# I can't verify the integrity of the iso with GPG: several errors



## fufukauliza (Mar 24, 2021)

Hello everyone, I am a freebsd newbie and, as I wanted to install it to start using it, I downloaded the version 12.2 iso FreeBSD-12.2-RELEASE-amd64-dvd1.iso with relative .asc file CHECKSUM.SHA512-FreeBSD-12.2- RELEASE-amd64.asc and the checksum file CHECKSUM.SHA512-FreeBSD-12.2-RELEASE-amd64.
Furthermore, having read another thread explaining how to do it, I also downloaded the .txt file with all the pgpkeyring.txt signatures as specified on this page: https://docs.freebsd.org/en_US.ISO8859-1/books /handbook/pgpkeys.html.
I imported all the keys on the file with the gpg --import pgpkeyring.txt
Then I ran the first check like this: gpg --verify CHECKSUM.SHA512-FreeBSD-12.2-RELEASE-amd64.asc

I get the following message back:

gpg: Good signature from  ecc ecc but at the end with this warning:

gpg: WARNING: not a detached signature; file 'CHECKSUM.SHA512-FreeBSD-12.2-RELEASE-amd64' was NOT verified!

I subsequently wanted to do the second verification in this way:
gpg --verify CHECKSUM.SHA512-FreeBSD-12.2-RELEASE-amd64.asc FreeBSD-12.2-RELEASE-amd64-dvd1.iso
I get the following message back:

gpg: not a detached signature.

If I check with other software the checksum512 by taking it from the file with all the checksum the iso is ok but I also wanted to do the GPG verification to be sure everything is really ok.

What am I doing wrong?

Thank you all.


----------



## decuser (Mar 28, 2021)

I'm looking at the download page:


			Index of /ftp/releases/amd64/amd64/ISO-IMAGES/12.2/
		

I don't see any .asc files. Where'd you download from?

Open CHECKSUM.SHA512-FreeBSD-12.2-RELEASE-amd64.asc with a text editor, does it contain a GPG signature?


----------



## fufukauliza (Mar 28, 2021)

Hi decuser,

i download .asc file from this page: https://www.freebsd.org/releases/12.2R/signatures/
If i open .asc file with text editor I confirm that it contains such as the GPG signature as you can verify yourself.

Thanks for your help.


----------



## decuser (Mar 29, 2021)

Well, I'm not sure why they chose to use clearsigned files, but here's what the gnupg docs say about these signed docs:


> A signed document has limited usefulness. Other users must recover the original document from the signed version, and even with clearsigned documents, the signed document must be edited to recover the original.


The issue is that the clearsign that wraps the content changes the digest of the file. So, removing it without screwing things up is dicey. The freebsd folks should provide detached ascii armored signatures. That way, you could verify them as you are trying to do. As it is, you could just try to figure out what the original text was and put the signature in a separate file, but I wouldn't bother. Just download the checksum file from the main ftp site and use shasum for the check. It's pretty unlikely the ftp site has been compromised without anyone noticing. Or just check against the shasums in the clearsigned doc, they look ok too.


----------



## decuser (Mar 29, 2021)

Actually,

It works fine. Just do `gpg --verify CHECKSUM.SHA512-FreeBSD-12.2-RELEASE-amd64.asc`

This checks the contents and reports Good Signature, if the contents are in their original state, and Bad Signature, if they've been changed. To convince yourself, just modify the contents and run the verify.

What you are verifying is the contents of CHECKSUM.SHA512-FreeBSD-12.2-RELEASE-amd64.asc, which contains the shasums for the ISOs..


----------



## fufukauliza (Apr 12, 2021)

decuser 

Sorry for the delay in answering. I tried to deepen and despite being a novice to gpg I think I understand what you have explained to me and that therefore I can feel reasonably calm about the integrity of the files.
Also from what I understand, the ideal would have been to have a totally separate signature which I believe would have facilitated and made everything clearer.
However, I still can't understand what kind of greater security entails having the signature not separated and therefore twice the hashes of the images.
The signature integrated in the same file of the hashes I understood that it confirms that the same are correct but you must still do another manual check to confirm that they are identical to those contained in the file CHECKSUM.SHA512-FreeBSD-12.2-RELEASE-amd64.
Meanwhile, thanks again for your availability.


----------

