The torrent file offers a selection of webseeds, so the attack is not very effective against users with webseed-capable clients. Why did the attacker spend money on producing at least two different versions of the same ISO if one would be enough? Do we?

By pure coincidence a day earlier I was downloading that ISO through torrent perhaps a dozen times. No one spends such an amount of money to attack a random account2, so we should be observing a widespread, ongoing attack. That implies spending at least 120k€ on the attack. I would rather believe that malware is already on account2’s computer and is modifying ISOs, if I have to assume foul play. Unless an actual report about the attack can be produced. I doubt that and find a kernel or hardware issue a more plausible explanation. Maybe qBittorrent is corrupting the downloads? Or maybe a hardware issue? : o

gpg: There is no indication that the signature belongs to the owner.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: Good signature from "Pierre Schmitz "
=> ERROR: The signature identified by archlinux-2020.07.01-x86_64.iso.sig could not be verified.
gpg: BAD signature from "Pierre Schmitz "
$ gpg --keyserver-options auto-key-retrieve --verify archlinux-2020.07.01-x86_64.iso.sig

gpg: There is no indication that the signature belongs to the owner.
SHA1: 8bcd9ef5d7bd22a5e1de671905abaf07ca8cd7f5
gpg: Good signature from "Internet Systems Consortium, Inc.
GOODSIG 17CC5DB1F0088407 Internet Systems Consortium, Inc.
SIG_ID 5bVFGMOyueMB8QxRvTmJGgJfCxI 1608121266
gpg: Signature made Wed Dec 16 12:21:06 2020 UTC

I can import this public key into my keyring now: In the case of ISC they have a helpful document which does both and gives you instructions too, so I know the above key is valid. If the website gives the key ID or a key you can download, stick with that. This purports to be from someone with an email address so is probably genuine, but there’s no guarantee.
Sometimes you can get the public key from the website where you downloaded the file, but if that’s not the case, what you need to do is note the RSA key in the output above and go search for it on a public keyserver such as. This errors, as you can see, because I don’t have the public key of the signer in my keyring. asc file, the second is the file whose signature I want to verify against the one in the. I run the gpg command with the --verify switch.

gpg: Can't check signature: No public key