Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
22.1 Legacy Series
»
[SOLVED]: openssl public key verification = Verification Failure
« previous
next »
Print
Pages: [
1
]
Author
Topic: [SOLVED]: openssl public key verification = Verification Failure (Read 3060 times)
antonym
Newbie
Posts: 8
Karma: 1
[SOLVED]: openssl public key verification = Verification Failure
«
on:
February 22, 2022, 08:28:10 pm »
Hello
I am able to perform sha256sum on the downloaded bz2-zipped image file and it checks out ok (see below), however when I use the openssl public key verification method it fails the check. I verified the public key I downloaded from a few sources were all the same, so with that I can at least have some level of confidence the key is legit:
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1o1Bk31AcX5xsqgVAoWQ
1fTDznz22ojsK+qCkhW7MKSWlCyEZYEueUtq7hOt/gqttc3qT0WgHjhjI/WE2RQ4
53yfSw/2DDdt3v2WRoupaMzu2Px6I0A+dzo/DM0UWHHsjUaa1HnTvrC14W2vy9wY
rdotDpp6vSA3WoBmpz+6cpAOlOMTboJouaZy2gSAAcFUmnmP6KDE+lQEqudENTpr
wb/tIILTE3s6HMBrnmyTNz3Oyy77qH0Xq4mU0r+GS3If0LN+zIr3evt/hhS80otG
4WA2ifFeoZVUC//ArAqRiuOJKWvDe5455W1tOuoLkVKVwWMUd1YjaLq8/SRNtTVT
jRWO6znUHJa7LKtwY7SJvJ8bl8kR8QnrEBRLqT3IA+FcRH+8RaeCivPV7oS1tMiV
7hUmu4yXkiMU9c/RrUj7UGZfPKa6K1yP2p3pRvHwCpMclhlVdaiAGNQ8X1GmUAmg
3hsoay1ximpj0Yzs+ynDdT1WPkjx8+mDWI08qTuVX+KN3xiohzjxUyD6kBbw2N4z
EkKTu36KLxo+Hs2iHh4iPWV+EZ5pBn/BseUeHha+V76xM/fPU3H2htwF6/lAz3KH
J6cevsMenCaYBAqpUsQMBjxhDgMmpCcjiZRPijFpe5zsNSUD1NJ8QMpecBZCE6Vt
YHWiWxZTN13z4mPqA4uebakCAwEAAQ==
-----END PUBLIC KEY-----
This verification failure happens no mater if I download from a server in the US or Netherlands (haven't tried others). When I attempt to perform the public key verification of the downloaded image I get "Verification Failure". When it fails a check, the instructions at
https://docs.opnsense.org/manual/install.html
state "...you may have made an error using the commands, or the image has been compromised."
The details for these instructions state the following:
"Once you have downloaded all the required files and a copy of the public key, and verified that the public key matches the public key from the alternate sources listed above, you can be relatively certain that the key has not been tampered with. To verify the downloaded image, run the following commands (substituting the names in brackets for the files you downloaded):
openssl base64 -d -in <filename>.sig -out /tmp/image.sig
openssl dgst -sha256 -verify <key>.pub -signature /tmp/image.sig <image>.img.bz2
Make sure to change the “img” to “iso” in the second line if you downloaded a different installer type.
If the output of the second command is “Verified OK”, your image was verified successfully, and you can install it. If it has any other output, you may have made an error using the commands, or the image may have been compromised."
Here are the sequence of commands as I entered them in the terminal:
anthony@opensusebox:~/Downloads> ls
OPNsense-22.1-OpenSSL-checksums-amd64.sha256 OPNsense-22.1-OpenSSL-vga-amd64.img.bz2 OPNsense-22.1.pub
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig OPNsense-22.1.pub.sig
anthony@opensusebox:~/Downloads> sha256sum OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
f791e9024888f5f668175a78cbbcd9eb96b36ba523f38d00cad9dd4d64243b4f OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
anthony@opensusebox:~/Downloads> openssl dgst -sha256 -verify OPNsense-22.1.pub -signature OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
Verification Failure
anthony@opensusebox:~/Downloads>
Can anyone point out any mistakes I might have made in the commands above? Is there anything to be concerned about when sha256sum passes, but the public key method does not?
Thank you if you can help.
Regards
Anthony
«
Last Edit: February 23, 2022, 12:09:54 am by antonym
»
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: openssl public key verification = Verification Failure
«
Reply #1 on:
February 22, 2022, 08:46:20 pm »
Hi Anthony,
.sig files are base64 encoded for portability reasons (be able to copy + paste them) so you do need to change them to binary signatures using the stated command:
openssl base64 -d -in <filename>.sig -out /tmp/image.sig
And then use /tmp/image.sig instead of OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig in the subsequent command for openssl dgst.
Cheers,
Franco
Logged
antonym
Newbie
Posts: 8
Karma: 1
Re: openssl public key verification = Verification Failure
«
Reply #2 on:
February 22, 2022, 09:17:57 pm »
Thank you Franco. I mis-interpreted the instructions and didn't apply the converson step. I appreciate you clarifying this important piece of the puzzle. I'll attempt this again later (stepping out now) and report back here...
Best regards
Anthony
Logged
antonym
Newbie
Posts: 8
Karma: 1
[SOLVED]: openssl public key verification = Verification Failure
«
Reply #3 on:
February 23, 2022, 12:08:19 am »
Thanks to Franco pointing out what I was missing, I was able to correct my steps and get back on track with successful results. Here were the command line steps I used to verify the download by using sha256 and openssl.
1. Download all files directly (my download folder is Downloads). In my case, I downloaded the files from
https://mirrors.nycbug.org/pub/opnsense/releases/mirror/
. The README file contains the public key (one of a few that I checked from different sources, and they all matched):
https://mirrors.nycbug.org/pub/opnsense/releases/mirror/README
2. The written instructions for verifying the image file are found at
https://docs.opnsense.org/manual/install.html
3. Then from within the terminal enter the following commands in the sequence listed.
anthony@opensusebox:~> cd Downloads
anthony@opensusebox:~/Downloads> ls
OPNsense-22.1-OpenSSL-checksums-amd64.sha256
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig
OPNsense-22.1.pub
OPNsense-22.1.pub.sig
anthony@opensusebox:~/Downloads> sha256sum OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
f791e9024888f5f668175a78cbbcd9eb96b36ba523f38d00cad9dd4d64243b4f OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
anthony@opensusebox:~/Downloads> openssl base64 -d -in OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig -out sha256conversion.byme.sig
anthony@opensusebox:~/Downloads> ls
OPNsense-22.1-OpenSSL-checksums-amd64.sha256
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
OPNsense-22.1.pub
sha256conversion.byme.sig
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig
OPNsense-22.1.pub.sig
anthony@opensusebox:~/Downloads> openssl dgst -sha256 -verify OPNsense-22.1.pub -signature sha256conversion.byme.sig OPNsense-22.1-OpenSSL-checksums-amd64.sha256
Verified OK
anthony@opensusebox:~/Downloads> openssl base64 -d -in OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig -out image.sig
anthony@opensusebox:~/Downloads> ls
image.sig
OPNsense-22.1-OpenSSL-checksums-amd64.sha256.sig
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2.sig
OPNsense-22.1.pub.sig
OPNsense-22.1-OpenSSL-checksums-amd64.sha256
OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
OPNsense-22.1.pub
sha256conversion.byme.sig
anthony@opensusebox:~/Downloads> openssl dgst -sha256 -verify OPNsense-22.1.pub -signature image.sig OPNsense-22.1-OpenSSL-vga-amd64.img.bz2
Verified OK
anthony@opensusebox:~/Downloads>
Done. Then off to creating the bootable USB according to instructions at
https://opnsense.org/users/get-started/
--------
Anthony
«
Last Edit: February 23, 2022, 06:18:02 pm by antonym
»
Logged
fermulator
Newbie
Posts: 1
Karma: 0
Re: [SOLVED]: openssl public key verification = Verification Failure
«
Reply #4 on:
April 09, 2022, 01:56:42 am »
Shall we request to update/fix the documentation?
https://docs.opnsense.org/manual/install.html#download-and-verification
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: [SOLVED]: openssl public key verification = Verification Failure
«
Reply #5 on:
April 11, 2022, 09:06:50 am »
The instructions are correct.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
22.1 Legacy Series
»
[SOLVED]: openssl public key verification = Verification Failure