What do I put in the `/path/to/iso`?

I want to re-verify that my installation drive was written correctly, but I did not understand how to put the ISO in this /path/to/iso. Do I have to download another ISO, redo the verification with gpg, and then put that in there?

```
$ dd if=/dev/sdX bs=1M count=$(stat -c %s /path/to/iso) iflag=count_bytes | sha256sum
```

You have to put there the path to your existing downloaded .iso file in the filesystem. In other words, you need to tell the system where your actual .iso is located.

1 Like

In the usb drive?

No, the USB stick on which you wrote the installer with the dd command is what you want to verify by comparing with the original .iso file. Did you delete the latter after writing?

1 Like

No, I did not. Correct me if I am wrong, but Qubes says to do it on another machine. Should I just install the ISO and do the verification again with the write protection on? Or do it on both?

You are right: if it’s a different machine, you should redownload the .iso. Checking on the same machine is also useful.

1 Like

Would the hash be different if I use Rufus to flash the ISO and then use dd to check? I only have two machines, one Windows and one Qubes.

I don’t expect it to be different unless Rufus modifies the image (and that would be suspicious).

1 Like

No, that’s not correct. You should not re-download the ISO. In fact, the documentation specifically walks through performing the re-verification on a different machine where the ISO is intentionally absent, which sounds like exactly what @Skatoskatosimos is trying to do:

[…]
Now, reading the number of bytes directly from the ISO is fine, but you may be concerned that a sufficiently sophisticated adversary may have compromised the machine on which you’re performing this re-verification and may therefore be capable of feeding you a false success result. After all, if your adversary knows the answer you’re looking for — namely, a match to the genuine ISO — and has access to that very ISO in the same re-verification environment, then there is little to prevent him from simply hashing the original ISO and feeding you that result (perhaps while also reading from the USB drive and piping it into /dev/null so that you see the light on the USB drive blinking to support the illusion that the data is being read from the USB drive).

Therefore, in order to make things a bit more difficult for your hypothetical adversary, you may instead wish to perform the re-verification in an environment that has never seen the original ISO, e.g., a separate offline computer or a fresh VM the storage space of which is too small to hold the ISO. (Note: If you’re doing this in Qubes, you can attach the block device from sys-usb to a separate new qube. You don’t have to perform the re-verification directly in sys-usb.) In that case, you’ll have to obtain the size of the ISO in bytes and enter it into the above command manually. You can, of course, obtain the size by simply using the stat -c %s /path/to/iso command from above on the machine that has the ISO. You can also obtain it from the Qubes website by hovering over any ISO download button on the downloads page. (You can also view these values directly in the downloads page’s source data.) Once you have the exact size of the ISO in bytes, simply insert it into the same command, for example:

```
$ dd if=/dev/sdX bs=1M count=5791285248 iflag=count_bytes | sha256sum
```

If you wish to compute the values of other hash functions, you can replace sha256sum, e.g., with md5sum, sha1sum, or sha512sum.

In addition to checking hash values, you can also use GnuPG to verify the detached PGP signature directly against the data on the USB drive. (This assumes you’re already familiar with how to verify detached PGP signatures on Qubes ISOs.)

```
$ dd if=/dev/sdX bs=1M count=<ISO_SIZE> iflag=count_bytes | gpg -v --verify Qubes-RX-x86_64.iso.asc -
gpg: Signature made Thu 14 Jul 2022 08:49:38 PM PDT
gpg:                using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: Good signature from "Qubes OS Release X Signing Key" [full]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096
5523+0 records in
5523+0 records out
5791285248 bytes (5.8 GB, 5.4 GiB) copied, 76.6013 s, 75.6 MB/s
```

(Where /dev/sdX is your USB drive, <ISO_SIZE> is the size of the original ISO in bytes, and Qubes-RX-x86_64.iso.asc is the detached signature file of the original ISO.)

This command reads the exact number of bytes from your USB drive as the size of the original ISO and pipes them into gpg. The usual form of a gpg verification command is gpg --verify <SIGNATURE> <SIGNED_DATA>. Our command is using shell redirection in order to use data from your USB drive as the <SIGNED_DATA>, which is why the - at the end of the command is required. Remember that you still must have properly imported and trusted the QMSK and appropriate RSK in order for this to work. You should receive a Good signature message for the appropriate RSK, which should be signed by a copy of the QMSK that you previously confirmed to be genuine.

1 Like
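The re-verification quoted in the post above, as an added example that is not part of the thread or the Qubes documentation: it shows why the exact byte count matters, since a stick larger than the ISO hashes differently when read whole. The function names `hash_prefix` and `verify_device` and the constructed stand-in files (used instead of a real ISO and `/dev/sdX`) are assumptions; GNU `dd`, `stat` and `sha256sum` are required.

```shell
#!/bin/sh
# Added example. Constructed files stand in for the ISO and for /dev/sdX,
# so this runs offline without touching a real USB drive.

# Print the SHA-256 of the first SIZE bytes of DEVICE (same dd form as the docs).
hash_prefix() {
    dd if="$1" bs=1M count="$2" iflag=count_bytes 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Return 0 only if the first SIZE bytes of DEVICE hash to EXPECTED.
# SIZE and EXPECTED are entered by hand; the ISO itself is never needed here.
verify_device() (
    dev=$1; size=$2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    case $size in ''|*[!0-9]*) echo "size must be a byte count" >&2; exit 2 ;; esac
    [ "$(hash_prefix "$dev" "$size")" = "$expected" ]
)

# --- constructed sample data (deterministic, not a real Qubes image) ---
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
head -c 3145851 /dev/zero | tr '\0' 'Q' > "$work/sample.iso"   # not a multiple of 1 MiB
iso_size=$(stat -c %s "$work/sample.iso")                      # noted on the machine with the ISO
iso_sha=$(sha256sum "$work/sample.iso" | cut -d' ' -f1)        # stands in for the published digest

# Stand-in stick: the image followed by leftover bytes, because the stick is larger.
{ cat "$work/sample.iso"; head -c 1048576 /dev/zero | tr '\0' 'L'; } > "$work/stick.img"
# Same stick with one byte altered inside the image area.
cp "$work/stick.img" "$work/tampered.img"
printf 'X' | dd of="$work/tampered.img" bs=1 seek=4096 conv=notrunc 2>/dev/null

verify_device "$work/stick.img" "$iso_size" "$iso_sha" && echo "stick: match"
verify_device "$work/tampered.img" "$iso_size" "$iso_sha" || echo "tampered: MISMATCH"
# Hashing the whole stick, without the byte count, does not reproduce the ISO digest.
[ "$(sha256sum "$work/stick.img" | cut -d' ' -f1)" = "$iso_sha" ] || echo "whole stick: differs"
```

On a real drive, `verify_device /dev/sdX <ISO_SIZE> <EXPECTED_SHA256>` takes the size and digest recorded elsewhere, so the machine doing the check never holds the ISO.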

That is exactly what I was looking for, but I have another question. Let's say my base system that I installed Qubes was compromised and I wanted to verify the Qubes on another computer; the hash would probably be the same. How could I install on 3 different computers 3 ISOs, verify it, and then check it with the original flashed USB drive? The thought here is that if the base is compromised and has written a malicious ISO, one or more of these other computers could spot it.

It sounds like you’re asking for a way to verify whether an installed OS (not an ISO file or an installer device to which an ISO file has been written) is “clean” or has been compromised. To my knowledge, that is not possible today on any computing system that can practically be used by regular people like you and me.

I actually mean: install Qubes on the 1st device, verify and write to the drive; on the 2nd computer, install, verify signatures, and then somehow verify that this Qubes that was just installed is the same as that of the drive, because the 1st computer could be compromised and show fake signatures, and the possibilities are endless for the attacker. Is there some way to verify with multiple computers that the Qubes ISO is legit? If the ISO is, for example, 0101, this is written to the drive, but it could be malicious. That's why my idea is to check on multiple computers: install and then verify the downloaded ISOs with the drive; if it fails, it means that one or more are compromised.

It’s still not clear to me whether you’re asking about:

  1. Using a different computer to verify Qubes OS after it has already been installed
    or
  2. Using a different computer to verify the installer device after you’ve written the ISO to it.

I’m not aware of a good way to accomplish (1), but (2) is already covered step-by-step in the part of the documentation I quoted and link to above.

1 Like