23. 12. 2020 Andrea Avancini NetEye

How to Verify the Integrity of Your NetEye 4 ISO Image

When installing our favorite Linux distribution, the first thing we do is download the official installation image, an ISO file, from the distribution website or a third party site. Imagine for example that CentOS has just released a new version, and we are eager to give this new version a try by performing a fresh install on one of our machines. So we access the official CentOS website and download the latest ISO image from the download section.

NetEye 4, as you know, is based on CentOS, is also distributed via ISO images and, as in the case of CentOS, NetEye 4 ISO images can be downloaded from the NetEye download site.

Having obtained the ISO image, we can now start to install the OS, right?

No, Wait Just a Moment…

Before starting with the installation, however, it’s fundamental that we verify the integrity of the downloaded image to ensure that it is what it claims to be and that nobody has tampered with it. In fact, if there’s a cyberattack, tampered file images may be placed on official websites and then downloaded by unaware end users. Some time ago, Linux Mint’s website was hacked, and a tampered version of the ISO image with a backdoor in it was published. Thankfully, the response in solving the issue was extremely fast, but generally speaking, when things like this happen, there may be severe consequences. The lesson we can learn here is the importance of verifying downloaded ISO images before using them.

Verifying NetEye 4 ISO images

Like most of the popular Linux distributions, NetEye also includes signed checksum files that can be downloaded along with the ISO images. These are fundamental files that are used to verify NetEye ISO images.

There are basically two steps in the verification process:

  1. Import the public GPG key and verify the signature of the file containing the checksum of the ISO file
  2. Verify that the checksum is the same as the one calculated from the actual ISO file

Let’s take a look at the verification process.

Import the Public GPG Key

Our public GPG key can be downloaded from this very same blog by visiting the download section under NetEye ➝ GPG public key ➝ public-gpg-key. Once you have extracted the key from the archive, you can import it to your keyring:

$ gpg --import public.gpg

Verify the Public Key

Next, check the fingerprint of the imported key:

$ gpg --fingerprint net.support@wuerth-phoenix.com

The fingerprint must match the following one (it can be found in the same download section where you found our public key):

pub 4096R/1A0C0C60 2020-09-29 [expires: 2030-09-27]
Key fingerprint = E610 174A 971E 5643 BC89 A4C2 B677 7D15 1A0C 0C60

Download the Signed Checksum File

Assuming you already downloaded the NetEye 4.15 ISO image, you must download, from the same website, the file containing the checksums of the ISO files hosted on that specific page: sha256sum.txt.asc.

This is an ASCII-armored file: a plain-text encoding of keys and signatures that can be copied and pasted anywhere, guaranteeing maximum portability (at the expense of a larger file). In fact, if you open the file, you will see that it looks identical to a normal text file.

Imagine you want to sign a file that has the following content:

$ cat xmas.txt
Merry xmas and happy new year

If you clearsign the file with your private key, what you get is:

$ cat xmas.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Merry xmas and happy new year
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v x.y.z (GNU/Linux)
...
K7+fkHzYjcmbtf5KAMnJP2ieQLwwrMuRN/GsUUmgdLszor67WP5
o4JEdXKnrErFBUeMaNs=
=e17S
-----END PGP SIGNATURE-----

As you can see, the contents of the file are still visible in their signed form.

Verify the Signed File

Let’s get back to our verification procedure: you have obtained the sha256sum.txt.asc file, and now you would like to verify it:

gpg --verify sha256sum.txt.asc

The output of the above command is:

gpg: Signature made Tue 29 Sep 2020 03:50:01 PM CEST
gpg:               using RSA key B6777D151A0C0C60
gpg: Good signature from "Wuerth Phoenix <net.support@wuerth-phoenix.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E610 174A 971E 5643 BC89  A4C2 B677 7D15 1A0C 0C60

As you can see from the output, the signature looks good, but

There is no indication that the signature belongs to the owner

This is expected and perfectly normal. If you remember, in one of the previous steps you imported the NetEye 4 public key into your keyring. Even when a key is imported manually, GnuPG has no proof that the key belongs to its owner, and we didn’t explicitly mark it as trusted. Assuming that you downloaded the key from the NetEye blog and its fingerprint matched the published one, you can trust it.

Verify the ISO Image You Downloaded

Let’s put the neteye4.15-centos.stable.iso and the sha256sum.txt.asc files in the same folder. We can now verify the ISO file with the following command:

sha256sum -c sha256sum.txt.asc 2>&1 | grep OK

The output will be something like this:

neteye4.15-centos7.stable.iso: OK

At this point, we can be sure that the ISO file we downloaded is what we expect it to be, NetEye version 4.15, and that the file is not corrupted.

If instead you obtain output that is different from OK, you should first try to download the file again (it may be that the file was corrupted during the download itself). If the error persists, feel free to contact us for help!
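To show how the two steps above fit together, here is an added example in Python (not NetEye’s own tooling, and not part of the original post): it parses the clearsigned sha256sum.txt.asc described earlier, extracts the checksum lines from the signed body, hashes the ISO and compares the result, the same job `sha256sum -c` does in the post. It also compares fingerprints by hex digits only, because gpg prints them with varying spacing (note the double space in the "Primary key fingerprint" line of the output above). The sample ISO bytes, the file name and the placeholder signature block are constructed for the demo; the `gpg_signature_is_good` helper is an assumption about how one would drive gpg from a script and is not exercised offline.

```python
"""Added example: offline check of a clearsigned sha256sum file against an ISO.
Sample data below is constructed; it is not a real NetEye checksum file."""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Fingerprint published on the NetEye download page (quoted from the post).
EXPECTED_FINGERPRINT = "E610 174A 971E 5643 BC89 A4C2 B677 7D15 1A0C 0C60"

SAMPLE_ISO_NAME = "neteye4.15-centos7.stable.iso"          # constructed stand-in
SAMPLE_ISO_BYTES = b"constructed stand-in for an ISO image\n"  # constructed


def normalize_fingerprint(fpr: str) -> str:
    """Keep only hex digits: gpg output varies in spacing and case."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()


def fingerprint_matches(printed: str, expected: str = EXPECTED_FINGERPRINT) -> bool:
    """A v4 fingerprint is 40 hex digits; refuse partial matches such as a key ID."""
    n = normalize_fingerprint(printed)
    return len(n) == 40 and n == normalize_fingerprint(expected)


def clearsigned_body(text: str) -> str:
    """Return the signed text of a clearsigned message: the lines between the
    blank line that ends the 'Hash:' header block and the signature armor.
    Lines that were dash-escaped ('- ' prefix, RFC 4880 section 7.1) are unescaped."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    i = start + 1
    while i < end and lines[i].strip() != "":   # skip armor headers
        i += 1
    body = lines[i + 1:end]
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)


def parse_sha256sums(body: str) -> dict:
    """Parse 'hash  filename' lines in sha256sum(1) format (text or '*' binary mode).
    The checksum file may list several ISOs, so return a name -> digest mapping."""
    sums = {}
    for line in body.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s[ *](.+)$", line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_of_file(path) -> str:
    """Stream the file in 1 MiB chunks; ISO images do not fit comfortably in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_iso(iso_path, checksum_text: str) -> bool:
    """Step 2 of the post. Raises if the ISO is not listed at all, so a missing
    line is never silently mistaken for success."""
    sums = parse_sha256sums(clearsigned_body(checksum_text))
    name = Path(iso_path).name
    if name not in sums:
        raise KeyError(f"{name} is not listed in the signed checksum file")
    return sha256_of_file(iso_path) == sums[name]


def gpg_signature_is_good(asc_path) -> bool:
    """Step 1 of the post, driven from a script (assumed usage, not run here):
    --status-fd gives machine-readable lines; require GOODSIG and a VALIDSIG
    whose fingerprint (third field) is the published one."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", str(asc_path)],
                          capture_output=True, text=True)
    status = proc.stdout.splitlines()
    good = any(l.startswith("[GNUPG:] GOODSIG ") for l in status)
    valid = any(l.startswith("[GNUPG:] VALIDSIG ") and fingerprint_matches(l.split()[2])
                for l in status)
    return proc.returncode == 0 and good and valid


def build_sample_checksum_file(iso_bytes: bytes, name: str) -> str:
    """Constructed clearsigned checksum file; the signature block is a placeholder."""
    digest = hashlib.sha256(iso_bytes).hexdigest()
    return "\n".join([
        "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", "",
        f"{digest}  {name}",
        "-----BEGIN PGP SIGNATURE-----", "Version: GnuPG v x.y.z (GNU/Linux)", "",
        "placeholder-signature-data", "=XXXX", "-----END PGP SIGNATURE-----", "",
    ])


def demo() -> tuple:
    """Verify the constructed ISO, then the same ISO with bytes appended."""
    d = Path(tempfile.mkdtemp())
    iso = d / SAMPLE_ISO_NAME
    iso.write_bytes(SAMPLE_ISO_BYTES)
    checksum_text = build_sample_checksum_file(SAMPLE_ISO_BYTES, SAMPLE_ISO_NAME)
    intact = check_iso(iso, checksum_text)
    iso.write_bytes(SAMPLE_ISO_BYTES + b"tampered")
    tampered = check_iso(iso, checksum_text)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two points worth keeping in mind when you script this: the checksum comparison only means something after the signature check has passed (otherwise you are comparing against a file an attacker could have rewritten alongside the ISO), and the post’s `2>&1 | grep OK` pipeline prints nothing at all when the ISO name is simply absent from the list, which is why `check_iso` raises instead of returning False in that case.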

Conclusions

In this blog post, we discussed how to verify the NetEye ISO images to avoid unexpected security problems. Security is a hot topic these days, and it’s fundamental to pursue the highest security standards, as we try to do in our daily work.

Thanks for your attention, I wish you a…

$ cat xmas.txt
Merry xmas and happy new year
Andrea Avancini

Andrea Avancini

DevOps Engineer at Würth Phoenix
Loving understanding of how things work, how things can be automated, and how to apply new technologies when needed. Passionate about technology, open-source software, and security. I found Würth Phoenix the right place for this. In the past, I co-founded a cybersecurity startup that produces security solutions for mobile apps and blockchain. Previously, I worked as researcher at Fondazione Bruno Kessler of Trento. My research was mainly focused on web and mobile app security and testing. I got my PhD in Computer Science at the University of Trento.
