[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Can we get a signature for armhf SD-card images?

On 2023-01-31, Larry Doolittle wrote:
> Friends -
> I looked and wasn't able to find a digital signature for
> the SHA256SUMS file in
>   http://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/
> or
>   http://ftp.debian.org/debian/dists/bookworm/main/installer-armhf/current/images/

Take a look at:


The Release file is signed(either inline as InRelease or detatched as
Release.gpg), and has checksums for the relevent SHA256SUMS files that
you are looking for...

> Am I blind?

It is admittedly a bit indirect and non-obvious, having to download a
Release file, check the signature on that, then download the relevent
SHA256SUMS files and check their checksums with the (verified) Release
file... but there is at least a chain of verifyability...

> Can the process be adjusted to generate such a signature file?

It would be nice to have fewer steps to verify, because any complicated
verification process quickly downgrades to no verification process...

live well,

Attachment: signature.asc
Description: PGP signature

Reply to: