22.1 Legacy Series / [SOLVED]: openssl public key verification = Verification Failure
« on: February 22, 2022, 08:28:10 pm »
Hello
I am able to perform sha256sum on the downloaded bz2-zipped image file and it checks out ok (see below), however when I use the openssl public key verification method it fails the check. I verified that the public keys I downloaded from a few sources were all the same, so with that I can at least have some level of confidence the key is legit.
This verification failure happens no matter if I download from a server in the US or Netherlands (haven't tried others). When I attempt to perform the public key verification of the downloaded image I get "Verification Failure". When it fails a check, the instructions at https://docs.opnsense.org/manual/install.html state "...you may have made an error using the commands, or the image has been compromised."
The details for these instructions state the following:
"Once you have downloaded all the required files and a copy of the public key, and verified that the public key matches the public key from the alternate sources listed above, you can be relatively certain that the key has not been tampered with. To verify the downloaded image, run the following commands (substituting the names in brackets for the files you downloaded):
openssl base64 -d -in <filename>.sig -out /tmp/image.sig
openssl dgst -sha256 -verify <key>.pub -signature /tmp/image.sig <image>.img.bz2
Make sure to change the “img” to “iso” in the second line if you downloaded a different installer type.
If the output of the second command is “Verified OK”, your image was verified successfully, and you can install it. If it has any other output, you may have made an error using the commands, or the image may have been compromised."
Here is the sequence of commands as I entered them in the terminal:
anthony@opensusebox:~/Downloads> ls
OPNsense-22.1-OpenSSL-checksums-amd64.sha256 OPNsense-22.1-OpenSSL-vga-amd64.img.bz2 OPNsense-22.1.pub
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig OPNsense-22.1.pub.sig
anthony@opensusebox:~/Downloads> sha256sum OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
f791e9024888f5f668175a78cbbcd9eb96b36ba523f38d00cad9dd4d64243b4f OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
anthony@opensusebox:~/Downloads> openssl dgst -sha256 -verify OPNsense-22.1.pub -signature OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
Verification Failure
anthony@opensusebox:~/Downloads>
Can anyone point out any mistakes I might have made in the commands above? Is there anything to be concerned about when sha256sum passes, but the public key method does not?
Thank you if you can help.
Regards
Anthony
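The two-step check quoted from the install docs above, as an added example that is not from the post or from the OPNsense project: a POSIX sh script that builds a throwaway RSA key, a constructed image file and a base64-armoured detached signature, then verifies the image both the documented way (decode the .sig first) and with the still-base64 .sig fed straight to -verify, which is what the post's final command does. The key, file names and image contents are all constructed; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example: reproduces the documented decode-then-verify procedure with a
# throwaway key and a constructed image, so the effect of skipping the base64
# decode can be observed. Assumes openssl on PATH; all file names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the release key, the image and its detached .sig.
KEY_PRIV="$WORK/release.key"
KEY_PUB="$WORK/release.pub"
IMAGE="$WORK/image.img.bz2"
SIG_B64="$WORK/image.img.bz2.sig"   # what a mirror serves: base64 text, not raw bytes

setup_fixture() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY_PRIV" 2>/dev/null
  openssl pkey -in "$KEY_PRIV" -pubout -out "$KEY_PUB"
  printf 'constructed image payload\n' > "$IMAGE"
  # Publisher side: raw RSA-SHA256 signature, then base64-armoured for download.
  openssl dgst -sha256 -sign "$KEY_PRIV" -out "$WORK/raw.sig" "$IMAGE"
  openssl base64 -in "$WORK/raw.sig" -out "$SIG_B64"
}

# The documented procedure: decode the armoured .sig to raw bytes, then verify.
# Returns 0 only when openssl reports "Verified OK".
verify_image() {
  pub=$1; sig=$2; image=$3
  openssl base64 -d -in "$sig" -out "$WORK/decoded.sig"
  openssl dgst -sha256 -verify "$pub" -signature "$WORK/decoded.sig" "$image"
}

# The mistake in the post: the base64 text is passed as if it were the raw
# signature, so the check fails even though the image and key are fine.
verify_without_decode() {
  pub=$1; sig=$2; image=$3
  openssl dgst -sha256 -verify "$pub" -signature "$sig" "$image"
}

setup_fixture
echo "decode first:";    verify_image "$KEY_PUB" "$SIG_B64" "$IMAGE"
echo "without decode:";  verify_without_decode "$KEY_PUB" "$SIG_B64" "$IMAGE" || true
```

A matching sha256sum only proves the download equals the published checksum file; only the signature check ties the image to the release key, so a "Verification Failure" caused by the missing decode step should be resolved rather than ignored.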