When installing our favorite Linux distribution, the first thing we do is download the official installation image, an ISO file, from the distribution website or a third party site. Imagine for example that CentOS has just released a new version, and we are eager to give this new version a try by performing a fresh install on one of our machines. So we access the official CentOS website and download the latest ISO image from the download section.
NetEye 4, as you know, is based on CentOS. It is also distributed via ISO images and, as in the case of CentOS, the NetEye 4 ISO images can be downloaded from the NetEye download site.
Having obtained the ISO image, we can now start to install the OS, right?
Before starting the installation, however, it is fundamental to verify the integrity and authenticity of the downloaded image: that it is what it claims to be and that nobody has tampered with it. If a distribution's infrastructure is compromised, tampered images can end up on the official website itself and be downloaded by unsuspecting users. Some time ago, Linux Mint's website was hacked and a tampered version of the ISO image, with a backdoor in it, was published in place of the real one. Thankfully the response was extremely fast, but generally speaking, when things like this happen the consequences can be severe. The lesson is the importance of verifying downloaded ISO images before using them.
Like most popular Linux distributions, NetEye also publishes signed checksum files that can be downloaded along with the ISO images. These files are what we use to verify the NetEye ISO images: the checksum tells us the image is intact, and the signature tells us the checksum really comes from NetEye.
There are basically two steps in the verification process:
1. verify the GPG signature of the checksum file with the NetEye public key, so that we know the checksums are the ones NetEye published;
2. compute the SHA-256 checksum of the downloaded ISO and compare it with the entry in the signed checksum file.
Let's take a look at each step.
Our public GPG key can be downloaded from this very same blog by visiting the download section under NetEye ➝ GPG public key ➝ public-gpg-key. Once you have extracted the key from the archive, you can import it to your keyring:
$ gpg --import public.gpg
Next, check the fingerprint of the imported key:
$ gpg --fingerprint firstname.lastname@example.org
The fingerprint must match the following one (it can be found in the same download section where you found our public key):
pub   4096R/1A0C0C60 2020-09-29 [expires: 2030-09-27]
      Key fingerprint = E610 174A 971E 5643 BC89 A4C2 B677 7D15 1A0C 0C60
Assuming you have already downloaded the NetEye 4.15 ISO image, you must download, from the same web page, the file containing the checksums of the ISO files hosted on that specific page, sha256sum.txt.asc:
This is an ASCII-armored file: plain text that can be copied and pasted anywhere, which guarantees maximum portability (at the expense of file size) when transmitting keys and signatures. If you open the file, it looks just like a normal text file.
Imagine you want to sign a file that has the following content:
$ cat xmas.txt
Merry xmas and happy new year
If you clearsign the file with your private key, what you get is:
$ cat xmas.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Merry xmas and happy new year
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v x.y.z (GNU/Linux)

...
K7+fkHzYjcmbtf5KAMnJP2ieQLwwrMuRN/GsUUmgdLszor67WP5
o4JEdXKnrErFBUeMaNs=
=e17S
-----END PGP SIGNATURE-----
As you can see, the content of the file is still readable in its signed form: the signature is simply appended below it, and the Hash: header states which digest algorithm was used when signing.
Let's get back to our verification procedure: you have obtained the sha256sum.txt.asc file, and now you would like to verify it:
gpg --verify sha256sum.txt.asc
The output of the above command is:
gpg: Signature made Tue 29 Sep 2020 03:50:01 PM CEST
gpg:                using RSA key B6777D151A0C0C60
gpg: Good signature from "Wuerth Phoenix <email@example.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E610 174A 971E 5643 BC89 A4C2 B677 7D15 1A0C 0C60
As you can see from the output, the signature is good, but gpg warns that "There is no indication that the signature belongs to the owner".
This is expected and perfectly normal. In one of the previous steps you imported the NetEye 4 public key into your keyring, but importing a key proves nothing about who owns it, and we never told gpg that we trust it. The property that matters is established by you, not by gpg: the fingerprint of the imported key, and the "Primary key fingerprint" printed by gpg --verify, must match the fingerprint published on the NetEye download site. If they match, you can trust the key; if they do not, stop and do not use the ISO, whatever "Good signature" says. Since the key and the images are served by the same site, it is also good practice to cross-check the fingerprint through a second channel when you can, for example against a copy of the key you downloaded earlier.
Let's put the neteye4.15-centos.stable.iso and the sha256sum.txt.asc files in the same folder. We can now verify the ISO file with the following command:
$ sha256sum -c sha256sum.txt.asc 2>&1 | grep OK
The output will be something like this:
neteye4.15-centos.stable.iso: OK
Two things are worth knowing about that pipe. sha256sum prints a warning for the PGP armor lines (to it they are "improperly formatted" checksum lines) and a FAILED line for every other image listed in the file that you did not download, and the grep hides all of that. It also hides the exit status of sha256sum, so look for the OK line for your file by eye rather than trusting the exit status of the pipeline in a script.
At this point we can be confident that the ISO file we downloaded is what we expect it to be, NetEye version 4.15, and that the file is not corrupted: its checksum matches the entry in a file signed by the key whose fingerprint we checked.
If instead you obtain a line that is not OK, or no output at all (the grep also hides FAILED lines), first try to download the file again, since it may simply have been corrupted during the download. If the error persists, feel free to contact us for help!
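For readers who want to run the procedure above from a script, here is an added example, not NetEye's own tooling, that performs the three checks (key fingerprint, signature on the checksum file, checksum of the ISO) as shell functions that fail loudly instead of relying on "grep OK". It assumes gpg and sha256sum are in PATH, that the NetEye public key has already been imported as shown above, and that the file names are the ones used in this post; the expected fingerprint is the one published on the NetEye download page.

```shell
#!/bin/sh
# Added example, not NetEye's own tooling: the three checks from this post
# (key fingerprint, signature on the checksum file, checksum of the ISO)
# as shell functions that fail loudly instead of relying on "grep OK".
# Assumptions: gpg and sha256sum are in PATH, the NetEye public key has
# already been imported, and the file names are the ones used in the post.
# The expected fingerprint is the one published on the NetEye download page.

EXPECTED_FPR="E610 174A 971E 5643 BC89 A4C2 B677 7D15 1A0C 0C60"

# Normalize a fingerprint to the 40-hex-digit uppercase form gpg uses internally.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Step 1: the imported key must carry the expected fingerprint.
# --with-colons gives a stable, machine-readable layout; the "fpr" record's
# tenth field is the fingerprint of the primary key.
check_key_fingerprint() {
    want=$(norm_fpr "$1")
    gpg --batch --with-colons --fingerprint "$want" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }' \
        | grep -qx "$want"
}

# Step 2: verify the clearsigned checksum file AND make sure the signature
# was made by that key. "Good signature" alone only means some key in the
# keyring signed it; the VALIDSIG status line carries the signing key's
# fingerprint (field 3) and the primary key's fingerprint (last field).
verify_checksum_file() {
    want=$(norm_fpr "$2")
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v want="$want" '
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
        END { exit !found }'
}

# Step 3: compare the ISO's SHA-256 with its entry in the signed file.
# The file also holds armor lines and entries for other images, so pick the
# line for this file name only. A missing entry is an error (status 2), not
# something to be filtered away silently. A leading "*" marks binary mode.
iso_matches_checksum() {
    iso=$1; sums=$2
    expected=$(awk -v f="$(basename "$iso")" '
        { n = $2; sub(/^\*/, "", n); if (n == f) { print tolower($1); exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $(basename "$iso") in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print tolower($1) }')
    [ "$actual" = "$expected" ]
}

# Run all three steps in order; stop at the first failure.
verify_iso() {
    iso=$1; sums=$2
    check_key_fingerprint "$EXPECTED_FPR" \
        || { echo "imported key does not match the published fingerprint" >&2; return 1; }
    verify_checksum_file "$sums" "$EXPECTED_FPR" \
        || { echo "$sums: bad signature, or signed by a different key" >&2; return 1; }
    iso_matches_checksum "$iso" "$sums" \
        || { echo "$iso: checksum mismatch" >&2; return 1; }
    echo "$iso: OK"
}

# Usage: sh verify_neteye_iso.sh neteye4.15-centos.stable.iso sha256sum.txt.asc
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2"
fi
```

The script deliberately does not mark the key as trusted in the keyring: gpg's "not certified" warning is irrelevant once the fingerprint comparison in step 1 has passed, and checking the VALIDSIG fingerprint in step 2 closes the gap where a second, unrelated key in your keyring could also produce a "Good signature".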
In this blog post we discussed how to verify the NetEye ISO images to avoid unexpected security problems. Security is a hot topic these days, and it is fundamental to pursue the highest security standards, as we try to do in our daily work.
Thanks for your attention, I wish you a…
$ cat xmas.txt
Merry xmas and happy new year