FreeNAS public key - .iso verification

bar17

Dabbler
Joined
Oct 24, 2019
Messages
33
Hello everyone,

Per the manual I navigated to https://download.freenas.org/11.2/STABLE/latest/ and downloaded 11.2-U6. I performed the sha256 of the file and verified the hash.

I noticed the FreeNAS-11.2-U6.iso.gpg file but cannot find a FreeNAS public signing key to verify the hash.

How do I know there is not someone mischievous planting 11.2-U6 ISOs with backdoors and their updated .sha256 file?

Can someone please point me to the latest release public signing key?
 

droeders

Contributor
Joined
Mar 21, 2016
Messages
179
I searched for truenas on this public key server and got a couple of hits:


I don't know if either of these are used for the signing or if it's some other key.
 

bar17

Dabbler
Joined
Oct 24, 2019
Messages
33

Thank you very much. Ideally the manual would link there as well.

I am now getting a "bad signature". Can someone else please verify?

I'm using key ID: 12CF7946 found @ https://sks-keyservers.net/pks/lookup?op=vindex&search=0xC8D62DEF767C1DB0DFF4E6EC358EAA9112CF7946

Both of the below files are found from the above link.
The key itself is here: https://sks-keyservers.net/pks/lookup?op=get&search=0x358EAA9112CF7946
I'm trying to verify this gpg file: http://download.freenas.org/11.2/STABLE/U6/FreeNAS-11.2-U6.iso.gpg

Do you get a valid signature? I would be very surprised if there was a problem...
 

Vaclav

Administrator
Joined
Feb 22, 2014
Messages
4
Hi Bar17, yes I'm able to get a valid signature.

Here are my steps on a command line on a machine without a previous setup.
image_2019-11-14_12-59-34.png


Now you have to import the public key.
image_2019-11-14_13-04-35.png


And run the verification again.
image_2019-11-14_13-05-21.png


Now the signature is verified as good, but it is not trusted.
And now this is up to you to go online and check the key. You should be able to find a key created on October 15th and signed by several people from iXsystems. If that is good enough for you and you don't see anything suspicious you can go ahead and set the trust level for the key.
image_2019-11-14_13-13-17.png

image_2019-11-14_13-13-29.png

image_2019-11-14_13-13-48.png


Now you can run the verification again.
image_2019-11-14_13-14-30.png


Or if you prefer GUI and use an operating system compatible with Kleopatra, you can verify the signature using Kleopatra. (You will still need to import and trust the key).
Pasted Image_ Nov 14, 2019 - 12_40_46pm.png
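
Added example, not part of the post above and not iXsystems tooling: a shell check that accepts the ISO only when gpg reports a valid signature from the full fingerprint quoted earlier in the thread, not merely from a key sharing the short ID 12CF7946. It assumes the .iso.gpg file is a detached signature over the .iso; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): accept the ISO only if gpg reports a
# valid signature from one pinned full fingerprint. The fingerprint is the one
# quoted in the thread; confirming it is the real release key is still up to you.
EXPECTED_FPR="C8D62DEF767C1DB0DFF4E6EC358EAA9112CF7946"

# check_status FPR: reads `gpg --status-fd` lines on stdin.
# VALIDSIG carries the signing-key fingerprint in field 3 and the primary-key
# fingerprint in the last field. gpg also prints VALIDSIG for expired or
# revoked keys, so those status codes are rejected explicitly.
check_status() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_iso SIGFILE ISOFILE: assumes SIGFILE is a detached signature.
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status output (not captured from a real gpg run).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 358EAA9112CF7946 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG C8D62DEF767C1DB0DFF4E6EC358EAA9112CF7946 2019-11-01 1572566400 0 4 0 1 8 00 C8D62DEF767C1DB0DFF4E6EC358EAA9112CF7946'
# Constructed key with the same short ID (12CF7946) but another fingerprint.
SAMPLE_LOOKALIKE='[GNUPG:] GOODSIG 89ABCDEF12CF7946 Constructed Lookalike
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF12CF7946 2019-11-01 1572566400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF12CF7946'

# Usage: sh verify.sh FreeNAS-11.2-U6.iso.gpg FreeNAS-11.2-U6.iso
if [ "$#" -eq 2 ]; then
    if verify_iso "$1" "$2"; then
        echo "signature valid and signer matches the pinned fingerprint"
        exit 0
    fi
    echo "verification FAILED" >&2
    exit 1
fi
```

Because the decision is made on the fingerprint in the VALIDSIG line, it does not depend on the local trust level assigned to the key.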
 

bar17

Dabbler
Joined
Oct 24, 2019
Messages
33
> Hi Bar17, yes I'm able to get a valid signature.
>
> Here are my steps on a command line on a machine without a previous setup.
> ...
> Or if you prefer GUI and use an operating system compatible with Kleopatra, you can verify the signature using Kleopatra. (You will still need to import and trust the key).

Thank you for the thorough response. I have used GPA on Windows for a while to validate signatures without problem.

I am not sure why it is giving me a bad signature. I did check the SHA256, and it matches, so it is not a corrupted file.

1574188556849.png


I downloaded the latest version of Gpg4win and, using the same GPA/GnuPG, the signature checked out just fine. Which makes me think my software is working...

1574188595422.png


I have never used Kleopatra as I didn't see the need for the additional functionality. It seems more for enterprise situations when certificates are issued.

However, I did go ahead and install it, and it does verify the file.

1574189343171.png


Do you have any idea as to why GPA might be giving a bad signature when Kleopatra is giving a good signature?

I can rationalize that this is sufficient to prove validity of the file, however it is troublesome that what I have done in the past is no longer working, and that doing what I have done in the past still works with other signatures from other software projects.
 
