Authenticate/Verify download


(Jacob) #1

Hello, first post. I’m making an effort to self-study how to use Linux and want to test drive Parrot. I’m a Windows native, so verification and integrity checking are things that I’m clumsily learning, but trying to do my due diligence so I understand how it works. That out of the way, this is where I’m hitting a bump.

I downloaded the current version, know how to use Etchr, and downloaded the signed hashes. In my limited experience I can bumble around GPG4Win and Kleopatra and I think I have an okay overview of the verification chain, but the hashes and keys on the downloads page are all clumped in one file, and this has me scratching my head. I wanted to do all of the verification in a Linux environment but I’d have to piecemeal all the terminal commands together like a puzzle and figured I could just do it via GPG4Win so I could get started.

So:

  1. I think I figured out how to import the keys (by copy/pasting the keys part of the file and creating a .gpg file), but I want to also take it a step further and certify it’s authenticity. Can someone verify the key certificate fingerprint so I know I got the right result?

  2. I’m going to experiment with the rest of the file to see if I can run hash checks, but while I do that, can someone let me know the best practice for handling a lump credential file in the future? Or if I’m doing what I should be doing?

  3. Based on my long exposition, does it look like I’m missing any important steps?

I apologize for the long first post, I’m trying to learn the process and the software by jumping in head first. Once I’ve verified everything I’d like to setup a dual/multiboot install so I can switch between different Linux versions and bumble around that, too, so let me know if I’m making any dumb mistakes. (I thought about installing VirtualBox on a Linux install and testing different OSes, but figured I may as well learn how to manage a dualboot environment while I’m clunking around)

Thanks for taking the time to wade through that wall of text!


What version of Parrot are you running? (include version, edition, and architecture)
– Parrot Security 4.4 64bit

What method did you use to install Parrot? (Debian Standard / Debian GTK / parrot-experimental)
– N/A

Configured to multiboot with other systems? (yes / no)
– Yes, I intend to.

If there are any similar issues or solutions, link to them below:
– Not that I’ve seen yet.

If there are any error messages or relevant logs, post them below:
– Nope.


(Nico Paul) #2

you are a pretty solid instructor so give yourself some reward there, its hard af to just jump in but it will get the best results if you shut the window(s) for a few weeks (that was my strategy) it helped me remember my commands and forced me to learn why to do things and to just read what the machine is saying haha its different from the “close the error box quickly and itll juts go away” windows techniques… ItsFOSS is an awesome awesome resource thats written to be usable by newer to linux folk and this is your doublecheck guide link (with a whole lotta other links to questions you probably have) https://itsfoss.com/checksum-tools-guide-linux/ and good idea skipping the vm, just extra troubleshooting steps IMO. oh, and thanks for being another book writer around here cause now i dont feel so bad haha


(Jacob) #3

Trust me, I’ve written some books lol

Yeah thanks, I can’t say this is the best way for me to learn but I’m going to try to get my head wrapped around the basics, I like trying to learn everything at once as much as that never works.

My overall goal is to learn better practices and methods, which is why I’m forcing myself to make sure I’m verifying and certifying things correctly.


(Matt) #4

On checking the file hashes.

You can generate hashes of files quite easily. Parrot provides multiple hashsum commands to do this.

md5sum <file> Will output a hash that will (assuming it downloaded correctly) match the one inside singed-hashes.txt.

You can also check the other hashes using sha1sum, sha224sum, sha256sum, ect… ect…

You could put the hashes you are comparing in two files, and compare them using cmp. But if the hashes dont match it will be obvious anyway.


(Jacob) #5

Well, I’m sure people who are more cmd/PowerShell/terminal savvy probably know the trick, but what I did in the end was

  1. Save the signed hashes as a .txt
  2. Copy/Paste the keys to they’re own .txt, save them as .gpg and import them (I eventually certified them in Kleopatra for my system, so now I’m more familiar with how that works)
  3. Run Windows cmd certutil to get the filehash for the ISO download and compared it to the hashes in the text file

It’s kind of a clumsy way to do it but everything more or less appeared correct. Admittedly I’m not sure how to handle the signed PGP attribute, what I did while tinkering around was I used GpgEX to Decrypt and Verify the original .txt file and it successfully displayed the certificate results which I decided I had probably verified everything. But what this means though is that I’m going to need to do some heavy reading about cryptosigning so I can figure out how it all works in a Linux environment.


(Matt) #6

I have no idea what you have done there, but if it worked then so be it.

The PGP signature is so that you can verify the document was provided by Palinuro. Reading this might help: http://ask-leo.com/what_does_begin_pgp_signed_message_mean.html


(Jacob) #7

Oh yeah, I’ve seen some Ask Leo articles before, he did good stuff. I wonder if he’s still writing.

I’ll check this out, thanks for the link.