Hi, can I verify an iso download with gpg? If so, how?
To check the downloaded iso file for correctness, you do not need gpg; you need to calculate the hash using the sha256 algorithm. The IPFire project shows the correct hash of the file next to the link to the iso file to download. What you need to do is download the iso, open a terminal, use the right program (normally sha256sum) to calculate the hash of the iso and compare it with the one released by the project. In my case, because I am on macOS, I need to use shasum -a 256 to do the same.
For example, in one line this script checks the hash of the last iso, compares it with the one released by the project and prints in a conditional statement a message clarifying if the two are identical or not.
[ "$(shasum -a 256 ipfire-2.27-core174-x86_64.iso | awk '{print $1}')" = "d5291ae8f6b2eed220309a645e417bff59364f52f2596f4b61b5c39fcb2419c7" ] && echo "File is verified" || echo "File is NOT verified"
which translates to:
File is verified
This procedure verifies the correctness of the file.
In terms of signing the release to prove that it is coming from the developers (in case their site is compromised), I confess I am not aware of the public signing key for IPFire. I should look back at the wiki.
Anyhow, I think the single packages downloaded by pakfire are signed and the program checks automatically for their validity.