Verify download PGP/GPG keys
-
Folks,
I am trying to find the GPG/PGP keys to verify my download like I do with Debian/Linux; however, I am not finding what I need, which might be due to me being new to the site and service.I did find the following:
https://forum.netgate.com/topic/109558/there-is-no-real-method-of-verifying-download-integrity-we-need-gpg-keys/3However, it is 2 years old. Due to the latter - I need some help from the community. What is Pfsense preferred way to check download authenticity?
-
Which file are you downloading?
I can post the expected sha256 sum taken from our internal staging server if you wish. Though it will be identical to that on the download server AFAIK. At least it gives you something to check against.Steve
-
@stephenw10 said in Verify download PGP/GPG keys:
Which file are you downloading?
I can post the expected sha256 sum taken from our internal staging server if you wish. Though it will be identical to that on the download server AFAIK. At least it gives you something to check against.Steve
Hi Steve - I was under the impression that SHA256 will check the file for errors or corruption; however, I am trying to check the authenticity of the file with signatures, which is not SHA256 method. Are the pgp/gpg keys not published?
Thank you for your help.
-
They are not. But I can give the the expected sha256 sum here for whichever file you are using so you can check the download server has not been compromised (it hasn't) or your connection subverted somehow.
Steve
-
@stephenw10 said in Verify download PGP/GPG keys:
They are not. But I can give the the expected sha256 sum here for whichever file you are using so you can check the download server has not been compromised (it hasn't) or your connection subverted somehow.
Steve
Hi Steve,
Thank you again for the help, and quick response.I found the page: https://files.pfsense.org/hashes/ and if the 'sha' sums are the same - then I do not not want to trouble you and further. I will be testing and working with pfsense tomorrow, and see if it meets the requirements for my intended deployment.
Thank you again.
-
@stephenw10 I have downloaded last iso but checksum isn't the same??
-
The sha256 file is a text file containing the expected checksum.
The checksum of that txt file is not expected to be the same.
Steve
