How-to: Check signed UCS ISO hash

To allow verifying the integrity of the UCS ISO files, they are accompanied by additional hash and signature files:

  • The hash files assert that the ISO file is unmodified and no download error occurred. They are available for several algorithms (sha512, sha256 and md5); prefer sha512 or sha256, since MD5 is no longer collision resistant and only guards against accidental corruption.
  • The signature files assert that the hash files are authentic, i.e. that they were published by Univention. PGP (GnuPG) is used to create and verify these cryptographic signatures.

Together these files allow you to detect manipulation of the ISO, provided you verify that the signing key is the genuine Univention key (step 1). The following steps use the SHA512 hash and the UCS 5.0-1 ISO image as the example.

1. Import the public key

The hashes are currently signed by the Univention Corporate Server 5.x key. The public key can be found on the Univention download server at https://updates.software-univention.de/univention-archive-key-ucs-5x.gpg or on any UCS system since UCS 4.4-4 erratum 605 in /usr/share/keyrings/univention-archive-key-ucs-5x.gpg.

Import the key into your local GnuPG installation:

wget https://updates.software-univention.de/univention-archive-key-ucs-5x.gpg
gpg --import "univention-archive-key-ucs-5x.gpg"

Verify the fingerprint of the imported key by running the following command and compare it with the fingerprint given below. Ideally, confirm that fingerprint against a second source as well, e.g. the copy of the key shipped in /usr/share/keyrings/ on an existing UCS system, so that a tampered download of the key file would be noticed:

gpg --fingerprint "D293E501A055F562"

This should have the following output:

pub   rsa4096/0xD293E501A055F562 2020-05-08 [SC] [expires: 2027-05-07]
      Key fingerprint = 8321 745B B32A 82C7 5BBD  4BC2 D293 E501 A055 F562
uid                   [ unknown] Univention Corporate Server 5.x <packages@univention.de>

2. Check the signed checksum

Download the following matching files to the same directory:

  1. The ISO image UCS_5.0-1-amd64.iso
  2. The checksum file UCS_5.0-1-amd64.iso.sha512 (or ….sha256 or ….md5)
  3. The signature file UCS_5.0-1-amd64.iso.sha512.gpg (or …sha256.gpg or ….md5.gpg)

wget https://updates.software-univention.de/download/ucs-cds/ucs5.0-1/UCS_5.0-1-amd64.iso
wget https://updates.software-univention.de/download/ucs-cds/ucs5.0-1/UCS_5.0-1-amd64.iso.sha512
wget https://updates.software-univention.de/download/ucs-cds/ucs5.0-1/UCS_5.0-1-amd64.iso.sha512.gpg

2.1. Verify the integrity of the checksum file

Assert that the signature matches the checksum file and was made by the key imported in step 1:

gpg --trust-model direct --verify UCS_5.0-1-amd64.iso.sha512.gpg UCS_5.0-1-amd64.iso.sha512

This should report a "Good signature" together with the primary key fingerprint from step 1. The validity shown in brackets depends on the ownertrust you assigned to the key: with no ownertrust set, gpg shows "[unknown]" and warns that the key is not certified, which does not affect the verification as long as the signature is good and the fingerprint matches. The output should look like this:

gpg: Signature made Tue Dec 14 15:26:46 2021 CET
gpg:                using RSA key 0xD293E501A055F562
gpg: Good signature from "Univention Corporate Server 5.x <packages@univention.de>" [full]
Primary key fingerprint: 8321 745B B32A 82C7 5BBD  4BC2 D293 E501 A055 F562

2.2. Verify the integrity of the ISO file

Assert that the checksum file matches the ISO file (both must be in the current directory, and the ISO must carry the file name listed in the checksum file):

sha512sum -c UCS_5.0-1-amd64.iso.sha512

This should print a single line:

UCS_5.0-1-amd64.iso: OK
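The three steps above as one script, added here as an example and not part of the original how-to. It adds the check that a manual reader does by eye but a script easily forgets: gpg exits 0 and prints "Good signature" for a signature by any key in the keyring, so the script compares the signing key's fingerprint from gpg's machine-readable status output against the expected one. It assumes gpg, awk and sha512sum are installed and that the key file, ISO, .sha512 and .sha512.gpg from the how-to are in the current directory; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original how-to: the three steps above as one
# script that also checks WHICH key made the signature. gpg exits 0 and prints
# "Good signature" for a signature from any key in your keyring, so a script
# must compare the signing key's fingerprint against the expected one.
# Assumptions: gpg, awk and sha512sum are installed, and the key file, ISO,
# .sha512 and .sha512.gpg from the how-to sit in the current directory.
set -eu

EXPECTED_FPR="8321745BB32A82C75BBD4BC2D293E501A055F562"   # from step 1, spaces removed
KEYRING="univention-archive-key-ucs-5x.gpg"
ISO="UCS_5.0-1-amd64.iso"

# Read "gpg --with-colons --fingerprint" output on stdin and print the primary
# key fingerprint (field 10 of the first "fpr" record).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Read "gpg --status-fd 1 --verify" output on stdin and succeed only if it
# contains a VALIDSIG record for the fingerprint given as $1. The record is
#   [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> <exp> <ver> <reserved>
#            <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
# so $3 is the key that signed and $12 its primary key (identical here, since
# the 5.x key signs with its primary key; both positions are accepted).
validsig_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

verify_iso() {
    # Step 1: import the key and make sure the key we are about to trust is the expected one.
    gpg --batch --import "$KEYRING" >/dev/null 2>&1
    actual=$(gpg --batch --with-colons --fingerprint "$EXPECTED_FPR" 2>/dev/null | primary_fpr)
    if [ "$actual" != "$EXPECTED_FPR" ]; then
        echo "key fingerprint mismatch: got '$actual'" >&2
        return 1
    fi
    # Step 2.1: the checksum file must carry a valid signature from that key.
    # --status-fd 1 puts machine-readable records on stdout; the human-readable
    # text (including the ownertrust warning) goes to stderr and is discarded.
    if ! gpg --batch --status-fd 1 --verify "$ISO.sha512.gpg" "$ISO.sha512" 2>/dev/null \
            | validsig_matches "$EXPECTED_FPR"; then
        echo "no valid signature by $EXPECTED_FPR on $ISO.sha512" >&2
        return 1
    fi
    # Step 2.2: the ISO must match the now-authenticated checksum file.
    sha512sum -c "$ISO.sha512"
}

# Run the full check only when asked, so the functions can also be sourced alone.
case "${1:-}" in
    run) verify_iso ;;
esac
```

Run it as `sh verify-ucs-iso.sh run` in the download directory. An alternative to checking the fingerprint yourself is `gpgv --keyring ./univention-archive-key-ucs-5x.gpg UCS_5.0-1-amd64.iso.sha512.gpg UCS_5.0-1-amd64.iso.sha512`, which only accepts signatures from keys in the given keyring file; the fingerprint check on that file in step 1 is then still required.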

