Open freethinkpad opened 2 years ago
gellatofresh
commented
2 years ago This is late but should another be reading this...
You need to gather the autors PGP key, and add it.
After that, download what will come in a pair such as -gpg --verify <ffile.tar.xz.asc>
Of course I will assume one knows to cd to the containing directory. You could also drag and drop that file onto terminal instead of writing in whats contained <>
gellatofresh
commented
2 years ago Ideally you can verify the provided hashes, if they are given this way. Then with confidence verify the checksum
merge
commented
2 years ago yes, in principal that should work - although I'd recommend just flashing a trusted (and possibly newer) version instead. With Skulls, that's the only way to ensure the integrity. For real integrity verification, look into running Heads.
secretmango
commented
1 year ago Where can we find your PGP key @merge ?
merge
commented
1 year ago Where can we find your PGP key @merge ?
that's my key: http://pgp.mit.edu/pks/lookup?op=get&search=0x500398DF5AB387D3
stafwag
commented
1 year ago @merge Is your GPG key changed? I seems to be updated to 5352AD9973658B23BA379F702F708E4A5064D6B Is this correct?
merge
commented
1 year ago @merge Is your GPG key changed? I seems to be updated to 5352AD9973658B23BA379F702F708E4A5064D6B Is this correct?
this is my new signing subkey, yes. F2082B880F9E423934686E3F500398DF5AB387D3 is the "key" where my (changing because I let them expire) subkeys belong to.
stafwag
commented
1 year ago @merge ok. Nice perhaps just add link in README.md to your homepage or another place were you publish the public key?
I used to verify it on https://martin.bet/ but your site seems to be down :-)
Thanks for your great work on this project BTW!
suddenlyfleck
commented
1 year ago Dear @merge
first and foremost: Thanks for your work! skulls is great and you provide such a streamlined experience here - I love it.
Trouble is: verifying the build.
Solution would be: Please document a working way how to obtain your correct PGP key! Pleeease.
Here's the journey of my troubles:
gpg --verify skulls-1.0.8.tar.xz.asc skulls-1.0.8.tar.xz
gpg: Signature made Tue 13 Jun 2023 04:39:33 PM CEST
gpg: using RSA key 45352AD9973658B23BA379F702F708E4A5064D6B
gpg: Can't check signature: No public keyok lets get the key
gpg --keyserver keyserver.ubuntu.com --search-keys 45352AD9973658B23BA379F702F708E4A5064D6B
gpg --search-keys 45352AD9973658B23BA379F702F708E4A5064D6Bboth don't work and give back
gpg: key "45352AD9973658B23BA379F702F708E4A5064D6B" not found on keyserver
gpg: keyserver search failed: Not foundBut this is the only information I get when downloading a release of yours - the asc file.
Maybe I can find out the fingerprint from that and then use gpg --receive-keys? (but honestly, who knows that shit from the top of one's head?)
Anyway, I google how to get the fingerprint and find something like
gpg -nq --import --import-options import-show --with-colons skulls-1.0.8.tar.xz.asc
gpg: no valid OpenPGP data found.looked strange, did not work. Surprise? Maybe not.
Lets google to find your key. I land on this very page where I'm writing you now. I find your answer here: https://github.com/merge/skulls/issues/226#issuecomment-1366117958
Great! Your key! Finally! I click the link you post and find the fingerprint "0x500398df5ab387d3" So now:
gpg --receive-keys 0x500398df5ab387d3
gpg: key 500398DF5AB387D3: public key "Martin Kepplinger <martink@posteo.de>" imported
gpg: Total number processed: 1
gpg: imported: 1Finally! :laughing:
gpg --verify skulls-1.0.8.tar.xz.asc skulls-1.0.8.tar.xz
gpg: Signature made Tue 13 Jun 2023 04:39:33 PM CEST
gpg: using RSA key 45352AD9973658B23BA379F702F708E4A5064D6B
gpg: Can't check signature: No public keyNo :disappointed:
gpg --search-keys 0x500398df5ab387d3
gpg: data source: https://162.213.33.9:443
(1) Martin Kepplinger <martink@posteo.de>
Martin Kepplinger <martin.kepplinger@puri.sm>
Martin Kepplinger <martink@posteo.at>
4096 bit RSA key 500398DF5AB387D3, created: 2015-03-20
Keys 1-1 of 1 for "0x500398df5ab387d3". Enter number(s), N)ext, or Q)uit > 1
gpg: key 500398DF5AB387D3: "Martin Kepplinger <martink@posteo.de>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1ok Nothing new here, but your EMAIL ADDRESS. great Also möglicherweise ein Landsmann von mir. Supercool. [Edit: nun hab ich gesehen, Österreich. Auch geil] Ich bin mir auch bewusst, die PGP Scheisse ist halt alt und war vieleicht mal in Grundzuegen eine tolle Sache aber ... it's great that moxie put mostly and end to this PGP stuff. Anyway YOUR EMAIL ADDRESS, GREAT
gpg: data source: https://162.213.33.9:443
(1) Martin Kepplinger <martink@posteo.de>
Martin Kepplinger <martin.kepplinger@puri.sm>
Martin Kepplinger <martink@posteo.at>
4096 bit RSA key 500398DF5AB387D3, created: 2015-03-20
(2) Martin Kepplinger <martink@posteo.at>
Martin Kepplinger <martink@posteo.de>
Martin Kepplinger <martink.tor@posteo.de>
Martin Kepplinger <martin.kepplinger@theobroma-systems.com>
4096 bit RSA key C100D7B57F2A1E26, created: 2010-05-16
Keys 1-2 of 2 for "martink@posteo.de". Enter number(s), N)ext, or Q)uit > 1ok the other key is older, won't help I guess. I scroll through this thread some more and find the link to your website https://martin.bet/ Your PGP key is linked here! Great.
I read
We found an entry for F2082B880F9E423934686E3F500398DF5AB387D3.
https://keys.openpgp.org/vks/v1/by-fingerprint/F2082B880F9E423934686E3F500398DF5AB387D3
Hint: It's more convenient to use keys.openpgp.org from your OpenPGP software. Take a look at our usage guide for details.
I follow the instruction closely, see that "hint" and because it's "more convenient" I
use keys.openpgp.org from your OpenPGP software.
gpg --keyserver keys.openpgp.org --search-keys F2082B880F9E423934686E3F500398DF5AB387D3
gpg: data source: http://keys.openpgp.org:11371
(1) 4096 bit RSA key 500398DF5AB387D3, created: 2015-03-20
Keys 1-1 of 1 for "F2082B880F9E423934686E3F500398DF5AB387D3". Enter number(s), N)ext, or Q)uit > 1
gpg: key 500398DF5AB387D3: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1:sob:
So I download this file that's linked there and import it
gpg --import F2082B880F9E423934686E3F500398DF5AB387D3.asc
gpg: key 500398DF5AB387D3: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1So I take a closer look at this website:
Take a look at our usage guide for details.
and I go there and I find something like
To locate the key of a user, by email address:
gpg --auto-key-locate keyserver --locate-keys user@example.net
So I do
b@fedo ~/t/skulls> gpg --auto-key-locate keyserver --locate-keys martink@posteo.de
gpg: key 500398DF5AB387D3: public key "Martin Kepplinger <martink@posteo.de>" imported
gpg: key C100D7B57F2A1E26: public key "Martin Kepplinger <martink.tor@posteo.de>" imported
gpg: Total number processed: 2
gpg: imported: 2
gpg: error retrieving 'martink@posteo.de' via keyserver: No fingerprint
b@fedo ~/t/skulls> gpg --verify skulls-1.0.8.tar.xz.asc skulls-1.0.8.tar.xz
gpg: Signature made Tue 13 Jun 2023 04:39:33 PM CEST
gpg: using RSA key 45352AD9973658B23BA379F702F708E4A5064D6B
gpg: Can't check signature: No public keyI have started to doubt my life long before this point, but now it's hitting me hard :joy:
By the way - I have two computers that use your skulls. (Thanks again for your work). YESTERDAY, on the other computer, I managed to do this (different physical location, tho. Have it nothere). Right now I'm taking already 30 minutes to do that, and YESTERDAY it took me 30 minutes. Yet, I have not sucessfully verified anything but the failure of my life's choice to be a user of PGP (sorry Phil, you did great and important work at your time).
So back on track:
So back on track:
I look again at what I want to do and what I have actually done so far. The goal is: I need to find the key 45352AD9973658B23BA379F702F708E4A5064D6B And the problem is: I can't find it.
suddenlyfleck
commented
1 year ago The solution is these two steps, in this order:
gpg --auto-key-locate keyserver --locate-keys martink@posteo.de
gpg --keyserver keys.openpgp.org --search-keys 45352AD9973658B23BA379F702F708E4A5064D6BPLEASE document this somewhere visible!
This took me 1.5h of my life
suddenlyfleck
commented
1 year ago I took the liberty to
gpg --keyserver keyserver.ubuntu.com --send-keys 45352AD9973658B23BA379F702F708E4A5064D6B F2082B880F9E423934686E3F500398DF5AB387D3 7346FE0227C33958813AC351C100D7B57F2A1E26
gpg: sending key 500398DF5AB387D3 to hkp://keyserver.ubuntu.com
gpg: sending key 500398DF5AB387D3 to hkp://keyserver.ubuntu.com
gpg: sending key C100D7B57F2A1E26 to hkp://keyserver.ubuntu.comNow (that is: now, after executing the above, not 20 minutes ago)
gpg --keyserver keyserver.ubuntu.com --search-keys 45352AD9973658B23BA379F702F708E4A5064D6Bworks too. And I guess/hope over time your public key should be synced around to other servers and land in the default keysevers of debian, fedora, etc.
Shoutout to keys.openpgp.org for the dumbest idea I have encountered in 2023: stripping email addresses from keys and making the hard-to-use PGP anachronism straight-up impossible to use.
merge
commented
1 year ago sorry, looks like the signing-subkey I used had not been pushed to the keyservers. thanks for verifying!
stafwag
commented
1 year ago @merge Perhaps you can to documentation were/how to find/get public key to verify the download. After this is done we can close this issue I guess :-)
Hello!
I wanted a Thinkpad with coreboot, so I bought a X230 with Skulls already installed. However, I fear that it could have been tampered. Could I verify the integrity of the installation?
I looked it up and the only thing I found is this comment on Reddit: https://www.reddit.com/r/libreboot/comments/9dnj7b/how_can_i_verify_that_libreboot_hasnt_been/e6ellpj
I don't know if I could use this command to read the flashed image:
flashrom -p internal -r fileAnd then compare its hash SHA1 with the one of free-defconfig-74d2218cc7 or nonfree-defconfig-74d2218cc7
Could you give me a hand please? Thank you!