iso verification

Started by lumilumi, Today at 12:18:47 AM

hi! I'm brand new to this and I was wondering if I could get some help with this part of the instructions on installation --

I'm trying to verify my iso before installing - but I can't get this part of the instructions to work:


https://docs.opnsense.org/manual/install.html#download-and-verification
If the checksums match, continue with the verification commands.

openssl base64 -d -in OPNsense-<filename>.<image>.sig -out /tmp/image.sig
openssl dgst -sha256 -verify OPNsense-<filename>.pub -signature /tmp/image.sig OPNsense-<filename>.<image>


I have changed the file name to actual file name -- but the command says:
cannot verify two files at once


I verified pub key and checksum 256 -- but this part of the commands won't work for me
any tips? i'm very new!
any help greatly appreciated
i'm so new I haven't even sprouted my leaves yet

I think there may be an error in the guide / or at least some unclearness

- needing to nano in a new file .pub -- for the public key
- as well as a bit of unclearness about whether you uncompress before or after checking the checksum 256

I think if you compress after it provides an incorrect checksum
but if you checksum the compressed file it provides the correct checksum256
i'm so new I haven't even sprouted my leaves yet

Let's see what is needed by using the latest 26.1.6 nano as an example. The referenced guide writes:

Quote: OpenSSL is used for image file verification. 4 files are needed for verification process:
  • The SHA-256 checksum file (<filename>.sha256)
  • The bzip-compressed image file (<filename>.<image>.bz2)
  • The signature file for the uncompressed image file (<filename>.<image>.sig)
  • The OpenSSL public key (<filename>.pub)

  • For "The SHA-256 checksum file", "<filename>.sha256" refers to "OPNsense-26.1.6-checksums-amd64.sha256"
  • For "The bzip-compressed image file", "<filename>.<image>.bz2" refers to "OPNsense-26.1.6-nano-amd64.img.bz2"
  • For "The signature file for the uncompressed image file", "<filename>.<image>.sig" refers to "OPNsense-26.1.6-nano-amd64.img.sig"
  • For "The OpenSSL public key", "<filename>.pub" refers to "OPNsense-26.1.pub"

"<filename>" does mean different things here, which can be a bit confusing.

With that the process would be as follows:

  • Verify the *.pub file content by comparing it from two different sources
  • Verify the compressed image: 'openssl sha256 OPNsense-26.1.6-nano-amd64.img.bz2'
  • Convert the signature file to base64: 'openssl base64 -d -in OPNsense-26.1.6-nano-amd64.img.sig -out /tmp/image.sig'
  • Verify the uncompressed image file against its signature and the public key: 'openssl dgst -sha256 -verify OPNsense-26.1.pub -signature /tmp/image.sig OPNsense-26.1.6-nano-amd64.img'

Could you elaborate on which part you found confusing and needs clarification?

Quote: needing to nano in a new file .pub -- for the public key
Not sure what you want to say here.

Quote: as well as a bit of unclearness about whether you uncompress before or after checking the checksum 256

Since "openssl sha256 OPNsense-<filename>.bz2" ends in "bz2" you can be sure that for the sha256 checksum the compressed file is needed. And later it then mentions in the warning "Make sure to unpack the image using bunzip2 before verifying". So checksum => compressed image, verification => uncompressed image.
Deciso DEC740
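
The steps from the reply above as one script, as an added example that is not part of the original posts or the OPNsense documentation. It builds a constructed image signed with a throwaway key so it runs offline; `verify_image`, `make_sample` and the `demo.*` file names are hypothetical, and the checksum file is assumed to contain the hex digest somewhere on a line.

```shell
#!/bin/sh
# Added example: constructed files and a throwaway key, not real OPNsense artifacts.

# verify_image CHECKSUMS IMAGE_BZ2 SIG_B64 PUBKEY   (hypothetical helper)
# Succeeds only if the compressed file's SHA-256 is listed in CHECKSUMS
# and the uncompressed image verifies against the signature and public key.
verify_image() {
    sums=$1 bz2=$2 sig=$3 pub=$4
    tmp=$(mktemp -d) || return 2

    # Step 1: the checksum is taken over the COMPRESSED (.bz2) file.
    digest=$(openssl dgst -sha256 -r "$bz2" | cut -d' ' -f1)
    if [ -z "$digest" ] || ! grep -qiF "$digest" "$sums"; then
        echo "checksum mismatch for $bz2" >&2; rm -rf "$tmp"; return 1
    fi

    # Step 2: unpack; the signature covers the UNCOMPRESSED image.
    bzip2 -dc "$bz2" > "$tmp/image" || { rm -rf "$tmp"; return 2; }

    # Step 3: the .sig file is base64 text; decode it to the raw signature.
    openssl base64 -d -in "$sig" -out "$tmp/image.sig" || { rm -rf "$tmp"; return 2; }

    # Step 4: public key, decoded signature, then the uncompressed image.
    rc=0
    openssl dgst -sha256 -verify "$pub" -signature "$tmp/image.sig" "$tmp/image" >/dev/null 2>&1 || rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ]
}

# make_sample DIR: build a constructed "release" signed with a throwaway RSA key.
make_sample() {
    d=$1
    openssl genrsa -out "$d/demo.key" 2048 2>/dev/null
    openssl rsa -in "$d/demo.key" -pubout -out "$d/demo.pub" 2>/dev/null
    printf 'constructed image contents\n' > "$d/demo.img"
    openssl dgst -sha256 -sign "$d/demo.key" -out "$d/raw.sig" "$d/demo.img"
    openssl base64 -in "$d/raw.sig" -out "$d/demo.img.sig"
    bzip2 -k "$d/demo.img"                                  # keeps demo.img
    openssl dgst -sha256 -r "$d/demo.img.bz2" > "$d/demo.sha256"
}

work=$(mktemp -d)
make_sample "$work"
verify_image "$work/demo.sha256" "$work/demo.img.bz2" "$work/demo.img.sig" "$work/demo.pub" \
    && echo "demo image verified"
```

With real downloads, the four arguments would be the checksum file, the `.img.bz2`, the `.img.sig` and the `.pub` file named in the reply above.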

thank you!
i'm so new I haven't even sprouted my leaves yet