verify-keys.md 7.02 KB
Newer Older
1 2 3 4 5 6 7
---
title: 'Hash and Key Verification'
taxonomy:
    category:
        - docs
visible: true
---
disrupttheflow's avatar
disrupttheflow committed
8 9
# Key verification

10
## Why should anyone verify keys and signatures?
disrupttheflow's avatar
disrupttheflow committed
11 12 13 14 15 16 17

Most people — even programmers — are confused about the basic concepts underlying digital signatures. Therefore, most people should read this section, even if it looks trivial at first sight.

Digital signatures can prove both authenticity and integrity to a reasonable degree of certainty. Authenticity ensures that a given file was indeed created by the person who signed it (i.e., that it was not forged by a third party). Integrity ensures that the contents of the file have not been tampered with (i.e., that a third party has not undetectably altered its contents en route).

Digital signatures cannot prove any other property, e.g., that the signed file is not malicious. In fact, there is nothing that could stop someone from signing a malicious program (and it happens from time to time in reality).

18
The point is that we must decide who we will trust (e.g., Linus Torvalds, Microsoft, or the Parrot Project) and assume that if a given file was signed by a trusted party, then it should not be malicious or negligently buggy. The decision of whether to trust any given party is beyond the scope of digital signatures. It’s more of a sociological and political decision.
disrupttheflow's avatar
disrupttheflow committed
19 20 21 22 23

Once we make the decision to trust certain parties, digital signatures are useful, because they make it possible for us to limit our trust only to those few parties we choose and not to worry about all the bad things that can happen between us and them, e.g., server compromises (parrotsec.org will surely be compromised one day, so don’t blindly trust the live version of this site), dishonest IT staff at the hosting company, dishonest staff at the ISPs, Wi-Fi attacks, etc.

By verifying all the files we download that purport to be authored by a party we’ve chosen to trust, we eliminate concerns about the bad things discussed above, since we can easily detect whether any files have been tampered with (and subsequently choose to refrain from executing, installing, or opening them).

24
However, for digital signatures to make any sense, we must ensure that the public keys we use for signature verification are indeed the original ones. Anybody can generate a GPG key pair that purports to belong to the “Parrot OS” but of course only the key pair that we (i.e., the Parrot Team) generated is the legitimate one. The next section explains how to verify the validity of the ParrotOS signing keys in the process of verifying a ParrotOS ISO. (However, the same general principles apply to all cases in which you may wish to verify a PGP signature, such as verifying repositories, not just ISOs.)
disrupttheflow's avatar
disrupttheflow committed
25 26 27 28




29
## Fetch the key - Verify the repositories
disrupttheflow's avatar
disrupttheflow committed
30

31
Optional: Complete the steps below if unfamiliar with GnuPG or if they haven't already been performed. This will fix eventual GPG: WARNING: unsafe ownership warnings. 
disrupttheflow's avatar
disrupttheflow committed
32 33
1 .First have GnuPG initialize your user data folder.
```bash
34
    [user@parrot ~]$ gpg --fingerprint
disrupttheflow's avatar
disrupttheflow committed
35 36
```

disrupttheflow's avatar
disrupttheflow committed
37
2. Set warning free permissions.
disrupttheflow's avatar
disrupttheflow committed
38
```bash
39
    [user@parrot ~]$ chmod --recursive og-rwx ~/.gnupg
disrupttheflow's avatar
disrupttheflow committed
40 41
```

42
3. Get the ParrotOS key.
disrupttheflow's avatar
disrupttheflow committed
43
```bash
44
    wget -q -O - https://deb.parrotsec.org/parrot/misc/parrotsec.gpg | gpg --import
disrupttheflow's avatar
disrupttheflow committed
45 46 47
```
or
```bash 
48 49 50
    [user@parrot ~]$ gpg --keyserver hkp://keys.gnupg.net --recv-key 3B3EAB807D70721BA9C03E55C7B39D0362972489
    [user@parrot ~]$ gpg --list-keys --with-fingerprint 3B3EAB807D70721BA9C03E55C7B39D0362972489 
    [user@parrot ~]$ gpg --export --armor 3B3EAB807D70721BA9C03E55C7B39D0362972489 > parrot-key.asc
disrupttheflow's avatar
disrupttheflow committed
51 52 53 54
```

4. Check fingerprints/owners without actually importing anything.
```bash
55
    [user@parrot ~]$ gpg --keyid-format long --with-fingerprint parrot-key.asc
disrupttheflow's avatar
disrupttheflow committed
56 57 58 59 60 61 62 63 64 65 66 67
```
5. Verify the output.
The output should be identical to the following.
```bash
    pub   rsa4096/C7B39D0362972489 2017-02-13 [SC]
    Key fingerprint = 3B3E AB80 7D70 721B A9C0  3E55 C7B3 9D03 6297 2489
    uid                           Parrot Project <team@parrotsec.org>
    sub   rsa4096/ED05F7B2EC3C9224 2017-07-03 [S]
```

6. Import the key.
```bash 
68
    [user@parrot ~]$ gpg --import parrot-key.asc
disrupttheflow's avatar
disrupttheflow committed
69 70 71 72 73 74 75 76 77 78 79 80 81 82 83
```
You should see something similar to this in the output:
```bash
    gpg: Total number processed: 1
    gpg: imported: 1  (RSA: 1)
```
If the key was already imported,the output should be similar to this:
```bash 
gpg: Total number processed: 1
gpg: unchanged: 1
```
If this appears at the end of the output:
```bash 
    gpg: no ultimately trusted keys found
```
84
Analyze the other messages as usual. This extra message does not relate to the ParrotOS signing key itself, but instead usually means the user has not created an OpenPGP key yet, which is of no importance.
disrupttheflow's avatar
disrupttheflow committed
85

86
### Warning
disrupttheflow's avatar
disrupttheflow committed
87 88 89 90
	
Checking the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2018 and now see a signature from 2017, then this might be a targeted rollback (downgrade) or indefinite [freeze attack](https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md). 

The first line includes the signature creation timestamp. Example. 
disrupttheflow's avatar
disrupttheflow committed
91
##ISO verification 
disrupttheflow's avatar
disrupttheflow committed
92 93 94 95 96

### MD5Sum hash verification

#### GNU/Linux

disrupttheflow's avatar
disrupttheflow committed
97
1. After you obtained the ISO of your choice go here https://cdimage.parrotsec.org/parrot/iso/4.6/signed-hashes.txt to see the signed hashes.
disrupttheflow's avatar
disrupttheflow committed
98 99 100
2. On the first section where it says "MD5" find the hash that matches your downloaded IASO.For the purpose of this tutorial we will use "Parrot-home-4.5.1_amd64.iso".
3. Now run the following command.
```bash 
disrupttheflow's avatar
disrupttheflow committed
101
md5sum Parrot-home-4.6_amd64.iso
disrupttheflow's avatar
disrupttheflow committed
102 103 104
```
4. The above command should generate an outut like this
```bash
disrupttheflow's avatar
disrupttheflow committed
105
e5390f46ce916d7a027e6e4a25035698 
disrupttheflow's avatar
disrupttheflow committed
106 107 108
```
5. Compare the hash (the alphanumeric string on left) that your machine calculated with the corresponding hash on the page from Step 1.

109
An easy way to do this is to open the page from Step 1 in your browser, then copy the hash your machine calculated from the terminal into the "Find" box in your browser (in Firefox you can open the "Find" box by pressing <Ctrl> <F>).
disrupttheflow's avatar
disrupttheflow committed
110 111 112 113 114 115 116

When both hashes match exactly then the downloaded file is almost certainly intact. If the hashes do not match, then there was a problem with either the download or a problem with the server. You should download the file again from either the same mirror, or from a different mirror if you suspect a server error. If you continuously receive an erroneous file from a server, please be kind and notify the webmaster of that mirror so they can investigate the issue. 

### Other hashes

The method for other hashes such as SHA256 or SHA512 is exactly the same with the above guides only instead of md5 you must use the proper hash you want.For example.
```bash
disrupttheflow's avatar
disrupttheflow committed
117
sha512sum Parrot-home-4.6_amd64.iso
disrupttheflow's avatar
disrupttheflow committed
118 119 120
```
which will generate this
```bash
disrupttheflow's avatar
disrupttheflow committed
121
ef4042653ae599001b59ab8efc12648d7c63de64397b2c6848881adc52594b8e92bab0f9b22d81d81650bf1299faabf4d279b14fdfc8bb993335236adf571b27
122 123 124
```
&nbsp;

125
[Using Parrot](https://www.parrotsec.org/docs/info/start/) | [Troubleshooting](https://www.parrotsec.org/docs/trbl/start/) | [Linux Beginner Guide](https://www.parrotsec.org/docs/library/lbg-basics/) | [Home](https://www.parrotsec.org/docs/)