
Re: How to verify install iso?



On 12/13/13, Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
> On Fri, 2013-12-13 at 12:27 +1100, Scott Ferguson wrote:
>> - you can also use the installer to self-check.
>
> If it's compromised a self-check could be done compared with what ever
> source.

True.

But have you done a self-check? This is a first step:
check SHAs.

OR self-check the digital signature of the Release.gpg file for your
release (eg Jessie).

See eg .../debian?/dists/jessie/Release.gpg

Your next step is to satisfy yourself that the signature/fingerprint
of the key you are using for self-checking of a CD for example, is
"safe".

So you need a sense of safety from the Debian Developers and their
network or not-network servers. This is a "take for granted" type
thing for me at the moment.

The next level of improvement in your sense of "safety" of the archive
signing key, is to check its fingerprint on eg, this site:

> http://www.debian.org/CD/verify.en.html
> http://www.debian.org/CD/verify.de.html

eg:
"
pub   4096R/64E6EA7D 2009-10-03
      Key fingerprint = 1046 0DAD 7616 5AD8 1FBC  0CE9 9880 21A9 64E6 EA7D
uid                  Debian CD signing key <debian-cd@lists.debian.org>
"

For example, if you check the Debian signing key fingerprint from a
few random Debian mirrors, perhaps through a TOR proxy to some
overseas/ other country Debian mirror website, then you should be
_reasonably_ comfortable at that point, that the key fingerprint on
your machine or on your particular CD ISO, is in fact the "real
Debian" one.

The next level of improvement in your sense of safety regarding a
particular key (you are concerned that global internet monitoring and
NSA/KGB/etc bodies are all colluding to present to you a FAKE debian
archive signing key, from ALL the websites you have accessed, via
whichever network transport layers (direct through ISP, proxy through
TOR etc) you have checked through), is to physically build your GPG
"web of trust" or "chain of trust" - eg, host a keysigning party, and
invite a Debian Developer in your area.

At this point, your efforts would probably be best spent working to
become a debian developer, and to assist with development and auditing
of various "important" packages in the Debian archive.

You also might consider rebuilding various "important" packages and
libraries, eg GnuPG and those libs which do MD5 and SHAx hashing, and
verifying that you can create bit-identical versions, or at least
re-run your SHA and signature verification process using your custom
build libraries, and making sure you get the same verifications.

At that point, you might install some very old version of Debian (from
say 7 years ago), then build the libraries required to build the
"modern" libraries (or rather, library versions) for your SHA and GPG
sig key checking, and check your modern iso/archive veracity on that
old Debian installation.

At this point, you should have a pretty high level of certainty around
the veracity of the GPG keys and signatures and SHA signatures etc.

Good luck :)
Zenaan
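The two checks the post describes (comparing the ISO against the SHA sums, and accepting the Release.gpg signature only when the signing key's fingerprint matches one confirmed out of band) as an added example, not code from the thread or from Debian: it interprets the machine-readable output of `gpg --status-fd` and a SHA256SUMS-style file; the status lines and ISO bytes used for testing are constructed, and the fingerprint is the one quoted in the post.

```python
import hashlib
import re

# Fingerprint of the Debian CD signing key as quoted in the post; gpg prints it
# with spaces for readability, so both sides are normalized before comparing.
DEBIAN_CD_FPR = "1046 0DAD 7616 5AD8 1FBC  0CE9 9880 21A9 64E6 EA7D"

# Any of these gpg status keywords means the signature must not be accepted.
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "NO_PUBKEY"}

def normalize_fpr(fpr):
    """'1046 0DAD ... EA7D' -> '10460DAD...EA7D' so spaced and packed forms match."""
    return re.sub(r"\s+", "", fpr).upper()

def signature_is_trusted(status_text, expected_fpr):
    """Judge `gpg --status-fd 1 --verify Release.gpg Release` output. GOODSIG alone
    is not enough: a good signature from the wrong key is the failure the post
    warns about, so the VALIDSIG fingerprint (or the primary-key fingerprint in
    its last field) must equal the fingerprint you confirmed out of band."""
    good, fprs = False, set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in BAD_STATUS:
            return False
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            fprs.add(fields[2])   # fingerprint of the (sub)key that signed
            fprs.add(fields[-1])  # fingerprint of its primary key
    return good and normalize_fpr(expected_fpr) in fprs

def digest(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()

def parse_sums(sums_text):
    """Parse SHA256SUMS/SHA512SUMS lines ('<hex>  <file>') into {file: hex}."""
    sums = {}
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums

def iso_matches(sums_text, filename, data, algo="sha256"):
    """True only if the ISO's digest equals the entry in the signed sums file."""
    expected = parse_sums(sums_text).get(filename)
    return expected is not None and digest(data, algo) == expected
```

Run the signature check on the status output of verifying the sums file itself before trusting any entry in it; the checksum step only proves the ISO matches a file you have already authenticated.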

