diff --git a/verify.txt b/verify.txt index 0d730c8..7264224 100644 --- a/verify.txt +++ b/verify.txt @@ -20,8 +20,9 @@ Download the OVA and the ASC into the same directory. On the command line verify the PGP signature first, example: $ gpg --verify MISP_v2.4.107@latest.ova.asc MISP_v2.4.107@latest.ova - -TODO: Include output. +gpg: Signature made Wed 15 May 2019 07:04:42 PM JST +gpg: using RSA key EDEC891834F20B13 +gpg: Good signature from "CIRCL MISP (CIRCL MISP VM Release Key) " [ultimate] 3. Download SFV files @@ -29,14 +30,38 @@ Now download the checksum file and its signature, and verify. $ wget https://www.circl.lu/misp-images/MISP_v2.4.107@latest-CHECKSUM.sfv $ wget https://www.circl.lu/misp-images/MISP_v2.4.107@latest-CHECKSUM.sfv.asc -$ gpg --verify /MISP_v2.4.107@latest-CHECKSUM.sfv.asc MISP_v2.4.107@latest-CHECKSUM.sfv +$ gpg --verify MISP_v2.4.107@latest-CHECKSUM.sfv.asc MISP_v2.4.107@latest-CHECKSUM.sfv +gpg: Signature made Wed 15 May 2019 07:15:10 PM JST +gpg: using RSA key EDEC891834F20B13 +gpg: BAD signature from "CIRCL MISP (CIRCL MISP VM Release Key) " [ultimate] + +If you get a BAD signature, please download again. Next, use rhash or go with the manual way. rhash ----- -$ rhash -c MISP_v2.4.107@latest-CHECKSUM.sfv +$ cat MISP_v2.4.107@latest-CHECKSUM.sfv |sed 's/@\(.*\)-/@latest-/g' |sed 's/@\(.*\).ova/@latest.ova/g' |rhash -c -v --percents - + +--( Verifying MISP_v2.4.107@latest-CHECKSUM.sfv )------------------------------- +MISP_v2.4.107@latest-VMware.zip OK +MISP_v2.4.107@latest.ova OK +-------------------------------------------------------------------------------- +Everything OK + +Manual (not recommended) +------------------------ + +Take any file you want to verify, with sha1-sum for example. + +$ shasum MISP_v2.4.107@8a51109.nvram | cut -f 1 -d\ |grep -o -i -f - MISP_@8a51109.sfv +D3A2EBF751E31C6972F89DEC4F57D69C4681A142 + +If you get back a shasum, it worked, the file is safe and sound. + +Now you could do this, for all files, for all the checksums (sha1/256/384/512) OR just use rhash. + Verify VMware ------------- @@ -50,7 +75,46 @@ Download the ZIP and the ASC into the same directory. On the command line verify the PGP signature first, example: $ gpg --verify MISP_v2.4.107@latest-VMware.zip.asc MISP_v2.4.107@latest-VMware.zip +gpg: Signature made Wed 15 May 2019 07:04:42 PM JST +gpg: using RSA key EDEC891834F20B13 +gpg: Good signature from "CIRCL MISP (CIRCL MISP VM Release Key) " [ultimate] -TODO: Include output. +Do step number 3 from above. -Do steps number 3 from above. +$ unzip MISP_v2.4.107@latest-VMware.zip +Archive: MISP_v2.4.107@latest-VMware.zip + inflating: VMware/disk-s001.vmdk + inflating: VMware/disk-s002.vmdk + inflating: VMware/disk-s003.vmdk + inflating: VMware/disk-s004.vmdk + inflating: VMware/disk-s005.vmdk + inflating: VMware/disk-s006.vmdk + inflating: VMware/disk-s007.vmdk + inflating: VMware/disk.vmdk + inflating: VMware/MISP_v2.4@8a51109.sfv + inflating: VMware/MISP_v2.4.107@8a51109.nvram + extracting: VMware/MISP_v2.4.107@8a51109.vmsd + inflating: VMware/MISP_v2.4.107@8a51109.vmx + inflating: VMware/MISP_v2.4.107@8a51109.vmxf +$ cd VMware +$ rhash -c -v --percents MISP_v2.4@8a51109.sfv +Config file: /etc/rhashrc + +--( Verifying MISP_v2.4@8a51109.sfv )----------------------------------------------- +disk-s001.vmdk OK +disk-s002.vmdk OK +disk-s003.vmdk OK +disk-s004.vmdk OK +disk-s005.vmdk OK +disk-s006.vmdk OK +disk-s007.vmdk OK +disk.vmdk OK +MISP_v2.4.107@8a51109.nvram OK +MISP_v2.4.107@8a51109.vmsd OK +MISP_v2.4.107@8a51109.vmx OK +MISP_v2.4.107@8a51109.vmxf OK +-------------------------------------------------------------------------------- +Everything OK + + +You can be more or less confident that verything is fine.