
Re: How to verify install iso?



On 13/12/13 13:15, Ralf Mardorf wrote:
> You misunderstand me.
> 
> If I've got a checksum from the iso, e.g.
> 
> [rocketmouse@archlinux downloads]$ sha1sum debian-7.2.0-i386-netinst.iso
> c7050ae8ccda40456f6a1c4936ea8f170736b440  debian-7.2.0-i386-netinst.iso
> 
> where can I find a file with checksums to check/compare?


For the example you give.

The iso comes from:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/debian-7.2.0-i386-netinst.iso

Looking at the parent page:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/

The sums are listed on the same page. In this instance (SHA1) you'd want:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/SHA1SUMS

The relevant entry for that particular iso is:-
c7050ae8ccda40456f6a1c4936ea8f170736b440  debian-7.2.0-i386-netinst.iso

So in this instance you *know* that the cd is intact.

Don't trust the sums? Why should you?
Those sums are signed by the developers:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/SHA1SUMS.sign


$ gpg --output SHA1SUMS --verify SHA1SUMS.sign
gpg: Signature made Mon 14 Oct 2013 08:18:52 EST using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found


I then download the key matching that ID from a keyserver (Debian CD
signing key (debian-cd@lists.debian.org) ID: 6294BE9B Fingerprint:
DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B)
and see it's signed by a bunch of people (17). By checking their keys
and the keys of some of the people who've signed their keys - I find I
"trust" the CD signing key "by 2 degrees". The world really isn't that
big after all! :)

NOTE: if you don't know someone who signed Steve McIntyre's key you
surely know someone who does know someone who did (or you've never left
the house you were born in, ever).

> 
> I need a source and don't know where the source is.
> 
> If I download a key, I can decrypt a signed file including the
> checksum, but where is that file?
> 
> I can not find such a file inside the iso,


Mount the iso (# mount -o loop $someISO $somewhere) and you'll see the
file. (I posted the ls of a mounted CDROM earlier in this thread)

> nor do I know a website to download such a file.

Example provided above.

> 
> Regards, Ralf
> 
> 
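
The steps described in the message above (check the signature on SHA1SUMS, then compare the ISO's checksum with its SHA1SUMS entry), as an added shell example that is not part of the original post. It assumes the signing key is already in the local keyring and that ISO file names contain no spaces; the function names are hypothetical, and the fingerprint is the one quoted in the message.

```shell
#!/bin/sh
# Added example: verify a Debian ISO against a signed SHA1SUMS file.
# Fingerprint of the Debian CD signing key as quoted in the message above.
EXPECTED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# verify_sums_signature SUMS SIG
# Succeeds only if SIG is a good detached signature over SUMS and gpg
# reports the pinned fingerprint as the signing (or primary) key.
# Assumption: the key has already been imported into the keyring.
verify_sums_signature() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG .*$EXPECTED_FPR"
}

# check_iso_sum SUMS ISO
# Returns 0 on match, 1 on mismatch, 2 if SUMS has no entry for ISO.
check_iso_sum() {
    sums=$1 iso=$2
    name=$(basename "$iso")
    # Each line is "<sha1>  <filename>" (or "<sha1> *<filename>").
    # Compare the file name exactly rather than by substring.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha1sum "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# verify_iso SUMS SIG ISO
# Checks the signature first, so an unsigned or altered SUMS file is
# never used as the reference. Returns 3 if the signature check fails.
verify_iso() {
    verify_sums_signature "$1" "$2" || {
        echo "signature on $1 not made by $EXPECTED_FPR" >&2
        return 3
    }
    check_iso_sum "$1" "$3"
}
```

Typical use is `verify_iso SHA1SUMS SHA1SUMS.sign debian-7.2.0-i386-netinst.iso`, then checking the exit status.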

