Verifying DVDs
How to Verify a Raptor Computing Systems Source DVD
Raptor Computing Systems signs its source DVD images with a publicly available GPG key (depending on the release, the Sales Team key or a Firmware Signer key; see below). Verifying the DVD contents is strongly recommended, to make sure that the software and information you received is an authentic copy.
Shipments of Talos II systems include both the source DVD and a letter with a QR code. The QR code contains the 40-character PGP key fingerprint of Raptor's primary signing key (the Umbrella Signer, which certifies the per-release keys that actually sign the firmware and the ISO) and a link to where the detached digital signature can be found. For more information on verifying the key itself, see: The Chain Of Trust. You will need a copy of the signature file along with an ISO image extracted from the DVD to verify the authenticity of the source DVD and the firmware.
Extracting an ISO image from the DVD can be accomplished with the following commands, substituting your DVD drive's device node for /dev/sr0. Insert the source DVD into the drive before beginning.
isoinfo -d -i /dev/sr0 | grep -E "block size|Volume size"
Look for the "Logical block size is:" and "Volume size is:" values, then create the ISO image using dd. Copy exactly that many blocks: reading the whole device can append lead-out padding that the signature does not cover, so the signature check would fail even on a genuine disc:
dd if=/dev/sr0 of=source.iso bs=<block size> count=<volume size>
Once created, you may verify the ISO with GPG:
gpg --verify <GPG signature file> source.iso
To verify without saving the ISO (bash process substitution):
gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)
E.g.
gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)
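The steps above, as an added example that is not part of the original page or of Raptor's tooling: a small POSIX shell script that takes the block geometry from isoinfo, dumps exactly that many blocks, checks the image size, and then reads gpg's machine-readable status lines (--status-fd) instead of grepping the human-readable text, so "BADSIG", "No public key" and a good signature from the wrong key are all treated as failures. The device node, the signature file name, the status=none option (GNU dd) and SIGNER_FPR (the fingerprint of the per-release key you expect, which you tie back to the letter by the chain check described further down this page) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Raptor page: dump a source DVD and verify its
# detached signature using gpg's status output. Assumptions (adjust to your
# system): /dev/sr0 is the drive, GNU dd (for status=none), SIGNER_FPR holds
# the fingerprint of the key the ISO should be signed with.

# Canonicalise a fingerprint for comparison: drop spaces, upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Read `isoinfo -d -i <dev>` output on stdin; print "<block size> <volume size>".
# isoinfo prints "Logical block size is: 2048" and "Volume size is: N".
iso_geometry() {
    awk '
        /^Logical block size is:/ { bs  = $NF }
        /^Volume size is:/        { vol = $NF }
        END { if (bs == "" || vol == "") exit 1; print bs, vol }'
}

# Dump the DVD to $2 and check that the image is exactly bs*count bytes.
dump_iso() {
    dev=$1; out=$2
    geom=$(isoinfo -d -i "$dev" | iso_geometry) || return 1
    bs=${geom% *}; count=${geom#* }
    dd if="$dev" of="$out" bs="$bs" count="$count" status=none || return 1
    actual=$(wc -c < "$out" | tr -d ' ')
    [ "$actual" -eq $((bs * count)) ]
}

# Read `gpg --status-fd 1 --verify` output on stdin. Succeed only if a
# VALIDSIG line is present (gpg emits it solely for good signatures) and the
# signing key (field 3) or its primary key (last field, when a signing subkey
# was used) has the expected fingerprint $1. BADSIG, ERRSIG and a missing
# public key never produce VALIDSIG, so they fail here without text parsing.
status_is_valid_from() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Verify a saved image: $1 = detached signature, $2 = ISO, $3 = expected fpr.
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_is_valid_from "$3"
}

# Verify straight off the drive without saving: gpg reads the signed data
# from stdin when the data argument is "-", so bash-only <( ) is not needed.
verify_dvd_direct() {
    dev=$1; sig=$2
    geom=$(isoinfo -d -i "$dev" | iso_geometry) || return 1
    dd if="$dev" bs="${geom% *}" count="${geom#* }" status=none \
        | gpg --status-fd 1 --verify "$sig" - 2>/dev/null \
        | status_is_valid_from "$3"
}

# Usage: only runs when explicitly requested, e.g. RAPTOR_VERIFY=1 ./verify.sh
if [ "${RAPTOR_VERIFY:-0}" = 1 ]; then
    dump_iso /dev/sr0 source.iso \
        && verify_iso talos_recovery_disk_v1.03.iso.asc source.iso \
                      "${SIGNER_FPR:?set to the expected signing key fingerprint}" \
        && echo "source.iso: good signature from $SIGNER_FPR"
fi
```

The point of going through --status-fd is that a "Good signature" string alone is not the check you want: the script only reports success when the signature is good and was made by the key whose full fingerprint you expect, which is what the rest of this page is about establishing.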
Using gnupg to Verify The Chain of Trust Back to Raptor
Note: Your ISO will most likely not be signed with the same key/fingerprint that is included in your letter. However, it is possible to trace the signatures all the way back to the master signing key from Raptor.
Brief overview of the signing chain hierarchy:
- The ISO is signed by an intermediate (per-release) key.
- That intermediate key is signed by the Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>, fingerprint 9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F (verify this against your letter and with others in the IRC channel!).
Find your iso version from your letter and download the correct signature file from https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/
In this example we will be using v1.03. The actual keys differ for other versions.
wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc
It is assumed that your ISO has already been saved as source.iso. If you have not done so, please dump your ISO using the directions above.
Verify the iso signature:
gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso
If you see this message, you need to import the signing key:
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT
gpg: using RSA key 101A7EF8EF283DDC
gpg: Can't check signature: No public key
You can import this signing key like this:
gpg --recv-keys 101A7EF8EF283DDC
Which will return something like:
gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
After you have the signing key you can attempt to verify the iso again.
gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso
Now you should see something like the following (note: some ISOs are signed by sales@raptorcs.com and others by support@raptorcs.com):
gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT
gpg: using RSA key 101A7EF8EF283DDC
gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]
gpg: support@raptorcs.com: Verified 1 signature in the past 10 days. Encrypted 0 messages.
gpg: Warning: we've only seen one message signed using this key and user id!
gpg: Warning: you have yet to encrypt a message to this key!
gpg: Warning: if you think you've seen more signatures by this key and user
id, then this key might be a forgery! Carefully examine the email address
for small variations. If the key is suspect, then use
gpg --tofu-policy bad D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC
to mark it as being bad.
gpg: WARNING: This key is not certified with sufficiently trusted signatures!
gpg: It is not certain that the signature belongs to the owner.
Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E F5FD 101A 7EF8 EF28 3DDC
Great, now we have verified that this ISO was signed by support@raptorcs.com, but how do we know that the key that signed the ISO belongs to Raptor? In this case, the ISO was signed by 101A7EF8EF283DDC.
gpg --list-signatures 101A7EF8EF283DDC
Shows you which keys have certified this key (gpg --check-signatures 101A7EF8EF283DDC lists the same certifications and additionally verifies each one, marking good ones as sig!):
pub rsa4096 2018-04-25 [SC] [expires: 2019-01-20]
D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC
uid [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
sig 3 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
sig 9B2BF5BD337BF51F 2018-04-25 Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>
sub rsa4096 2018-04-25 [E] [expires: 2019-01-20]
sig 101A7EF8EF283DDC 2018-04-25 Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
Here we can see that 101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>.
gpg --fingerprint 9B2BF5BD337BF51F
pub rsa4096 2018-04-16 [SC]
9C2A 6E8F AEA7 EE92 1EFD 4891 9B2B F5BD 337B F51F
uid [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>
sub rsa4096 2018-04-16 [E]
Again, verify this fingerprint against your received letter and with others in IRC. Compare the full 40-character fingerprint, not just the 16-character key ID shown in the signature listing: a key ID is only the tail of the fingerprint and an attacker can generate a key whose ID matches, whereas the full fingerprint is what the letter attests.
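The chain walk just described, as an added example that is not part of the original page or of Raptor's tooling: instead of eyeballing the listing, the script parses gpg's --with-colons records, requires that the certification of the ISO signer by the Umbrella Signer actually verifies (gpg --check-signatures marks verified certifications with "!" in field 2; a plain --list-signatures leaves that field empty), and then compares the certifying key's full fingerprint against the value scanned from the letter rather than stopping at the 64-bit key ID. The key IDs are the ones shown on this page; LETTER_FPR is whatever your letter says, and the sample records in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the Raptor page: verify that the key which signed
# the ISO is certified by the Umbrella Signer, and that the Umbrella Signer's
# full fingerprint matches the letter. Assumes the ISO signer's key and the
# Umbrella Signer's key are already in the local keyring.

# Canonicalise a fingerprint or key id: strip spaces/colons, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n:' | tr '[:lower:]' '[:upper:]'
}

# Long key id = last 16 hex digits of the fingerprint (what sig records carry).
keyid_of() {
    normalize_fpr "$1" | tail -c 16
}

# From `gpg --with-colons --fingerprint <key>` on stdin, print the primary
# key fingerprint: the first "fpr" record, field 10 (subkeys come later).
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# From `gpg --with-colons --check-signatures <key>` on stdin, succeed only if
# a certification by key id $1 is present AND gpg verified it: field 2 is
# "!" for good, "-" for bad, "?" when the certifier's key is not in the
# keyring (and therefore nothing has actually been checked yet).
certified_by_from_colons() {
    awk -F: -v signer="$(keyid_of "$1")" '
        $1 == "sig" && $2 == "!" && toupper($5) == signer { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Live check: $1 = key that signed the ISO (from gpg --verify, e.g.
# 101A7EF8EF283DDC), $2 = fingerprint scanned from the letter's QR code.
verify_chain() {
    iso_signer=$1
    letter_fpr=$(normalize_fpr "$2")
    umbrella=$(keyid_of "$letter_fpr")

    gpg --with-colons --check-signatures "$iso_signer" 2>/dev/null \
        | certified_by_from_colons "$umbrella" || {
        echo "no verified certification of $iso_signer by $umbrella" >&2
        return 1
    }
    # A key id is only 64 bits of the fingerprint and can be collided, so look
    # the certifying key up and compare all 160 bits with the letter.
    have=$(gpg --with-colons --fingerprint "0x$umbrella" 2>/dev/null \
        | primary_fpr_from_colons)
    [ "$have" = "$letter_fpr" ] || {
        echo "key $umbrella has fingerprint '$have', letter says $letter_fpr" >&2
        return 1
    }
    echo "chain OK: $iso_signer is certified by $letter_fpr"
}

# Usage: only runs when explicitly requested, e.g. RAPTOR_VERIFY=1 ./chain.sh
if [ "${RAPTOR_VERIFY:-0}" = 1 ]; then
    verify_chain 101A7EF8EF283DDC "${LETTER_FPR:?scan the QR code on your letter}"
fi
```

If the certification shows up as "?" rather than "!", import the Umbrella Signer first; gpg accepts the full fingerprint as the key specifier for --recv-keys, which is preferable to fetching by the short key ID.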
The Chain of Trust
Digital signatures offer sender authentication (a guarantee of who signed the message) as well as message integrity (a guarantee that the message has not been altered since the signer authorized it), on one crucial condition: that the key itself can be verified to actually belong to whom it purports to belong to. If this condition is not met, an adversary could simply substitute their own key, re-sign a counterfeit disk with it, and impersonate Raptor to you.
PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common.
As an alternative to this, Raptor includes a letter marked "Important Information" with all Talos IIs. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR code reading application, it yields the 40-character plain-text hexadecimal fingerprint (for OpenPGP v4 keys, the SHA-1 hash of the public key packet) that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeychain's "Scan From QR Code" function; it simply gives the raw 40-character fingerprint without spaces or comma separation.
This forms something of a chain of trust that looks like the following:
- You and the message you wish to verify;
- Genuineness of the message attested by the Digital Signature;
- Production of the Digital Signature using the Firmware Signing Key;
- Verification of the Hash of the Firmware Signing Key via the QR Code included in Raptor's "Important Information" Letter, and possibly out of band, such as via a phone call or by contacting another Talos owner you trust over an end-to-end secure and authenticated channel to get their input.
The digital signatures provided by Raptor's website, as well as the copies of the keys, may then be obtained from an untrusted source such as the open internet: the fingerprint check authenticates the key and the signature check detects any modification of the ISO. The letter itself is the root of this chain, and it arrived through the same physical shipment as the DVD, so if the package shows signs of having been disturbed or modified in transit, confirm the fingerprint out of band before relying on it.