Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 297571

Summary: update handbook to help when gpg verification fails
Product: [OLD] Docs on www.gentoo.org Reporter: Klaas Decanniere <klaas.decanniere>
Component: Installation HandbookAssignee: Docs Team <docs-team>
Status: RESOLVED DUPLICATE    
Severity: normal CC: releng
Priority: High    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Klaas Decanniere 2009-12-19 20:26:24 UTC 
Preparing a new gentoo installation, I decided to go by the book
So: downloaded the current installation cd .iso file  (time stamp 03-Dec-2009 13:29 on http://mirrors.kernel.org/gentoo/releases/amd64/autobuilds/current-iso/)
downloaded the DIGESTS (time stamp 03-Dec-2009 13:29)
downloaded the ASC (time stamp 04-Dec-2009 06:35)

Ditto for the stage3

- MD5 digest works fine
- gpg verification does not work

Following the installation manual:
>gpg --keyserver subkeys.pgp.net --recv-keys 17072058
gpg: requesting key 17072058 from hkp server subkeys.pgp.net
gpg: key 17072058: "Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

>gpg --verify  install-amd64-minimal-20091203.iso.DIGESTS.asc install-amd64-minimal-20091203.iso
gpg: not a detached signature

This .ASC file contains the digests as well as a PGP - see below.

Deleting the digests and only keeping the PGP signature part gives:
>gpg --verify  install-amd64-minimal-20091203.iso.asc install-amd64-minimal-20091203.iso
gpg: can't handle text lines longer than 19995 characters                                                      
gpg: Signature made Fri Dec  4 07:35:41 2009 CET using RSA key ID 2D182910                                     
gpg: Can't check signature: No public key

The stage3 file gives similar errors.

Seeing that the RSA key ID is 2D182910, I tried  gpg --keyserver subkeys.pgp.net --recv-keys 2D182910
and then tried gpg --verify again

Now I get 
gpg: can't handle text lines longer than 19995 characters
gpg: Signature made Fri Dec  4 07:35:42 2009 CET using RSA key ID 2D182910
gpg: BAD signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>"



Reproducible: Always

Steps to Reproduce:
1.get december 3 install media
2.get handbook
3.follow handbook



Expected Results:  
Go by the book AND have pgp tell me that everything is fine.

Content of the DIGEST.ASC file:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# MD5 HASH
6e0d14dc41fa00404abcad95c93b5af4  install-amd64-minimal-20091203.iso
# SHA1 HASH
027854f5d212a47f1137d67da74b7dbdbc625dde  install-amd64-minimal-20091203.iso
# MD5 HASH
c79c389f375d4abeed0e7967ea88486d  install-amd64-minimal-20091203.iso.CONTENTS
# SHA1 HASH
d74f3c189fbdc02e4d49d6c9262e822b8c4ea51b  install-amd64-minimal-20091203.iso.CONTENTS
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQIVAwUBSxitvbtXLg4tGCkQAQLEng//W1UHqwSUP58Gvv5kIxHxtW/P2vWahCLd
hR1wMGmpdVExgHe002qs4Li/ib8nUaHaP4N0BfESPHKPGG/FRbiurZNlHp0KsCAJ
lzR3/rdSP4GovAOtTCVlefgrZOcCQup4FvgoR/e1JCLT23/13A1ALzZdOlkS8t+o
s2/QPRM7QOK2Wf5Cm/4X5QKoMWfsiSAfosMYkGvj6o+B4KiGPFApLf+6Cp6TcekI
ox/A9IwRd657GRWkciQQ0joslcAPdrVzreoFTj7e/f5OXLWKBWBIE+FK9Mg6mn8W
zLB4i+gLjMWUVAFknfQlr18tSF5/hAQG2iKJCnjkaaToDFunUEbTVNr/5PuU4gHy
wkm+/51NelLMgOYY5J2J8Iui4FqSVTTyWPGLwYqM539cPAFcWvBsdNouZKvhi1mG
RFkNviDONRjd4iKJ8JVT+7JkrleNLzNwffndwDmE76CK/svG+kkYJSLpoIl7jrcA
HI2r/b9qoR7yxXfa9/WdGgu7fjb1ux9yjdjbpKGl56dE+wcK4qoytvoQkX/cFHhC
gIw4+hecOJBzea7P2tB2obhpHpV8y7jHZv+ZGbYqN2pd+Usl0kTkx+YGq0q1wVvX
Pvm9R93e46XaFrLo3hIlQDxpGxaCX8sAHn6O2GjubDZN+wBi50Rps5E5rm05/fuE
0aK/ffwIasE=
=0Apo
-----END PGP SIGNATURE-----
Comment 1 nm (RETIRED) gentoo-dev 2009-12-20 04:11:43 UTC 
Not a documentation problem. Possibly you just downloaded a bad image (or an improperly hashed image), or your 'net connection corrupted it. Try a newer stage.

Reassigning to the folks who can do something about the media; it's not a handbook issue.
Comment 2 Torsten Veller (RETIRED) gentoo-dev 2009-12-20 07:12:15 UTC 
The verification procedure is described at <http://www.gentoo.org/proj/en/releng/index.xml#doc_chap5>.

The handbook describes the installation of media "located in the releases/$arch/autobuilds/current-iso/ directory". Then the listed gpg key is wrong (see the table at link above for which key is used for each release).
Comment 3 Klaas Decanniere 2009-12-20 08:54:01 UTC 
(In reply to comment #1)
> Not a documentation problem. Possibly you just downloaded a bad image (or an
> improperly hashed image), or your 'net connection corrupted it. Try a newer
> stage.
> 
> Reassigning to the folks who can do something about the media; it's not a
> handbook issue.
> 

Well. The handbook assumes the verification is correct. Maybe there should be an indication "when verification goes wrong"?
Comment 4 Klaas Decanniere 2009-12-20 09:06:45 UTC 
> 
> The handbook describes the installation of media "located in the
> releases/$arch/autobuilds/current-iso/ directory". Then the listed gpg key is
> wrong (see the table at link above for which key is used for each release).
> 
Proposed changes to the handbook:
starting from:

Code Listing 3.1: Obtaining the public key

$ gpg --keyserver subkeys.pgp.net --recv-keys 17072058

add to doc:

> The public key changes from time to time. Please verify 
> <http://www.gentoo.org/proj/en/releng/index.xml#doc_chap5>
> for the latest key.

> Now verify the signature and the checksum:
> Code Listing 3.2: Verify the cryptographic signature
> $ gpg --verify <foo.DIGESTS.asc>
> $ sha1sum -c <foo.DIGESTS.asc>
Comment 5 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-05-18 21:36:17 UTC 
I guess there is nothing for infra to do here.
Comment 6 nm (RETIRED) gentoo-dev 2010-05-24 21:07:42 UTC 

*** This bug has been marked as a duplicate of bug 283402 ***