On 2023-01-31, Larry Doolittle wrote:
> Friends -
>
> I looked and wasn't able to find a digital signature for
> the SHA256SUMS file in
> http://ftp.debian.org/debian/dists/bullseye/main/installer-armhf/current/images/
> or
> http://ftp.debian.org/debian/dists/bookworm/main/installer-armhf/current/images/

Take a look at:

https://ftp.debian.org/debian/dists/bullseye/Release

The Release file is signed (either inline as InRelease or detached as
Release.gpg), and has checksums for the relevant SHA256SUMS files that
you are looking for...

> Am I blind?

It is admittedly a bit indirect and non-obvious, having to download a
Release file, check the signature on that, then download the relevant
SHA256SUMS files and check their checksums with the (verified) Release
file... but there is at least a chain of verifiability...

> Can the process be adjusted to generate such a signature file?

It would be nice to have fewer steps to verify, because any complicated
verification process quickly downgrades to no verification process...

live well,
  vagrant
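The chain described in the reply above (signed Release, then SHA256SUMS, then the images), written out as an added example that is not part of the original message or of Debian's own tooling. The function names are hypothetical, and the keyring path assumes the debian-archive-keyring package is installed.

```shell
#!/bin/sh
# Added example: verify an installer SHA256SUMS file through the signed
# Release file of its suite.

# Print "<sha256> <size>" for relative path $2 as listed in the SHA256
# section of Release file $1; non-zero exit if the path is not listed.
release_entry() {
    awk -v want="$2" '
        /^SHA256:/ { in_sec = 1; next }   # start of the SHA256 section
        /^[^ ]/    { in_sec = 0 }         # any unindented field ends it
        in_sec && $3 == want { print $1, $2; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Return 0 only if local file $3 has the size and SHA256 that Release
# file $1 records for relative path $2. Run this only on a Release file
# whose signature has already been checked.
check_against_release() {
    entry=$(release_entry "$1" "$2") || { echo "no entry for $2" >&2; return 2; }
    want_hash=${entry% *}
    want_size=${entry#* }
    got_size=$(wc -c < "$3" | tr -d ' ')
    got_hash=$(sha256sum "$3" | cut -d' ' -f1)
    [ "$got_size" = "$want_size" ] && [ "$got_hash" = "$want_hash" ]
}

# Whole chain. Assumes Release, Release.gpg, SHA256SUMS and the images
# were downloaded into the current directory beforehand.
# $1 is the path relative to the suite, e.g.
#   main/installer-armhf/current/images/SHA256SUMS
verify_installer_sums() {
    # 1. Signature on Release (detached form).
    gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
        Release.gpg Release || return 1
    # 2. SHA256SUMS must match the entry in the verified Release.
    check_against_release Release "$1" SHA256SUMS || return 1
    # 3. Only now are the per-image hashes in SHA256SUMS worth checking.
    sha256sum --check --ignore-missing SHA256SUMS
}
```

Stopping at the first failing step matters: a SHA256SUMS file that does not match the verified Release says nothing about the images it lists.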