πŸ’Ύ πŸ’Ώ PGP Signature Verification πŸ–ŠοΈ πŸ” ...

πŸ’Ύ πŸ’Ώ PGP Signature Verification πŸ–ŠοΈ πŸ” (Integrity: Security Essentials)

Feb 25, 2022

image

For if you install Linux, or another operating systems, and neglect to verify the integrity of that image (using checksum and/or PGP signature), you may very well be left questioning the trust of everything on that system thereafter.

(don't make the mistake of skipping these vital steps)

We covered integrity before, utilizing checksum verification. Both individually, and an entire system.

Miss it? See Checksums: Arch + Manjaro / Debian based - both: video / article).


[ Share with Linux, open source, and crypto fans. ]


WHY INTEGRITY? READ ON.

OR, SKIP DOWN TO START OF "TUTORIAL".

(a refresher on integrity/cryptographic benefits - it's not just for privacy)


🎯 MiTM (Man [or 'manipulator'] In The Middle)

image

🎯 During a man in the middle attack, our attacker sits somewhere in the middle (hence MITM). This could be performed by:

  • a human behind a machine (example)

  • an automated hidden pi zero or other IoT device

  • a device while on public wifi

  • your LAN (home/work WiFi network)

  • higher up the chain inside your ISP network

  • on the network for the download server itself.


Once you install a backdoored Linux image πŸ’Ώ, the rest of security/privacy goes out the window.


Good News: checking fingerprints and being mindful of encryption helps avoid the majority of MITM security problems today. Especially when using shared networks.


TIP: When's the last time you patched vulnerable IoT devices? These can be high risk. Always a good idea to create a separate isolated LAN for these.


🎯 ATTACKED SERVERS (PREVIOUS EXAMPLE)

If you download from a server that is compromised, don't be surprised if the attacker "left a present".(if you have problems with this tutorial or others, leave a comment: your question could help others in the future - and that's the ultimate goal here: help as many people as possible using these public tutorials;

The extras section offers another form of support including custom Linux server images/consulting: for those who want to receive 1 on 1 help/services (helps support this content).)


πŸ—’οΈ TUTORIAL: VERIFYING PGP SIGNATURES πŸ”’ πŸ–ŠοΈ

Use this guide to verify Tails or any other package/image.

The only thing that changes here is the sites you download the key + signature/file from.

Verification remains the same - that's why we use encryption.


STEP #1: INSTALL GPA (GNU PRIVACY ASSISTANT)

FIRST: Install/Open GPA (GNU Privacy Assistant)

Debian Install: apt install gpa -y

Arch/Manjaro Install: pacman -S gpa)

NEXT: Download the provided public key from the developer's official sources (see below example process).

In this example we import RTP's key. This key can be used to verify anything which has been signed by RTP. Ensuring that RTP themselves created the file download (substitute for other source/img).

No one can "spoof" RTP's signature to match: as long as we have downloaded/imported the correct RTP key (containing correct fingerprint).

We go into tips on verification.

Here, we find the PGP / GPG key itself on the Politictech/BMAC Tutorial site at the secure onion link:

image

πŸ§… πŸ” Why Tor Hidden Service Link? Tor hidden services use end to end encryption to thwart MITM attacks, making a more secure way to share PGP / GPG keys.

In this particular case, we are viewing this on a trusted encrypted πŸ“‹πŸ”’ Pastebin site - adding further security - the public key of the hidden service encryption makes up the .onion address.

Additionally, the key itself to the storage encryption for the encrypted πŸ“‹πŸ”’ pastebin post makes up the end remainder of the link.


TIP: Only sign/trust keys after verifying that key carries the correct fingerprint. If you remember nothing else from this article, remember this: fingerprints must match the original/official.


πŸ”‘ NEXT: SAVE PGP KEY

IMPORTANT NOTE: In the example, the key itself is provided by a secure hidden service domain (.onion) we trust.

It's important to further verify the key fingerprint through a 3rd party (keyservers, signed by trusted developers, for a few examples)

image

Next: Copy and paste the entirety of the PGP Public Key Block into a file and save this file as:
'rtp-key' πŸ”‘.


(related: those interested can support the tutorials/videos/scripts work and get something in return: a custom pi Supporter image creating their own automated setup encrypted onion pastebin + Tor Nextcloud, through at the pi privacybox supporter image).

You are certainly FREE / welcome to use the provided public community service encrypted pastebin πŸ§…πŸ” (for any ethical purposes (ie: sensitive credentials / temporary passwords with customers / coworkers) by going Here (in Tor Browser).

It's for the community.


πŸ”‘ IMPORT THE KEY INTO GPA/GPG πŸ”

Open GPA and tap on the Keys menu. Select Import Keys (as shown below)

image

Select the file you just saved the public key into (rtp-key).


MATCH THE FINGERPRINT

Tap on the key you just imported. At the bottom of your window you will see the fingerprint for that exact selected key (see below screenshot). It should match the source website (ideally, verify by multiple sources where possible).

image

Now compare the above fingerprint on our newly imported key against officially known fingerprints for the name of the key owner in question (RightToPrivacy/RTP is the example here).

First comparing to the original source:

image

Still, if a website were compromised, attackers could potentially replace links and keys/fingerprints.

Match across multiple sources (where possible).


In our case the fingerprint provided is seen on the main page, on another server in signatures of emails, and other project sources servers.

This provides us multiple sources of matching fingerprints to the imported key.

If the fingerprints do not match, delete the key (unless one fingerprint is an old/expired key - leave a comment if you have any questions on this! Happy to help answer.)

Other options exist without using multiple sources (such as using the trust/validation of other trusted developers such as the case for Tails: Debian developers have signed the Tails key. This makes it valid once we validate the Debian developers key to do so.


VERIFYING FINGERPRINT MATCHES USING ADDITIONAL SOURCES
(QUICK METHOD)

You can use something like whoogle search engine (anon google) to search directly for the key fingerprint in quotes, further verifying the owner of a key fingerprint for you (commonly discussed/printed in forums, stackoverflow, etc).

Verifying through multiple different sources adds confidence to authenticity.

Another option is searching the public keyservers.

Yet another is trusting known keys (such as Debian developers signatures to verify Tails Linux) to verify a new imported key, to develop a "web of trust".


WHY FINGERPRINTS MATTER

FINGERPRINT EXAMPLE #1: If using SSH on a shared network, read SSH Part I, but when it comes to fingerprints especially secure SSH Part II. Learn how to check SSH fingerprints server-side against those displayed upon connection to avoid a MITM here.


FINGERPRINT EXAMPLE #2: https website cert fingerprints are one way to check for an active MITM (SHA1, SHA256).

During times of online uncertainty, try checking a few of the fingerprint/site examples at the end of this article (article subject: $1bil VPN buyout by a large company who's ownership happened to have a data collection/malware history).

FINGERPRINT EXAMPLE #3: If in the course of our messaging, the public key fingerprint changes on us (without the person changing their key), we may be in the midst of the MITM.

Hoping this helps emphasizes the importance of checking fingerprints.


πŸ”‘ SIGN KEY / ADD TRUST 🀝

Once we are thoroughly confident we have imported the correct key, we can right click on that key to set any trust levels we would like (see below screenshot), and sign the key to validate it ourselves.

image

You may trust this developer and wish to set a more complete trust profile. Or maybe this key is less trusted to take actions for you. The choice is yours.

After setting trust level, sign the key πŸ”‘ (after verifying fingerprint)

Once we have signed the key, we can then use it to validate signatures/images.

image


πŸ“ IMPORT OUR SIGNATURE FILE πŸ’Ύ

  • Download the image or package you wish to verify.

  • Download the signature file into same directory (.sig).


πŸ—„οΈ OPEN FILE MANAGER

NEXT: In GPA, "Open the file manager" πŸ“ (seen in folder icon above red box)-

image


πŸ“ File Manager: Open Signature File 🏷️

Next we can open the signature file itself (inside directory of downloaded file)

This can either be separate from the file/image itself, or, it may be all in one file.

Either way, we open the .sig extension file πŸ’Ύ :

image


Opened Signature:

After opening the .sig file we should see it in the box as displayed below.

image


πŸ”’ πŸ–ŠοΈ VALIDATE SIGNATURE / IMAGE πŸ’Ώ

Next we can click "Check Signatures Of Selected File" πŸ’Ύ and if all is well, you should receive a "VALID" message in return:

image The above shows πŸ’Ώ PineDio gateway image verified. Substitute any package or Linux distribution here (such as Tails OS, Whonix, Qubes, Debian πŸ’Ώ)


Follow this guide for ANY PGP signature verification for a download πŸ’Ώ
(ie: Linux operating system image).

(trusted example used here)

Congratulations! πŸ˜€

You did it. πŸ™Œ


More edits may be made to this later including possible video


πŸ’Ž ** Sharing links to this moves this content higher in algorithm. **

Thanks for Supporting this with 🀲 Shares and other Support options below.


β˜‘οΈ Thanks for being a follower (it's FREE!). Followers get only the most interesting posts by email.


Options are below. Thanks for your Support.

Your safety online matters to me. Ask any questions you might have.


πŸ–‡οΈ LINKS/SERVICES πŸ”

----------------------------------------------------------------------
πŸ§…πŸ” GITEA SERVICE (.onion): Books, Code/Scripts, Wiki, more (make a repository)
πŸ§…πŸ” PASTEBIN (.onion): options- password protect, zk-256bit, "Burn After Reading" + more (use Tor Browser for .onion's)
----------------------------------------------------------------------
πŸ’– πŸ€— SUPPORT πŸ’Ž (If you like to)
πŸ’³ 🎁 EXTRAS: (bonus offers / support). Support here offers something in return - like your own privacybox: encrypted pastebin + Nextcloud Tor Hidden Service Server.
πŸ€‘ πŸ’΅ CASHAPP: $HumanRightsTech
✍ πŸ—’ πŸ’Ž Politictech Membership ❀️ (monthly supporter option + early/extra access)
πŸͺ™ Politictech Main Page: (info + current links/addresses)
----------------------------------------------------------------------
πŸ“² FOLLOW: ⏬
✍ πŸ—’ MASTODON
🐦 TWITTER
πŸ“Ί 🎞 PEERTUBE
πŸ“Ί 🎞 BITCHUTE
πŸ“Ί 🎞 ODYSEE
πŸ“Ί 🎞 YOUTUBE
---------------------------------------------------------------------
βœ‰ CONTACT
-------------------------------------------------------------------------
THANK YOU for Sharing this, Liking, and Subscribing.
-------------------------------------------------------------------------
If you aren't registered for Odysee I'd love to see you over there.
Use my invite link: https://odysee.com/$invite/@RTP
--------------------------------------------------------------------------

Enjoy this post?

Buy πŸ₯· (RTP) Privacy Tech Tips πŸ“‘ a coffee

2 comments

More from πŸ₯· (RTP) Privacy Tech Tips πŸ“‘