How to Verify Debian Mobian Images Using GPG
Ensuring the integrity of downloaded Debian Mobian images is essential for a secure and reliable installation. By verifying the images using GPG (GNU Privacy Guard), you can confirm that the files have not been tampered with in transit and that their checksum list was signed by the Mobian project's key. This guide, provided by revWhiteShadow, walks you through the steps needed to verify your Mobian images and addresses common problems such as missing public keys and keyserver failures.
Understanding the Importance of Image Verification
Before diving into the verification process, it's worth understanding why it is necessary. Downloading operating system images from the internet carries inherent risks: a malicious actor or a compromised mirror could distribute a modified image containing malware or a backdoor. Verifying the image against the official signature ensures that you are using an authentic, untampered copy of Mobian. GPG provides the mechanism to cryptographically check both the authenticity (who signed the checksum file) and the integrity (whether the image still matches its published checksum) of what you downloaded.
Prerequisites for Verification
Before proceeding, ensure you have the following:
- A Debian-based system (or any Linux distribution with GPG installed). While the example shows Pop!_OS, any similar environment will work.
- GPG (GNU Privacy Guard) installed. Most Debian-based systems come with GPG pre-installed. If not, install it using sudo apt update && sudo apt install gnupg.
- The Mobian image file (e.g., mobian-librem5-plasma-mobile-*.img.xz or .iso).
- The corresponding SHA256 checksum file (e.g., mobian-librem5-plasma-mobile-*.sha256sums).
- The GPG signature file for the checksum file (e.g., mobian-librem5-plasma-mobile-*.sha256sums.sig).
These files should be located in the same directory as your downloaded Mobian image.
Downloading the Necessary Files
Navigate to the official Mobian download page to obtain the image, checksum file, and signature file corresponding to your desired version. Ensure that the SHA256 checksum and signature file are downloaded from the same trusted source as the image itself. Double-check that the filenames match the image you intend to verify; incorrectly matched files will result in verification failures. For example, if you downloaded the mobian-librem5-plasma-mobile-20250803.img.xz image, ensure you also download the mobian-librem5-plasma-mobile-20250803.sha256sums and mobian-librem5-plasma-mobile-20250803.sha256sums.sig files.
Importing the Mobian Project Signing Key
The first step in the verification process is importing the Mobian project's GPG signing key. This key was used to sign the checksum file, and you need its public half to verify the signature. The error messages received indicate that the public key is not present in your keyring, hence the "Can't check signature: No public key" message. Further, fetching the key from keyservers failed, which could be due to keyserver unavailability or network issues. There are multiple ways to import the key; a reliable method is outlined below.
Identifying the Key ID
The signing key ID is typically included in the GPG output when you attempt to verify the signature. In the example, the key is identified by its full 40-character fingerprint, 970B1DD5FF63506F85001159951D61F2BC232697. Another key, 393F924A855FB27D, was skipped due to the lack of a User ID; it is not relevant to the verification process. Extract and use the key 970B1DD5FF63506F85001159951D61F2BC232697.
Importing the Key from a Keyserver (Recommended)
While the original attempt to import the key from hkp://pool.sks-keyservers.net failed, try using a different keyserver. The SKS keyserver pool has become unreliable. Use keyserver.ubuntu.com or keys.openpgp.org instead.
Run the following command:
gpg --keyserver keyserver.ubuntu.com --recv-keys 970B1DD5FF63506F85001159951D61F2BC232697
or
gpg --keyserver keys.openpgp.org --recv-keys 970B1DD5FF63506F85001159951D61F2BC232697
This command instructs GPG to retrieve the public key with the specified ID from the Ubuntu keyserver or keys.openpgp.org. If successful, GPG will display information about the imported key.
Importing the Key from a File (Alternative)
If keyserver access is consistently failing, you can import the key from a file instead. You'll first need to obtain the key file.
Download the Key File: Obtain the key file from a trusted source. You might find it on the Mobian project's website or a reliable forum. The key file typically has a .gpg or .asc extension. Since a direct link may change, the best approach is to search the Mobian website for "GPG key" or "signing key."
Import the Key: Once you have the key file (e.g., mobian-signing-key.gpg), import it using the following command:
gpg --import mobian-signing-key.gpg
Verifying the Imported Key’s Fingerprint
After importing the key, it is crucial to verify its fingerprint to ensure that you have indeed imported the correct key and that it has not been tampered with during the download. Obtain the official fingerprint from the Mobian project’s website. Then, run the following command to display the fingerprint of the imported key:
gpg --fingerprint 970B1DD5FF63506F85001159951D61F2BC232697
Compare the displayed fingerprint with the official fingerprint provided by the Mobian project. If they match, you can be confident that you have imported the correct key. If they do not match, delete the key and repeat the import process, ensuring that you are using a trusted source for the key file.
Verifying the Checksum File Signature
Once you have successfully imported the Mobian project’s signing key, you can proceed to verify the signature of the checksum file. This confirms that the checksum file itself has not been altered and that it was signed by the Mobian project. Use the following command:
gpg --verify mobian-librem5-plasma-mobile-20250803.sha256sums.sig mobian-librem5-plasma-mobile-20250803.sha256sums
Replace mobian-librem5-plasma-mobile-20250803.sha256sums.sig and mobian-librem5-plasma-mobile-20250803.sha256sums with the actual filenames of your signature and checksum files.
A successful verification will output a message similar to:
gpg: Signature made Sat 02 Aug 2025 06:51:28 PM MST
gpg: using RSA key 970B1DD5FF63506F85001159951D61F2BC232697
gpg: issuer "admin@mobian-project.org"
gpg: Good signature from "Mobian Project <admin@mobian-project.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 970B 1DD5 FF63 506F 8500 1159 951D 61F2 BC23 2697
The "Good signature" message indicates that the signature is valid and that the checksum file has not been altered since it was signed. The warning about the key not being certified with a trusted signature is normal if you have not personally signed the key; it does not invalidate the verification, it only means your keyring carries no certification of the key owner's identity. What establishes that trust is the fingerprint comparison from the previous section, so confirm that the "Primary key fingerprint" line matches the official Mobian fingerprint.
Generating and Verifying the Checksum
Now that you have verified the signature of the checksum file, you can use it to verify the integrity of the Mobian image file. This involves generating the SHA256 checksum of the downloaded image and comparing it to the checksum listed in the verified checksum file.
Generating the SHA256 Checksum
Use the sha256sum command to generate the SHA256 checksum of the Mobian image file.
sha256sum mobian-librem5-plasma-mobile-20250803.img.xz
Replace mobian-librem5-plasma-mobile-20250803.img.xz with the actual filename of your Mobian image file. The command will output a long string of hexadecimal characters followed by the filename. This is the SHA256 checksum of your downloaded image.
Comparing the Checksums
Open the checksum file (e.g., mobian-librem5-plasma-mobile-20250803.sha256sums) in a text editor. It will contain a list of checksums and their corresponding filenames. Find the line that corresponds to your Mobian image file and compare the checksum in the file to the checksum you generated using the sha256sum command.
If the checksums match exactly, then your Mobian image file is verified and has not been tampered with. You can proceed with the installation process with confidence. If the checksums do not match, then your image file is either corrupted or has been tampered with. Do not use the image file and download it again from the official Mobian website. Repeat the verification process to ensure that the newly downloaded image is valid.
Troubleshooting Common Verification Issues
“No public key” Error
This error indicates that you have not imported the Mobian project’s signing key into your GPG keyring. Follow the steps outlined in the “Importing the Mobian Project Signing Key” section to import the key from a keyserver or a file.
“keyserver receive failed” Error
This error indicates that GPG was unable to connect to the specified keyserver. This could be due to network connectivity issues, a temporary outage of the keyserver, or the keyserver being blocked by your firewall. Try using a different keyserver as described earlier or importing the key from a file. Check your network connection and firewall settings to ensure that GPG can connect to the internet.
“Bad signature” Error
This error indicates that the signature of the checksum file is invalid. This could be due to a corrupted signature file, a mismatch between the signature file and the checksum file, or an incorrect signing key. Ensure that you have downloaded the signature file and checksum file from the same trusted source and that they correspond to the Mobian image file you are trying to verify. Verify that you have imported the correct signing key.
Checksum Mismatch
If the checksum you generate for the Mobian image file does not match the checksum in the checksum file, it means that the image file is either corrupted or has been tampered with. Download the image file again from the official Mobian website and repeat the verification process. Ensure that you have downloaded the entire image file and that the download process was not interrupted.
Automating the Verification Process
For advanced users, a script can run the whole verification in one step. Here is a sample bash script that automates the steps above and stops at the first failure, so the checksum is never compared against an unverified sums file:
#!/bin/bash
IMAGE="mobian-librem5-plasma-mobile-20250803.img.xz"
SHA256SUMS="mobian-librem5-plasma-mobile-20250803.sha256sums"
SHA256SUMS_SIG="mobian-librem5-plasma-mobile-20250803.sha256sums.sig"
KEY_ID="970B1DD5FF63506F85001159951D61F2BC232697"
# Import the key; if the keyserver is unreachable, a key imported earlier from a file still works
if ! gpg --keyserver keyserver.ubuntu.com --recv-keys "$KEY_ID"; then
  echo "Warning: keyserver import failed; relying on a previously imported key" >&2
fi
# Verify the signature; an invalid or unverifiable signature means the sums file cannot be trusted
if ! gpg --verify "$SHA256SUMS_SIG" "$SHA256SUMS"; then
  echo "Signature verification failed!" >&2
  exit 1
fi
# Generate the checksum
CHECKSUM=$(sha256sum "$IMAGE" | awk '{print $1}')
# Extract the expected checksum from the sums file (fixed-string match on the filename)
EXPECTED_CHECKSUM=$(grep -F -- "$IMAGE" "$SHA256SUMS" | awk '{print $1}')
if [ -z "$EXPECTED_CHECKSUM" ]; then
  echo "$IMAGE is not listed in $SHA256SUMS!" >&2
  exit 1
fi
# Compare checksums
if [ "$CHECKSUM" = "$EXPECTED_CHECKSUM" ]; then
  echo "Image verification successful!"
else
  echo "Image verification failed!" >&2
  echo "  Expected: $EXPECTED_CHECKSUM" >&2
  echo "  Actual:   $CHECKSUM" >&2
  exit 1
fi
exit 0
Remember to replace the example filenames with your actual filenames.
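A "Good signature" from any key in your keyring is not the same as a signature from the Mobian key, so a script should pin the signer's fingerprint rather than only checking gpg's exit status. The following script is an added example (not Mobian's own tooling) that reads gpg's machine-readable status lines to pin the fingerprint from this guide and matches the image name exactly in the sums file; the helper function names are assumptions for this example.

```shell
#!/bin/bash
# Added example, not Mobian's own tooling. Pins the signer by fingerprint using
# gpg's machine-readable status lines, and matches the image name exactly in the
# sums file. Assumed: KEY_FPR is the fingerprint quoted in the guide.
set -u

KEY_FPR="970B1DD5FF63506F85001159951D61F2BC232697"

# Print the primary-key fingerprint from the VALIDSIG status line (empty if the
# signature did not validate). The last VALIDSIG field is the primary fingerprint.
validsig_primary_fpr() {
  printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Print the hash listed for filename $2 in sha256sums text $1 (exact name match;
# a leading '*' marks binary mode and is ignored). Empty if the file is not listed.
expected_sum_for() {
  printf '%s\n' "$1" | awk -v f="$2" '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }'
}

# verify_image IMAGE SUMS SIG: succeed only if SUMS is signed by KEY_FPR and IMAGE matches.
verify_image() {
  local image="$1" sums="$2" sig="$3" status fpr expected actual
  # --status-fd 1 puts the status protocol on stdout; human-readable text stays on stderr.
  status=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || true
  fpr=$(validsig_primary_fpr "$status")
  if [ "$fpr" != "$KEY_FPR" ]; then
    echo "FAIL: $sums is not validly signed by $KEY_FPR (got: ${fpr:-no valid signature})" >&2
    return 1
  fi
  expected=$(expected_sum_for "$(cat "$sums")" "$image")
  if [ -z "$expected" ]; then
    echo "FAIL: $image is not listed in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$image" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    printf 'FAIL: SHA256 mismatch for %s\n  expected: %s\n  actual:   %s\n' "$image" "$expected" "$actual" >&2
    return 1
  fi
  echo "OK: $sums signed by $KEY_FPR and $image matches its listed SHA256"
}

# Usage: ./verify-mobian.sh IMAGE SHA256SUMS SHA256SUMS.sig
if [ "$#" -eq 3 ]; then
  verify_image "$1" "$2" "$3"
fi
```

Because the check is on the VALIDSIG fingerprint rather than on the "Good signature" text, a sums file signed by some other key that happens to be in your keyring is rejected.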
Conclusion
Verifying Debian Mobian images using GPG is an essential step in ensuring the security and integrity of your system. By following the steps in revWhiteShadow's guide, you can confidently confirm that your downloaded images are authentic and have not been tampered with, protecting yourself from malware and giving you a stable, trustworthy Mobian installation.
revWhiteShadow hopes that this article was helpful!