Re: How to verify install iso?
On 13/12/13 13:15, Ralf Mardorf wrote:
> You misunderstand me.
>
> If I've got a checksum from the iso, e.g.
>
> [rocketmouse@archlinux downloads]$ sha1sum debian-7.2.0-i386-netinst.iso
> c7050ae8ccda40456f6a1c4936ea8f170736b440  debian-7.2.0-i386-netinst.iso
>
> where can I find a file with checksums to check/compare?
For the example you give.
The iso comes from:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/debian-7.2.0-i386-netinst.iso
Looking at the parent page:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/
The sums are listed on the same page. In this instance (SHA1) you'd want:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/SHA1SUMS
The relevant entry for that particular iso is:-
c7050ae8ccda40456f6a1c4936ea8f170736b440 debian-7.2.0-i386-netinst.iso
So in this instance you *know* that the cd is intact.
Don't trust the sums? Why should you?
Those sums are signed by the developers:-
http://cdimage.debian.org/debian-cd/current/i386/iso-cd/SHA1SUMS.sign
$ gpg --output SHA1SUMS --verify SHA1SUMS.sign
gpg: Signature made Mon 14 Oct 2013 08:18:52 EST using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found
I then download the key matching that ID from a keyserver (Debian CD
signing key (debian-cd@lists.debian.org) ID: 6294BE9B Fingerprint:
DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B)
and see it's signed by a bunch of people (17). By checking their keys
and the keys of some of the people who've signed their keys - I find I
"trust" the CD signing key "by 2 degrees". The world really isn't that
big after all! :)
NOTE: if you don't know someone who signed Steve McIntyre's key you
surely know someone who does know someone who did (or you've never left
the house you were born in, ever).
>
> I need a source and don't know where the source is.
>
> If I download a key, I can decrypt a signed file including the
> checksum, but where is that file?
>
> I can not find such a file inside the iso,
Mount the iso (# mount -o loop $someISO $somewhere) and you'll see the
file. (I posted the ls of a mounted CDROM earlier in this thread)
> nor do I know a website to download such a file.
Example provided above.
>
> Regards, Ralf
>
>
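
The two checks described in this message (signature on the sums file, then the ISO against its entry) can be scripted as below. This is an added example, not part of the original post or Debian's own tooling: the function names are hypothetical, the fingerprint is the one quoted in the message, and it assumes the CD signing key is already imported and that `gpg --status-fd` reports the signer on a `VALIDSIG` line.

```shell
#!/bin/sh
# Added example: verify a Debian ISO the way the message describes.
# Fingerprint as quoted in the message, spaces removed.
PINNED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Read `gpg --status-fd 1` output on stdin; succeed only if a VALIDSIG line
# names the pinned key as signing key ($3) or as primary key (last field).
signed_by_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Print the digest listed for file name $2 in checksum file $1.
# Lines look like "<hex digest>  <name>" (a leading "*" marks binary mode).
listed_sum() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f); if (f == name) { print $1; exit } }' "$1"
}

# Compare the ISO's actual SHA1 with its entry in the checksum file.
# Returns 0 on match, 1 on mismatch, 2 if the file has no entry for the ISO.
check_iso() {
    sums=$1 iso=$2
    want=$(listed_sum "$sums" "$(basename "$iso")")
    [ -n "$want" ] || return 2
    have=$(sha1sum "$iso" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Full procedure: signature first, then the checksum (returns 3 when the
# sums file is not validly signed by the pinned key).
# Usage: verify_iso SHA1SUMS debian-7.2.0-i386-netinst.iso
verify_iso() {
    gpg --status-fd 1 --verify "$1.sign" "$1" 2>/dev/null | signed_by_pinned_key || return 3
    check_iso "$1" "$2"
}
```

Comparing the full fingerprint rather than the 8-character key ID shown in gpg's message is the point of `signed_by_pinned_key`: short IDs are not unique.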