PGP Signature Verification (Integrity: Security Essentials)

Feb 25, 2022

If you install Linux, or another operating system, and neglect to verify the integrity of that image (using a checksum and/or PGP signature), you may very well be left questioning the trust of everything on that system thereafter.

(don't make the mistake of skipping these vital steps)

We covered integrity before, using checksum verification, both for individual files and for an entire system.

Miss it? See Checksums: Arch + Manjaro / Debian based (both: video / article).




WHY INTEGRITY? READ ON.

OR, SKIP DOWN TO START OF "TUTORIAL".

(a refresher on integrity/cryptographic benefits - it's not just for privacy)


MITM (Man [or 'manipulator'] In The Middle)

During a man in the middle attack, our attacker sits somewhere in the middle (hence MITM). This could be performed by:

  • a human behind a machine (example)

  • an automated hidden Pi Zero or other IoT device

  • a device while on public WiFi

  • your LAN (home/work WiFi network)

  • higher up the chain inside your ISP network

  • on the network for the download server itself.


Once you install a backdoored Linux image, the rest of security/privacy goes out the window.


Good News: checking fingerprints and being mindful of encryption helps avoid the majority of MITM security problems today. Especially when using shared networks.


TIP: When's the last time you patched vulnerable IoT devices? These can be high risk. Always a good idea to create a separate isolated LAN for these.


ATTACKED SERVERS (PREVIOUS EXAMPLE)

If you download from a server that is compromised, don't be surprised if the attacker "left a present".

(If you have problems with this tutorial or others, leave a comment: your question could help others in the future, and that's the ultimate goal here: help as many people as possible using these public tutorials. The extras section offers another form of support, including custom Linux server images/consulting, for those who want to receive 1 on 1 help/services (helps support this content).)


πŸ—’οΈ TUTORIAL: VERIFYING PGP SIGNATURES πŸ”’ πŸ–ŠοΈ

Use this guide to verify Tails or any other package/image.

The only thing that changes here is the sites you download the key + signature/file from.

Verification remains the same - that's why we use encryption.


STEP #1: INSTALL GPA (GNU PRIVACY ASSISTANT)

FIRST: Install/Open GPA (GNU Privacy Assistant)

Debian Install: apt install gpa -y

Arch/Manjaro Install: pacman -S gpa

NEXT: Download the provided public key from the developer's official sources (see below example process).

In this example we import RTP's key. This key can be used to verify anything which has been signed by RTP, ensuring that RTP themselves created the file download (substitute for other source/img).

No one can "spoof" RTP's signature to match: as long as we have downloaded/imported the correct RTP key (containing correct fingerprint).

We go into tips on verification.

Here, we find the PGP / GPG key itself on the Politictech/BMAC Tutorial site at the secure onion link:

Why Tor Hidden Service Link? Tor hidden services use end-to-end encryption to thwart MITM attacks, making a more secure way to share PGP / GPG keys.

In this particular case, we are viewing this on a trusted encrypted Pastebin site, adding further security: the public key of the hidden service encryption makes up the .onion address.

Additionally, the key itself to the storage encryption for the encrypted pastebin post makes up the end remainder of the link.


TIP: Only sign/trust keys after verifying that key carries the correct fingerprint. If you remember nothing else from this article, remember this: fingerprints must match the original/official.


NEXT: SAVE PGP KEY

IMPORTANT NOTE: In the example, the key itself is provided by a secure hidden service domain (.onion) we trust.

It's important to further verify the key fingerprint through a 3rd party (keyservers, signed by trusted developers, for a few examples).

Next: Copy and paste the entirety of the PGP Public Key Block into a file and save this file as 'rtp-key'.



You are certainly FREE / welcome to use the provided public community service encrypted pastebin (for any ethical purposes, i.e. sensitive credentials / temporary passwords with customers / coworkers) by going Here (in Tor Browser).

It's for the community.


IMPORT THE KEY INTO GPA/GPG

Open GPA and tap on the Keys menu. Select Import Keys (as shown below)

Select the file you just saved the public key into (rtp-key).


MATCH THE FINGERPRINT

Tap on the key you just imported. At the bottom of your window you will see the fingerprint for that exact selected key (see below screenshot). It should match the source website (ideally, verify by multiple sources where possible).

Now compare the above fingerprint on our newly imported key against officially known fingerprints for the name of the key owner in question (RightToPrivacy/RTP is the example here).

First comparing to the original source:

Still, if a website were compromised, attackers could potentially replace links and keys/fingerprints.

Match across multiple sources (where possible).


In our case the fingerprint provided is seen on the main page, on another server in signatures of emails, and on other project source servers.

This provides us multiple sources of matching fingerprints to the imported key.

If the fingerprints do not match, delete the key (unless one fingerprint is an old/expired key - leave a comment if you have any questions on this! Happy to help answer.)

Other options exist without using multiple sources, such as using the trust/validation of other trusted developers. This is the case for Tails: Debian developers have signed the Tails key. This makes it valid once we validate the Debian developers' key to do so.


VERIFYING FINGERPRINT MATCHES USING ADDITIONAL SOURCES
(QUICK METHOD)

You can use something like the Whoogle search engine (anon Google) to search directly for the key fingerprint in quotes, further verifying the owner of a key fingerprint for you (commonly discussed/printed in forums, Stack Overflow, etc.).

Verifying through multiple different sources adds confidence to authenticity.

Another option is searching the public keyservers.

Yet another is trusting known keys (such as Debian developers' signatures to verify Tails Linux) to verify a newly imported key, to develop a "web of trust".


WHY FINGERPRINTS MATTER

FINGERPRINT EXAMPLE #1: If using SSH on a shared network, read SSH Part I, and when it comes to fingerprints, especially Secure SSH Part II. Learn how to check SSH fingerprints server-side against those displayed upon connection to avoid a MITM here.


FINGERPRINT EXAMPLE #2: HTTPS website certificate fingerprints are one way to check for an active MITM (SHA1, SHA256).

During times of online uncertainty, try checking a few of the fingerprint/site examples at the end of this article (article subject: $1bil VPN buyout by a large company whose ownership happened to have a data collection/malware history).

FINGERPRINT EXAMPLE #3: If in the course of our messaging, the public key fingerprint changes on us (without the person changing their key), we may be in the midst of a MITM.

Hopefully this helps emphasize the importance of checking fingerprints.


SIGN KEY / ADD TRUST

Once we are thoroughly confident we have imported the correct key, we can right click on that key to set any trust levels we would like (see below screenshot), and sign the key to validate it ourselves.

You may trust this developer and wish to set a more complete trust profile. Or maybe this key is less trusted to take actions for you. The choice is yours.

After setting the trust level, sign the key (after verifying the fingerprint).

Once we have signed the key, we can then use it to validate signatures/images.


πŸ“ IMPORT OUR SIGNATURE FILE πŸ’Ύ

  • Download the image or package you wish to verify.

  • Download the signature file into same directory (.sig).


πŸ—„οΈ OPEN FILE MANAGER

NEXT: In GPA, "Open the file manager" πŸ“ (seen in folder icon above red box)-


πŸ“ File Manager: Open Signature File 🏷️

Next we can open the signature file itself (inside directory of downloaded file)

This can either be separate from the file/image itself, or, it may be all in one file.

Either way, we open the .sig extension file πŸ’Ύ :


Opened Signature:

After opening the .sig file we should see it in the box as displayed below.


VALIDATE SIGNATURE / IMAGE

Next we can click "Check Signatures Of Selected File" and if all is well, you should receive a "VALID" message in return:

The above shows the PineDio gateway image verified. Substitute any package or Linux distribution here (such as Tails OS, Whonix, Qubes, Debian).


Follow this guide for ANY PGP signature verification for a download (i.e. a Linux operating system image).

(trusted example used here)
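
The fingerprint matching and signature check above can also be scripted with the gpg command line that GPA is a front end for. This is an added example, not part of the original tutorial: the function names and file arguments are hypothetical, the sample fingerprint and gpg output are constructed, and it assumes a GnuPG version that supports `--show-keys`.

```shell
#!/bin/sh
# Added example (not from the original article). Sample data is constructed.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567  # placeholder, not a real key
SAMPLE_COLONS="pub:-:4096:1:89ABCDEF01234567:1645800000:::-:::scESC:
fpr:::::::::$SAMPLE_FPR:
uid:-::::1645800000::::Example Signer <signer@example.invalid>:"
SAMPLE_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2022-02-25 1645800000 0 4 0 1 10 00 $SAMPLE_FPR"

# Drop spaces/colons and upper-case, so "ab12 cd34" and "AB12CD34" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# stdin: `gpg --with-colons` key listing. Prints the primary key fingerprint,
# which is field 10 of the first "fpr" record (the one after "pub").
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# stdin: `gpg --status-fd` output for one signature. Prints the signer's primary
# key fingerprint (last VALIDSIG field) only if GOODSIG was also reported;
# expired or revoked keys report EXPKEYSIG/REVKEYSIG instead and print nothing.
good_signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         END { if (good && fpr != "") print fpr }'
}

# $1: fingerprint of the key file we hold; $2...: fingerprints copied from
# independent sources. Succeeds only if there is at least one source and all match.
all_sources_match() {
    have=$(normalize_fpr "$1"); shift
    [ -n "$have" ] && [ "$#" -gt 0 ] || return 1
    for src in "$@"; do
        [ "$(normalize_fpr "$src")" = "$have" ] || return 1
    done
}

# Usage: verify_download rtp-key FILE FILE.sig "fpr from site" "fpr from keyserver"
verify_download() {
    keyfile=$1 file=$2 sig=$3; shift 3
    key_fpr=$(gpg --with-colons --show-keys "$keyfile" | primary_fpr)
    all_sources_match "$key_fpr" "$@" || { echo "fingerprint mismatch" >&2; return 1; }
    gpg --import "$keyfile" || return 1
    signer=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null | good_signer_fpr)
    [ "$signer" = "$key_fpr" ] || { echo "no good signature from $key_fpr" >&2; return 1; }
    echo "VALID: $file signed by $signer"
}
```

The key is imported only after its fingerprint matches every source you pass in, and the download is accepted only when the good signature comes from that same key rather than from any other key already in your keyring.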

Congratulations!

You did it.


More edits may be made to this later including possible video

