Arch Linux

7739 readers

1 users here now

The beloved lightweight distro

founded 4 years ago

MODERATORS

k_o_t@lemmy.ml

ISO verification (lemmy.world)

submitted 5 months ago by bitahcold@lemmy.world to c/archlinux@lemmy.ml

12 comments fedilink hide all child comments

Hello guys, I'm using Arch as a newbie. Learning about it. But worried about a thing. When I was creating the bootable media for install it, I downloaded the .iso and .iso.sig from any mirror that is near. I followed the things about verification of .iso but I got some errors and gave up. Just used the iso I didn't verificated. I am using the OS that iso installed. There is nothing wrong with usage. I can access all the things about Arch, not had any problems and any performance issues. No special internet usage, no broken things etc. but I'm a bit worried about is there any malicious software such as keyloggers, mining softwares... Can I verify my Arch after the installation? Can I see if there is any software malicious via htop-bpytop? Should I create the bootable media again with verification and reinstall my Arch?

top 12 comments

sorted by: hot top controversial new old

[–] lemmyreader@lemmy.ml 7 points 5 months ago (1 children)

When I was creating the bootable media for install it, I downloaded the .iso and .iso.sig from any mirror that is near. I followed the things about verification of .iso but I got some errors and gave up.

There's two different things. The checksum and the GnuPG signature. If you used the GnuPG method to check the signature I can imagine you got a warning because of the GnuPG key owner trust and that's actually expected behavior and should not worry you. Normally when you exchange GnuPG keys with a person in real life, you can compare key fingerprints and after that you would set the owner trust yourself for their key, but with downloaded iso images this is a different use case though if you really want you can set the owner trust to make the warning go away.

[–] bitahcold@lemmy.world 1 points 5 months ago* (last edited 5 months ago) (1 children)

Oh, I didn't know that. I just downloaded iso and iso.sig then used gpg commands. The thing I'm worried about is, maliciousy chance of the iso. I probably used German or French mirror to download the iso. Then, failed the verification. I am using unverificated iso's Arch Linux now. Can I know if I had any tracker, keylogger or mining software etc. ? Usage is normal and smooth as how it have to be. But idk.. Just worried. I still have the same bootable USB that the iso was extracted into. I have a FreeDOS unnecessary PC. Can I verificate the bootable by executing any verification command while I'm at the installation process? Or, can I verify or check my operating system's originality at post-installation era of my main PC? Thanks for comment.

[–] lemmyreader@lemmy.ml 1 points 5 months ago (2 children)

Oh, I didn’t know that. I just downloaded iso and iso.sig then used gpg commands. The thing I’m worried about is, maliciousy chance of the iso. I probably used German or French mirror to download the iso. Then, failed the verification.

Suggesting the following for the archlinux-2024.05.01-x86_64.iso :

Put your downloaded iso file and the sig file in ~/Downloads/ if you haven't done so.
From your Arch Linux installation install the Sequoia sq tool : sudo pacman -S sequoia-sq
Continue with the following commands : cd ~/Downloads
sq network wkd fetch pierre@archlinux.org -o release-key.pgp
sq verify --signer-file release-key.pgp --detached archlinux-2024.05.01-x86_64.iso.sig archlinux-2024.05.01-x86_64.iso

This should unlike with the GnuPG method give no warnings or errors.

[–] CameronDev@programming.dev 2 points 5 months ago

Using a theoretically backdoored OS to verify anything is pointless.

The backdoored OS can just bypass the checks.

https://wiki.c2.com/?TheKenThompsonHack

[–] bitahcold@lemmy.world 1 points 5 months ago* (last edited 5 months ago) (1 children)

So sorry for labor. There is a lacking information by me. I created the bootable at my previous OS, so there is no same .iso file. Only extracted version on my USB and installed version that is running on my PC. Can I see the mirror source from the extracted version?

[–] lemmyreader@lemmy.ml 1 points 5 months ago (1 children)

Like the other commenter said you are probably fine. If you still worry, backup your /home and go for a fresh install and restore /home.

[–] bitahcold@lemmy.world 1 points 5 months ago

Better guarantee it haha. I did nothing except using unnecessary documents and surfing on the net. And maybe some games. I used archinstall for it but now, I will set it up customized and nonscript. Maybe fresh restart would be better. Thanks for the help again. Goodbye!

[–] BaalInvoker 5 points 5 months ago (2 children)

Just verify the iso you downloaded. If the signature is correct, the iso is safe.

You can simply $ sha256sum the iso file and verify.

But honestly, you're probably safe. I wouldn't be worried in your place.

[–] CameronDev@programming.dev 1 points 5 months ago

The sha256 only validates file integrity, it doesnt ensure legitimacy. A malicious actor would replace both the iso and the checksum at the same time.

Only the signature ensures legitimacy, but properly setting up the chain of trust is near impossible anyway without meeting face-to-face with the iso signer.

[–] bitahcold@lemmy.world 1 points 5 months ago

I did download and set the bootable at my previous OS, Fedora. Now the iso is not reachable and I forgot the mirror that I downloaded from. I still have the usb card I used for installation. Can I do any verification over it? Thanks for reply and relaxing info.

[–] blackstrat@lemmy.fwgx.uk 1 points 5 months ago (1 children)

Should you trust something that failed verification? No. That's the whole point. It's not what you think it is.

[–] bitahcold@lemmy.world 0 points 5 months ago

I mean fail as error. Like, I did something wrong at commands. I haven't verificated the iso about its valid or not. That's the thing I'm worried about. I asked can I verify with other ways without the iso. But I decided to do clean re-install. Thanks for comment. Goodbye.