Cannot verify integrity of Woody
I'm a Debian newbie preparing to make the jump from Red Hat and am
running into the following immediate obstacles. I've downloaded some
files from http://ftp.us.debian.org/debian/dists/testing/.
# gpg --verify Release.gpg
gpg: no signed data
gpg: can't hash datafile: file open error
Okay, let's rename Release.gpg:
# mv Release.gpg Release.sig
# gpg --verify Release.sig
gpg: Signature made Sun 16 Dec 2001 01:41:06 PM PST using DSA key ID
B8AE9B77
gpg: Can't check signature: public key not found
No key? Let's try keyring.debian.org:
# gpg --keyserver keyring.debian.org --verify Release.sig
gpg: Signature made Sun 16 Dec 2001 01:41:06 PM PST using DSA key ID
B8AE9B77
gpg: requesting key B8AE9B77 from keyring.debian.org ...
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: Can't check signature: public key not found
How do I verify the validity of the signature without a key? I can't
find a key anywhere on the Debian website. A readme file next to the
Release.gpg file which explains where the key is (or isn't) would be
very helpful.
Moving on, let's presume for the moment that
http://ftp.us.debian.org/debian/dists/testing/Release is genuine. I see
it contains both MD5Sum and SHA1 hashes. This is good, because MD5 has
been broken. But how do I verify an SHA1 hash? I don't know what I'm
expected to use. A search on Freshmeat turns up shasum. Okay, I
install shasum.
# shasum -c Release
Here's an excerpt from its output:
17658 main/disks-i386/current/md5sum.txt: No such file or directory
But the file is there:
# ls main/disks-i386/current/md5sum.txt
main/disks-i386/current/md5sum.txt
Alright, let's do it manually:
# shasum main/disks-i386/current/md5sum.txt
3e3b7c8e849126da7095a93249946e6153ead8ec
main/disks-i386/current/md5sum.txt
# grep main/disks-i386/current/md5sum.txt Release
a7310d89b38926b676db36462e78d1d5 17658
main/disks-i386/current/md5sum.txt
926a4a4bda00d568f5e4df73b0bead421eeaceed 17658
main/disks-i386/current/md5sum.txt
Oops! They don't match! Let's try md5sum just to make sure there's
nothing obviously wrong going on here:
# md5sum main/disks-i386/current/md5sum.txt
a7310d89b38926b676db36462e78d1d5 main/disks-i386/current/md5sum.txt
That does match (but MD5 cannot be trusted).
So you see, I haven't gotten very far installing Woody. :-(
What should I do?
Neologism
Reply to: