Thread: I have a question regarding GPG Keys

  1. #1
    Join Date
    2014-May
    Posts
    1

    I have a question regarding GPG Keys

    Hi, I have read this post https://forums.kali.org/showthread.p...SHA1SUMS-issue and I followed the same steps (for Kali 1.0.7) and got the same results.

    Well, I downloaded the .iso from the torrent file on Kali's website (http://cdimage.kali.org/kali-1.0.7/k...-amd64.torrent), then I downloaded both files (SHA1SUMS and SHA1SUMS.gpg) from these URLs:
    http://cdimage.kali.org/kali-1.0.7/SHA1SUMS
    http://cdimage.kali.org/kali-1.0.7/SHA1SUMS.gpg

    Well, my questions are:
    After I executed this command:
    gpg --verify SHA1SUMS.gpg SHA1SUMS
    I got the message:
    Code:
    gpg: Firmado el mar 27 may 2014 08:39:38 BOT usando clave RSA ID 7D8D0BF6
    gpg: Firma correcta de "Kali Linux Repository <[email protected]>"
    gpg: ATENCIÓN: ¡Esta clave no está certificada por una firma de confianza!
    gpg:           No hay indicios de que la firma pertenezca al propietario.
    Huellas dactilares de la clave primaria: 44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
    (well, my laptop is set up in the Spanish language)

    Well, my question is: how does this guarantee that the ISO file has not been modified by someone else? If I am verifying only the files SHA1SUMS and SHA1SUMS.gpg that I downloaded from Kali's website, what is the relationship with the .iso image?


    Please help me, I don't understand this.

    Thanks

  2. #2
    Join Date
    2015-Jan
    Posts
    1

    gpg

    Quote Originally Posted by sozo
    Hi, I have read this post https://forums.kali.org/showthread.p...SHA1SUMS-issue and I followed the same steps (for Kali 1.0.7) and got the same results.

    Well, I downloaded the .iso from the torrent file on Kali's website (http://cdimage.kali.org/kali-1.0.7/k...-amd64.torrent), then I downloaded both files (SHA1SUMS and SHA1SUMS.gpg) from these URLs:
    http://cdimage.kali.org/kali-1.0.7/SHA1SUMS
    http://cdimage.kali.org/kali-1.0.7/SHA1SUMS.gpg

    Well, my questions are:
    After I executed this command:
    gpg --verify SHA1SUMS.gpg SHA1SUMS
    I got the message:
    Code:
    gpg: Firmado el mar 27 may 2014 08:39:38 BOT usando clave RSA ID 7D8D0BF6
    gpg: Firma correcta de "Kali Linux Repository <[email protected]>"
    gpg: ATENCIÓN: ¡Esta clave no está certificada por una firma de confianza!
    gpg:           No hay indicios de que la firma pertenezca al propietario.
    Huellas dactilares de la clave primaria: 44C6 513A 8E4F B3D3 0875  F758 ED44 4FF0 7D8D 0BF6
    (well, my laptop is set up in the Spanish language)

    Well, my question is: how does this guarantee that the ISO file has not been modified by someone else? If I am verifying only the files SHA1SUMS and SHA1SUMS.gpg that I downloaded from Kali's website, what is the relationship with the .iso image?


    Please help me, I don't understand this.

    Thanks
    You verify the sha1sum of the ISO, then you verify the sha1sum is authentic by running these commands:
    cat SHA1SUMS
    sha1sum (the name of the iso)
    Verify that the hash is the same, then run:
    gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6
    then
    gpg --verify SHA1SUMS.gpg SHA1SUMS
    You'll get an output like this:

    gpg: Signature made Thu 02 Oct 2014 09:26:04 AM EDT using RSA key ID 7D8D0BF6
    gpg: Good signature from "Kali Linux Repository <[email protected]>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6

    The 3rd line appears because you haven't got the public key from the signer, but we know that it is the signer by matching the fingerprint to the one on Kali's site. If you wanted to, you can email the key owner at [email protected] and get the public key from him and import it in, but it's always better to get keys in person....

    P.S. I would recommend learning more about gpg by googling it.

    Hope this helps
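
Added example, not part of either post and not Kali's own tooling: the two checks from the thread chained together, so the signature on SHA1SUMS and the ISO's entry inside SHA1SUMS are both required. Function names are hypothetical; it assumes gpg, GNU sha1sum, and that the signing key has already been imported.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes gpg and GNU sha1sum,
# and that the signing key has already been imported (the --recv-key step).
# Fingerprint as printed in the thread; compare it with the one on Kali's site.
KALI_FPR="44C6513A8E4FB3D30875F758ED444FF07D8D0BF6"

# Link 1: SHA1SUMS carries a good signature made by the expected key.
# --status-fd output is machine-readable and the same in every locale.
signed_by_expected_key() {   # args: sigfile datafile fingerprint
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk -v want="$3" '
            $2 == "GOODSIG"                 { good = 1 }
            $2 == "VALIDSIG" && $NF == want { fpr = 1 }
            END { exit !(good && fpr) }'
}

# Link 2: the ISO hashes to the value listed for it in the signed SHA1SUMS.
# Returns 0 on match, 1 on mismatch, 2 if the ISO is not listed at all.
iso_matches_list() {         # args: sumsfile isofile
    want=$(awk -v f="$(basename "$2")" '
        { name = $2; sub(/^\*/, "", name) }
        name == f { print $1; exit }' "$1")
    [ -n "$want" ] || return 2
    have=$(sha1sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Both links must hold: the signature vouches for SHA1SUMS, and SHA1SUMS
# vouches for the ISO. Neither check says anything about the ISO alone.
verify_iso() {               # args: isofile [sumsfile] [sigfile]
    sums=${2:-SHA1SUMS}
    sig=${3:-SHA1SUMS.gpg}
    signed_by_expected_key "$sig" "$sums" "$KALI_FPR" ||
        { echo "FAIL: $sums is not signed by $KALI_FPR" >&2; return 1; }
    iso_matches_list "$sums" "$1" ||
        { echo "FAIL: $1 does not match its entry in $sums" >&2; return 1; }
    echo "OK: $1 matches $sums, which is signed by $KALI_FPR"
}

# Run only when an ISO path is given on the command line.
if [ "$#" -gt 0 ]; then verify_iso "$@"; fi
```

Parsing the status lines instead of the human-readable text means the check behaves the same whether gpg prints "Good signature" or "Firma correcta".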
