSSL-checksums-amd64.sha256      OPNsense-22.1-OpenSSL-vga-amd64.img.bz2      OPNsense-22.1.pub     
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig  OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig  OPNsense-22.1.pub.sig

anthony@opensusebox:~/Downloads> sha256sum OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
f791e9024888f5f668175a78cbbcd9eb96b36ba523f38d00cad9dd4d64243b4f  OPNsense-22.1-OpenSSL-vga-amd64.img.bz2

anthony@opensusebox:~/Downloads> openssl dgst -sha256 -verify OPNsense-22.1.pub -signature OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
Verification Failure

anthony@opensusebox:~/Downloads>

Can anyone point out any mistakes I might have made in the commands above? Is there anything to be concerned about when sha256sum passes, but the public key method does not?

Thank you if you can help.


Regards
Anthony


Title: Re: openssl public key verification = Verification Failure
Post by: franco on February 22, 2022, 08:46:20 pm
Hi Anthony,

.sig files are base64 encoded for portability reasons (be able to copy + paste them) so you do need to change them to binary signatures using the stated command:

openssl base64 -d -in <filename>.sig -out /tmp/image.sig

And then use /tmp/image.sig instead of OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig in the subsequent command for openssl dgst.


Cheers,
Franco
Title: Re: openssl public key verification = Verification Failure
Post by: antonym on February 22, 2022, 09:17:57 pm
Thank you Franco. I misinterpreted the instructions and didn't apply the conversion step. I appreciate you clarifying this important piece of the puzzle. I'll attempt this again later (stepping out now) and report back here...

Best regards
Anthony
Title: [SOLVED]: openssl public key verification = Verification Failure
Post by: antonym on February 23, 2022, 12:08:19 am
Thanks to Franco pointing out what I was missing, I was able to correct my steps and get back on track with successful results. Here are the command-line steps I used to verify the download using sha256 and openssl.

1.  Download all files directly (my download folder is Downloads). In my case, I downloaded the files from https://mirrors.nycbug.org/pub/opnsense/releases/mirror/ .  The README file contains the public key (one of a few that I checked from different sources, and they all matched): https://mirrors.nycbug.org/pub/opnsense/releases/mirror/README

2.  The written instructions for verifying the image file are found at https://docs.opnsense.org/manual/install.html

3. Then from within the terminal enter the following commands in the sequence listed.

anthony@opensusebox:~> cd Downloads

anthony@opensusebox:~/Downloads> ls
OPNsense-22.1-OpenSSL-checksums-amd64.sha256
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig
OPNsense-22.1.pub
OPNsense-22.1.pub.sig

anthony@opensusebox:~/Downloads> sha256sum OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
f791e9024888f5f668175a78cbbcd9eb96b36ba523f38d00cad9dd4d64243b4f  OPNsense-22.1-OpenSSL-vga-amd64.img.bz2

anthony@opensusebox:~/Downloads> openssl base64 -d -in OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig  -out sha256conversion.byme.sig

anthony@opensusebox:~/Downloads> ls
OPNsense-22.1-OpenSSL-checksums-amd64.sha256     
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2     
OPNsense-22.1.pub     
sha256conversion.byme.sig
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig 
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig 
OPNsense-22.1.pub.sig

anthony@opensusebox:~/Downloads> openssl dgst -sha256 -verify OPNsense-22.1.pub -signature sha256conversion.byme.sig OPNsense-22.1-OpenSSL-checksums-amd64.sha256
Verified OK

anthony@opensusebox:~/Downloads> openssl base64 -d -in OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig  -out image.sig

anthony@opensusebox:~/Downloads> ls
image.sig
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig 
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig 
OPNsense-22.1.pub.sig
OPNsense-22.1-OpenSSL-checksums-amd64.sha256 
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2           
OPNsense-22.1.pub
sha256conversion.byme.sig

anthony@opensusebox:~/Downloads> openssl dgst -sha256 -verify OPNsense-22.1.pub -signature image.sig OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
Verified OK
anthony@opensusebox:~/Downloads>

Done. Then off to creating the bootable USB according to instructions at https://opnsense.org/users/get-started/

 :)

--------
Anthony

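The two outcomes in this thread (franco's point that the .sig is base64 text that must be decoded first, and Anthony's corrected procedure above) can be reproduced offline with a throwaway key. This is an added example and not code from the thread or from the OPNsense project: it generates its own RSA key pair, signs a constructed stand-in for the image, base64-encodes that signature the way the release .sig files are laid out, and then runs the documented two-step check both with and without the decode step, plus once against a deliberately modified copy of the file. All file names (`image.img.bz2`, `key.pub`, `tampered.img.bz2`) are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: reproduces the two
# outcomes discussed above with a throwaway RSA key and a constructed "image".
# Every file name here is made up; the real release files are not involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the fixtures once: a constructed image, a throwaway key pair, and a
# base64-encoded .sig laid out the way franco describes (portable, pasteable).
make_fixture() {
  if [ -f "$WORK/key.pem" ]; then return 0; fi
  printf 'constructed image bytes, not a real installer\n' > "$WORK/image.img.bz2"
  openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
  openssl rsa -in "$WORK/key.pem" -pubout -out "$WORK/key.pub" 2>/dev/null
  openssl dgst -sha256 -sign "$WORK/key.pem" -out "$WORK/raw.sig" "$WORK/image.img.bz2"
  openssl base64 -in "$WORK/raw.sig" -out "$WORK/image.img.bz2.sig"
}

# verify_image PUBKEY SIG IMAGE: the documented two-step check. Decodes the
# base64 .sig to raw bytes first, then verifies the SHA-256 signature. Prints
# a verdict and returns 0 only when openssl reports the signature as valid.
verify_image() {
  pub=$1; sig=$2; img=$3
  raw=$(mktemp)
  openssl base64 -d -in "$sig" -out "$raw"
  if openssl dgst -sha256 -verify "$pub" -signature "$raw" "$img" >/dev/null 2>&1; then
    rm -f "$raw"; echo "Verified OK"; return 0
  fi
  rm -f "$raw"; echo "Verification Failure"; return 1
}

# verify_image_skipping_decode: the first post's mistake, the still-base64 .sig
# handed straight to dgst. openssl sees text, not signature bytes, and fails.
verify_image_skipping_decode() {
  if openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1; then
    echo "Verified OK"; return 0
  fi
  echo "Verification Failure"; return 1
}

# Demo when run directly: the three cases a practitioner wants to see.
make_fixture
echo "base64 .sig passed straight to dgst: $(verify_image_skipping_decode "$WORK/key.pub" "$WORK/image.img.bz2.sig" "$WORK/image.img.bz2" || true)"
echo "after openssl base64 -d:             $(verify_image "$WORK/key.pub" "$WORK/image.img.bz2.sig" "$WORK/image.img.bz2")"
cp "$WORK/image.img.bz2" "$WORK/tampered.img.bz2"; printf 'x' >> "$WORK/tampered.img.bz2"
echo "tampered image, correct procedure:   $(verify_image "$WORK/key.pub" "$WORK/image.img.bz2.sig" "$WORK/tampered.img.bz2" || true)"
```

The decode-skipping case fails for a mundane reason, not a security one: `openssl dgst -verify` reads the `-signature` file as raw bytes, and base64 text is neither the right length nor the right content for an RSA signature. The third case is the one the signature check exists for: `sha256sum` only matches the image against a checksum file fetched from the same place, whereas the signature ties the file to the OPNsense key, which is why the final post above verifies the `.sha256` file's own signature as well.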
Title: Re: [SOLVED]: openssl public key verification = Verification Failure
Post by: fermulator on April 09, 2022, 01:56:42 am
Shall we request to update/fix the documentation?
https://docs.opnsense.org/manual/install.html#download-and-verification
Title: Re: [SOLVED]: openssl public key verification = Verification Failure
Post by: franco on April 11, 2022, 09:06:50 am
The instructions are correct.


Cheers,
Franco