Difference between revisions of "Verifying DVDs"

From RCS Wiki
Line 26: Line 26:
  
 
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code>
 
<code>gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)</code>
 +
 +
 +
==Using gnupg to Verify The Chain of Trust Back to Raptor==
 +
 +
Note: Your iso will most likely not be signed with the same key/fingerprint that is included in your letter. However it is possible to trace the signatures all the way back to the master signing key from Raptor.
 +
 +
Brief overview of the signing chain hierarchy:
 +
    ISO
 +
        Signed by intermediate key.
 +
            Signed by Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>
 +
            Fingerprint (9C2A 6E8F AEA7 EE92 1EFD  4891 9B2B F5BD 337B F51F) (Verify this against your letter and others in IRC channel!)
 +
 +
'''Find your iso version from your letter and download the correct signature file''' from https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/
 +
 +
In this example we will be using v1.03. The actual keys differ for other versions.
 +
<code>wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc</code>
 +
 +
It is assumed that your iso has already been saved as source.iso. If you have not done so, please dump your iso using the directions above.
 +
 +
'''Verify the iso signature:'''
 +
<code>gpg --verify talos_recover_disk_v.103.iso.asc source.iso</code>
 +
 +
 +
'''If you see this message, you need to import the signing key:'''
 +
<code>
 +
    gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT
 +
    gpg:                using RSA key 101A7EF8EF283DDC
 +
    gpg: Can't check signature: No public key
 +
</code>
 +
 +
 +
'''You can import this signing key like this:'''
 +
    <code>gpg --recv-keys 101A7EF8EF283DDC</code>
 +
 +
 +
'''Which will return something like:'''
 +
<code>
 +
    gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported
 +
    gpg: no ultimately trusted keys found
 +
    gpg: Total number processed: 1
 +
    gpg:              imported: 1
 +
</code>
 +
 +
 +
'''After you have the signing key you can attempt to verify the iso again.'''
 +
<code>gpg --verify talos_recover_disk_v.103.iso.asc source.iso</code>
 +
 +
'''
 +
Now you should see something like (Note: Some isos are signed by sales@raptorcs.com and others are signed by support@raptorcs.com):'''
 +
<code>
 +
    gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT
 +
    gpg:                using RSA key 101A7EF8EF283DDC
 +
    gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]
 +
    gpg: support@raptorcs.com: Verified 1 signature in the past 10 days.  Encrypted
 +
        0 messages.
 +
    gpg: Warning: we've only seen one message signed using this key and user id!
 +
    gpg: Warning: you have yet to encrypt a message to this key!
 +
    gpg: Warning: if you think you've seen more signatures by this key and user
 +
        id, then this key might be a forgery!  Carefully examine the email address
 +
        for small variations.  If the key is suspect, then use
 +
          gpg --tofu-policy bad D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC
 +
        to mark it as being bad.
 +
    gpg: WARNING: This key is not certified with sufficiently trusted signatures!
 +
    gpg:          It is not certain that the signature belongs to the owner.
 +
    Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E  F5FD 101A 7EF8 EF28 3DDC
 +
</code>
 +
 +
 +
'''Great, now we've verified that this ISO was signed support@raptorcs.com, but how do we know that the key that signed the ISO belongs to Raptor? In this case, the ISO was signed by 101A7EF8EF283DDC.'''
 +
<code>gpg --list-signatures 101A7EF8EF283DDC</code>
 +
 +
 +
'''Shows you what this key was signed by:'''
 +
<code>
 +
    pub  rsa4096 2018-04-25 [SC] [expires: 2019-01-20]
 +
          D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC
 +
    uid          [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
 +
    sig 3        101A7EF8EF283DDC 2018-04-25  Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
 +
    sig          9B2BF5BD337BF51F 2018-04-25  Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>
 +
    sub  rsa4096 2018-04-25 [E] [expires: 2019-01-20]
 +
    sig          101A7EF8EF283DDC 2018-04-25  Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
 +
</code>
 +
 +
 +
Here we can see that 101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>.
 +
<code>
 +
gpg --fingerprint 9B2BF5BD337BF51F
 +
    pub  rsa4096 2018-04-16 [SC]
 +
          9C2A 6E8F AEA7 EE92 1EFD  4891 9B2B F5BD 337B F51F
 +
    uid          [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>
 +
    sub  rsa4096 2018-04-16 [E]
 +
</code>
 +
 +
 +
Again, verify this fingerprint with others in IRC and your received letter.
  
 
==The Chain of Trust==
 
==The Chain of Trust==
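Review bot: The two added gpg --verify lines name talos_recover_disk_v.103.iso.asc, but the wget line earlier in this hunk saves the signature as talos_recovery_disk_v1.03.iso.asc, so the command fails on a missing file as written; use the downloaded name in both places. The step that runs gpg --list-signatures 101A7EF8EF283DDC also only lists the signatures on the key without checking them; gpg --check-signatures would confirm that the 9B2BF5BD337BF51F certification actually verifies before the reader compares the umbrella fingerprint with the letter.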

Revision as of 17:31, 17 August 2018

How to Verify a Raptor Computing Systems Source DVD

Raptor Computing Systems signs their source DVD images with their publicly available Sales Team GPG key. Verification of DVD contents is strongly recommended to ensure an authentic copy of the software and information contained thereon was received.

Shipments of the Talos II systems include both the source DVD and a letter with a QR Code containing the 40-character PGP Key Fingerprint of the firmware signing key, and a link to where the detached digital signature can be found. For more information on verification of the key itself used to sign the firmware releases, see: The Chain Of Trust. You will need a copy of this signature file along with an extracted ISO image from the DVD to verify the authenticity of the source DVD and the firmware.

Extracting an ISO image from the DVD can be accomplished with the following commands, substituting your DVD drive device node for /dev/sr0. Insert the source DVD into the drive before beginning.

isoinfo -d -i /dev/sr0 | grep -E "block size|Volume size"

Look for the "Block size" and "Volume size" values, then create the ISO image using dd:

dd if=/dev/sr0 of=source.iso bs=<block size> count=<volume size>

Once created, you may verify the ISO with GPG:

gpg --verify <GPG signature file> source.iso


Verify Without Saving ISO:

gpg --verify talos_recovery_disk_v1.0x.iso.asc <(dd if=/dev/cdrom bs=<block size> count=<volume size>)


E.g.

gpg --verify talos_recovery_disk_v1.02.iso.asc <(dd if=/dev/cdrom bs=2048 count=3861982)


Using gnupg to Verify The Chain of Trust Back to Raptor

Note: Your iso will most likely not be signed with the same key/fingerprint that is included in your letter. However it is possible to trace the signatures all the way back to the master signing key from Raptor.

Brief overview of the signing chain hierarchy:

   ISO
       Signed by intermediate key.
           Signed by Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>
           Fingerprint (9C2A 6E8F AEA7 EE92 1EFD  4891 9B2B F5BD 337B F51F) (Verify this against your letter and others in IRC channel!)

Find your iso version from your letter and download the correct signature file from https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/

In this example we will be using v1.03. The actual keys differ for other versions.

wget https://www.raptorcs.com/verification/gpg/talos_ii/recovery_disks/talos_recovery_disk_v1.03.iso.asc

It is assumed that your iso has already been saved as source.iso. If you have not done so, please dump your iso using the directions above.

Verify the iso signature:

gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso


If you see this message, you need to import the signing key:

   gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT
   gpg:                using RSA key 101A7EF8EF283DDC
   gpg: Can't check signature: No public key


You can import this signing key like this:

   gpg --recv-keys 101A7EF8EF283DDC


Which will return something like:

   gpg: key 101A7EF8EF283DDC: public key "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" imported
   gpg: no ultimately trusted keys found
   gpg: Total number processed: 1
   gpg:               imported: 1


After you have the signing key you can attempt to verify the iso again.

gpg --verify talos_recovery_disk_v1.03.iso.asc source.iso

Now you should see something like (Note: Some isos are signed by sales@raptorcs.com and others are signed by support@raptorcs.com):

   gpg: Signature made Mon 30 Apr 2018 04:44:08 PM MDT
   gpg:                using RSA key 101A7EF8EF283DDC
   gpg: Good signature from "Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>" [marginal]
   gpg: support@raptorcs.com: Verified 1 signature in the past 10 days.  Encrypted
        0 messages.
   gpg: Warning: we've only seen one message signed using this key and user id!
   gpg: Warning: you have yet to encrypt a message to this key!
   gpg: Warning: if you think you've seen more signatures by this key and user
        id, then this key might be a forgery!  Carefully examine the email address
        for small variations.  If the key is suspect, then use
          gpg --tofu-policy bad D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC
        to mark it as being bad.
   gpg: WARNING: This key is not certified with sufficiently trusted signatures!
   gpg:          It is not certain that the signature belongs to the owner.
   Primary key fingerprint: D7E9 CE35 33F1 938C 6F8E  F5FD 101A 7EF8 EF28 3DDC


Great, now we've verified that this ISO was signed by support@raptorcs.com, but how do we know that the key that signed the ISO belongs to Raptor? In this case, the ISO was signed by 101A7EF8EF283DDC.

gpg --list-signatures 101A7EF8EF283DDC


This shows you what this key was signed by:

   pub   rsa4096 2018-04-25 [SC] [expires: 2019-01-20]
         D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC
   uid           [marginal] Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
   sig 3        101A7EF8EF283DDC 2018-04-25  Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>
   sig          9B2BF5BD337BF51F 2018-04-25  Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>
   sub   rsa4096 2018-04-25 [E] [expires: 2019-01-20]
   sig          101A7EF8EF283DDC 2018-04-25  Raptor Computing Systems Firmware Signer (2018) (2018 Firmware Signer) <support@raptorcs.com>


Here we can see that 101A7EF8EF283DDC was signed by 9B2BF5BD337BF51F Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>.

gpg --fingerprint 9B2BF5BD337BF51F

   pub   rsa4096 2018-04-16 [SC]
         9C2A 6E8F AEA7 EE92 1EFD  4891 9B2B F5BD 337B F51F
   uid           [marginal] Raptor Computing Systems Primary Signer (Umbrella Signer) <authentication@raptorcs.com>
   sub   rsa4096 2018-04-16 [E]


Again, verify this fingerprint with others in IRC and your received letter.
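
The same chain check done on gpg's machine-readable output instead of by reading the text above; this is an added example, not part of the wiki page or Raptor's tooling. The function names and the sample status and listing text are constructed for illustration (the fingerprints are the ones shown on this page), and it relies on gpg --check-signatures, which verifies each key signature where --list-signatures only lists them.

```shell
#!/bin/sh
# Added example: walk ISO signature -> signing key -> letter fingerprint.

normalize_fpr() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# stdin: output of `gpg --status-fd 1 --verify SIGFILE ISO`
# Prints the signer's primary-key fingerprint; fails if there is no VALIDSIG line.
validsig_primary_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; ok = 1 } END { exit !ok }'
}

# stdin: output of `gpg --with-colons --check-signatures SIGNER_FPR`
# Succeeds only if SIGNER carries a verified ("!") signature made by CERTIFIER.
certified_by() {  # $1 = signer fingerprint, $2 = certifier fingerprint
  awk -F: -v signer="$1" -v cert="$2" '
    BEGIN { kid = substr(cert, length(cert) - 15) }
    $1 == "pub" { inkey = 0; first = 1 }
    $1 == "fpr" && first { inkey = ($10 == signer); first = 0 }
    $1 == "sig" && inkey && $2 == "!" && $5 == kid && ($13 == "" || $13 == cert) { ok = 1 }
    END { exit !ok }'
}

# chain_ok LETTER_FPR STATUS_TEXT LISTING_TEXT
# Returns 0 if the chain reaches the letter fingerprint, 2 on a malformed
# fingerprint, 3 if the ISO has no valid signature, 4 if the link is missing.
chain_ok() {
  local root signer
  root=$(normalize_fpr "$1")
  case "$root" in *[!0-9A-F]*) return 2 ;; esac
  [ "${#root}" -eq 40 ] || return 2
  signer=$(printf '%s\n' "$2" | validsig_primary_fpr) || return 3
  [ "$signer" = "$root" ] && return 0   # ISO signed directly by the letter key
  printf '%s\n' "$3" | certified_by "$signer" "$root" || return 4
}

# Constructed sample input: fingerprints from this page, other fields made up.
SIGNER=D7E9CE3533F1938C6F8EF5FD101A7EF8EF283DDC
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 101A7EF8EF283DDC Raptor Computing Systems Firmware Signer (2018)
[GNUPG:] VALIDSIG $SIGNER 2018-04-30 1525128248 0 4 0 1 8 00 $SIGNER"
SAMPLE_LISTING="pub:m:4096:1:101A7EF8EF283DDC:1524614400:1547942400::-:::scESC::::::23::0:
fpr:::::::::$SIGNER:
uid:m::::1524614400::0000::Raptor Computing Systems Firmware Signer (2018) <support@raptorcs.com>::::::::::0:
sig:!::1:101A7EF8EF283DDC:1524614400::::Raptor Computing Systems Firmware Signer (2018):13x:::::8:
sig:!::1:9B2BF5BD337BF51F:1524614400::::Raptor Computing Systems Primary Signer (Umbrella Signer):10x:::::8:"
```

On a real system, pass chain_ok the string from the letter's QR code, the output of gpg --status-fd 1 --verify for your signature file and source.iso, and the output of gpg --with-colons --check-signatures for the signing key. A "?" where the listing should show "!" means the umbrella key is not in your keyring yet, so the link cannot be checked.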

The Chain of Trust

Digital signatures offer sender authentication (a guarantee of who sent the message) as well as message integrity (a guarantee that the message has not been altered since the sender authorized it), on one crucial, pivotal condition: that the key itself can be verified to actually belong to whom it purports to belong. If this condition is not met, an adversary could simply change the keys and replace the signatures on a counterfeit disk with one of their own, then impersonate the sender to the recipient or vice versa.

PGP was originally designed with the implicit assumption that the sender and recipient would either be able to meet each other in person to determine the validity of their keys, or would know "trusted introducers" that they believed to be trustworthy that could do so on their behalf through the use of the PGP "Web Of Trust". This "Web Of Trust" model is impractical when the sender and recipient do not know each other and are not in a position where they could meet in person or have any trusted friends in common.

As an alternative, Raptor includes a letter marked "Important Information" with every Talos II. This letter contains a QR code which encodes the PGP key fingerprint of the key used to sign the firmware. The QR code is marked with Raptor Computing Systems' logo and should be on the opposite side of the letter. When scanned with any QR Code reading application, it yields the 40-character plain-text hexadecimal SHA-1 fingerprint that uniquely identifies the key. Please note that this format is not compatible with Android OpenKeyChain's "Scan From QR Code" function, and simply gives the raw 40-character fingerprint without spaces or comma separation.

This forms something of a chain of trust that looks like the following:

  • You and the message you wish to verify;
  • Genuineness of the message attested by the Digital Signature;
  • Production of the Digital Signature using the Firmware Signing Key;
  • Verification of the Hash of the Firmware Signing Key via the QR Code included in Raptor's "Important Information" Letter, and possibly out of band, such as via a phone call or by contacting another Talos owner you trust over an end-to-end secure and authenticated channel to get their input.

The digital signatures provided by Raptor's website, as well as the copies of the keys, may then be obtained from an untrusted source, such as the outside, untrusted internet, as long as the Key Fingerprint matches and the package has not been disturbed or surreptitiously modified while in transit.