Image verification error

[fbantgat7]

Not sure what I'm doing wrong:

Code: [Select]

$ openssl version
OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)

$ openssl base64 -d -in OPNsense-24.1-checksums-amd64.sha256.sig -out /tmp/image.sig

$ openssl dgst -sha256 -verify OPNsense-24.1.pub -signature /tmp/image.sig OPNsense-24.1-checksums-amd64.sha256
Verified OK

$ sha256sum -c OPNsense-24.1-checksums-amd64.sha256
sha256sum: OPNsense-24.1-dvd-amd64.iso.bz2: No such file or directory
OPNsense-24.1-dvd-amd64.iso.bz2: FAILED open or read
sha256sum: OPNsense-24.1-nano-amd64.img.bz2: No such file or directory
OPNsense-24.1-nano-amd64.img.bz2: FAILED open or read
OPNsense-24.1-serial-amd64.img.bz2: OK
sha256sum: OPNsense-24.1-vga-amd64.img.bz2: No such file or directory
OPNsense-24.1-vga-amd64.img.bz2: FAILED open or read
sha256sum: WARNING: 3 listed files could not be read

$ openssl base64 -d -in OPNsense-24.1-serial-amd64.img.sig -out /tmp/image.sig

$ openssl dgst -sha256 -verify OPNsense-24.1.pub -signature /tmp/image.sig OPNsense-24.1-serial-amd64.img.bz2
Verification failure
40B71F91A37F0000:error:02000068:rsa routines:ossl_rsa_verify:bad signature:../openssl-3.0.12/crypto/rsa/rsa_sign.c:430:
40B71F91A37F0000:error:1C880004:Provider routines:rsa_verify:RSA lib:../openssl-3.0.12/providers/implementations/signature/rsa_sig.c:774:
I tried different mirrors, but get the same result.

[Patrick M. Hausen]

You downloaded the serial image and it verified ok. The other images are not present in your current directory.

[franco]

The signature is for the uncompressed images now due to popular demand. So you can check the checksum of the archived file and the resulting file with the signature... notice the differing file extensions


Cheers,
Franco

[fbantgat7]

Thanks, the decompressed image verifies OK. 

Code: [Select]

$ openssl dgst -sha256 -verify OPNsense-24.1.pub -signature /tmp/image.sig OPNsense-24.1-serial-amd64.img
Verified OK
However the manual still mentions the .bz2 image.

[franco]

I know, I know.


Cheers,
Franco

[rkubes]

Thanks, the decompressed image verifies OK. 

Code: [Select]

$ openssl dgst -sha256 -verify OPNsense-24.1.pub -signature /tmp/image.sig OPNsense-24.1-serial-amd64.img
Verified OK
However the manual still mentions the .bz2 image.

If bash is available, a shortcut to avoid decompressing the image to disk is to use process substitution to decompress the image as it's read into openssl. This is useful if you're just looking to archive the image files for backup/DR purposes, without wanting to take up the disk space of decompressing them ahead of time.

The following snippet assumes the variable $sig is the filename to the ".sig" file and likewise that $pub is the filename of the ".pub" file. Other shells may have similar functionality.

Code: [Select]

$ openssl base64 -d -in ${sig} -out - | \
    openssl dgst -sha256 -verify $pub -signature /dev/stdin <(bzip2 -cdv ${sig::-4}.bz2)

The above snippet is from a more complete script I wrote that automates checking the checksums and signatures of all the release files after I download them to a folder. I just run the script from within that download directory. It assumes you've already manually verified the primary ".pub" key for that release. I'm sure it's not ideal, but I'll post it below in case it's useful to anyone. I just updated it to be able to handle whether the ".sig" files are for the compressed or uncompressed image (so long as that compression is bz2).

Code: [Select]

#!/bin/bash
sha256sum -c ./OPNsense*.sha256
for pub in ./*.pub
do
    for sig in ${pub::-4}*.sig
    do
        echo "Verifying signature: $sig"
        if [ -f ${sig::-4} ]
        then
            openssl base64 -d -in ${sig} -out - | \
                openssl dgst -sha256 -verify $pub -signature /dev/stdin ${sig::-4}
        elif [ -f ${sig::-4}.bz2 ]
        then
            echo "File is compressed with bzip, will decompress in pipe..."
            openssl base64 -d -in ${sig} -out - | \
                openssl dgst -sha256 -verify $pub -signature /dev/stdin <(bzip2 -cdv ${sig::-4}.bz2)
        else
            echo "Error: Could not find source file to compare..."
        fi
    done
done



[franco]

@rkubes nice trick, thanks!

I adjust the docs: https://github.com/opnsense/docs/commit/6950921b