Verify download PGP/GPG keys

gradius85

Folks,
I am trying to find the GPG/PGP keys to verify my download like I do with Debian/Linux; however, I am not finding what I need, which might be due to me being new to the site and service.

I did find the following:
https://forum.netgate.com/topic/109558/there-is-no-real-method-of-verifying-download-integrity-we-need-gpg-keys/3

However, it is 2 years old. Due to the latter - I need some help from the community. What is Pfsense preferred way to check download authenticity?

stephenw10

Which file are you downloading?
I can post the expected sha256 sum taken from our internal staging server if you wish. Though it will be identical to that on the download server AFAIK. At least it gives you something to check against.

Steve

gradius85

@stephenw10 said in Verify download PGP/GPG keys:

Which file are you downloading?
I can post the expected sha256 sum taken from our internal staging server if you wish. Though it will be identical to that on the download server AFAIK. At least it gives you something to check against.

Steve

Hi Steve - I was under the impression that SHA256 will check the file for errors or corruption; however, I am trying to check the authenticity of the file with signatures, which is not SHA256 method. Are the pgp/gpg keys not published?

Thank you for your help.

stephenw10

They are not. But I can give the the expected sha256 sum here for whichever file you are using so you can check the download server has not been compromised (it hasn't) or your connection subverted somehow.

Steve

gradius85

@stephenw10 said in Verify download PGP/GPG keys:

They are not. But I can give the the expected sha256 sum here for whichever file you are using so you can check the download server has not been compromised (it hasn't) or your connection subverted somehow.

Steve

Hi Steve,
Thank you again for the help, and quick response.

I found the page: https://files.pfsense.org/hashes/ and if the 'sha' sums are the same - then I do not not want to trouble you and further. I will be testing and working with pfsense tomorrow, and see if it meets the requirements for my intended deployment.

Thank you again.

nandocicero

@stephenw10 I have downloaded last iso but checksum isn't the same??

stephenw10

The sha256 file is a text file containing the expected checksum.

The checksum of that txt file is not expected to be the same.

Steve